ECJ clarifies further questions on compensation for damages and health data

On December 21, the ECJ ruled in Case C-667/21 on issues relating to health data in the employment context. The case dealt in particular with the relationship between Art. 6 and Art. 9 GDPR, as well as the burden of proof in the context of compensation for damages under Art. 82 GDPR.

Background

This was preceded by a dispute before the Federal Labor Court (Bundesarbeitsgericht) between an individual as the plaintiff and the Medical Service of the North Rhine Health Insurance (medizinischer Dienst der Krankenversicherung Nordrhein), as the employer and defendant.

The defendant prepares expert opinions on the incapacity for work of insured persons and, in particular, its own employees, as well as that of the plaintiff. The plaintiff was employed in the IT department as a system administrator and helpdesk employee.

When the plaintiff was uninterruptedly unfit for work in November 2017, the plaintiff's health insurance commissioned the defendant to provide an expert opinion in order to eliminate doubts about his incapacity for work, Section 275 (1) no. 3 litera b SGB V.

The defendant obtained the necessary information from the plaintiff's doctor and archived the report electronically so that the plaintiff's colleagues could access it. At the plaintiff's request, one of his colleagues was able to find the report in the archive and sent it to him.

The plaintiff then claimed damages in the amount of € 20,000. The plaintiff is of the opinion that the defendant processed his health data without his consent and without any other legal basis and that he therefore suffered damages for which the defendant is liable.

Decision of the ECJ

The Federal Labor Court wanted to know the following from the ECJ:

1. May the defendant process the health data of its employees in order to prepare an expert opinion to assess their ability to work?
2. If the answer to the first question is yes, are additional data protection requirements beyond Art. 9 (3) GDPR to be complied with?
3. If the answer to the first question is yes, must there be a permissive circumstance under Art. 6 (1) GDPR in addition to Art. 9 GDPR?
4. Does Art. 82 GDPR only have a compensatory function or does the claim for damages also have a deterrent or punitive purpose that must be taken into account?
5. Does the amount of compensation depend on the fault of the person responsible and is contributory negligence on the part of the person concerned taken into account?

The ECJ answered the questions as follows:

Question 1:

Medical assessment bodies may also process the health data of their employees. This is supported by the clear wording of Art. 9 (2) litera h GDPR, as well as the reason that the interpretation must not be guided by considerations derived from the healthcare system of a Member State or from circumstances characterizing the dispute in the main proceedings. In this respect, the Federal Labor Court had expressed a feeling of disturbance because the defendant in the present case performed a dual function and was both the employer and the medical service of the health insurance fund. According to the Federal Labor Court, a "neutral body" would have been necessary for the processing in this case.

Based on the answer to the first question, questions two and three could also be answered:

Questions 2 and 3:

For question two, the ECJ emphasized that no additional data protection requirements had to be complied with. This is also justified by the clear wording of the law. The data controller is therefore not obliged to ensure that none of the data subject's colleagues have access to the data on their state of health. The ECJ has thus rejected the view of the Federal Labor Court expressed in the order for reference, according to which it must be absolutely prevented that colleagues have access to the data of an employee whose incapacity to work is being assessed. According to the ECJ, the member states are instead authorized to issue stricter data protection requirements through additional regulations in accordance with Art. 9 (4) GDPR. The only requirement for this regulation would be proportionality and that it does not conflict with the practical effectiveness of the permission for data processing.

The ECJ answered question 3, whether, in addition to the requirements of Art. 9 GDPR, there must be at least one justification pursuant to Art. 6 (1) GDPR, with a clear "yes". The ECJ justified this systematically with the argument that Articles 5, 6 and 9 GDPR are in Chapter II "Principles". The ECJ once again clearly emphasized that any processing of personal data must comply with the principles set out in Art. 5 (1) GDPR and meet the conditions for lawfulness set out in Art. 6 GDPR. This means that Art. 9 and Art. 6 GDPR must always be read in conjunction.

Question 4:

On question 4, whether Art. 82 GDPR is exclusively intended to provide compensation or whether the claim for damages also has a deterrent or punitive purpose that is reflected in the compensation, the ECJ also finds clear words. Unlike Art. 83 and 84 GDPR, Art. 82 GDPR does not have a punitive purpose, but only a compensatory function. Reference is made to recital 146 sentence 6, according to which full and effective compensation for the damage suffered should be ensured.

Question 5:

With regard to the final question of whether the degree of fault is relevant when assessing the amount of damage and whether non-existent or minor fault on the part of the controller is to be taken into account in its favor, the ECJ clarifies that the claim for damages under Art. 82 GDPR presupposes fault on the part of the controller. However, fault is presumed and the burden of proof for no fault lies with the controller. As follows from the wording of Art. 24 and Art. 32 GDPR, the controller must take technical and organizational measures aimed at preventing any personal data breach as far as possible. If the controller had to compensate for any damage caused by processing in breach of the GDPR, regardless of culpability, this obligation would be called into question. In addition, the requirement of fault and the associated burden of proof on the controller creates a balance between the data subject and the controller.

With regard to the assessment of damages, the ECJ points out that the national courts must apply the national provisions of the individual Member States on the extent of financial compensation when assessing damages, provided that principles of EU law are observed. However, Art. 82 GDPR does not require the degree of fault to be taken into account when assessing the amount of damages.

Possible effects

The decision could have an impact on Section 26 (3) BDSG (Federal Data Protection Act). According to this, the processing of special categories of data within the meaning of Art. 9 GDPR is permitted if it is necessary for the exercise of rights or the fulfillment of legal obligations under labor law, social security law and social protection law and there is no reason to assume that the data subject's legitimate interest in the exclusion of processing prevails. According to the Federal Labor Court, there is much to suggest that the collegial relationship between colleagues is damaged if one colleague has access to the health data of another. "Risks include - depending on the type of illness - damage to reputation, damage to standing or reputation and/or that the person being assessed is exposed to embarrassing situations or feels this way," according to the Federal Labor Court. The interests of the person concerned worthy of protection could prevail in this or a comparable case.

Conclusion

Health data enjoys increased protection in Europe. The ECJ has made this clear once again with this decision.

In answering question 5, the ECJ has clarified with this decision that fault is not only a prerequisite in fine proceedings, as recently decided in the proceedings concerning Deutsche Wohnen (Update Data Protection No. 159 & Update Compliance 9/2023), but that this prerequisite also extends to claims for damages. Damages should only be compensated by Art. 82 GDPR. The standard does not have a more far-reaching punitive aspect.

The supreme court's confirmation of the reversal of the burden of proof contained in Art. 82 GDPR is significant. Companies that process personal data are all the more challenged to document their data protection in order to be able to defend themselves effectively against legal action in an emergency.

It remains questionable how courts assess the immaterial damage of fear or worry, or how much money is necessary to compensate for such damage.