CJEU - C-667/21 - Krankenversicherung Nordrhein
| CJEU - C-667/21 ZQ v Medical Service of Health Insurance North Rhine | |
|---|---|
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 5(1)(f) GDPR; Article 6(1) GDPR; Article 9(1) GDPR; Article 9(2)(h) GDPR; Article 9(3) GDPR; Article 24 GDPR; Article 32(1) GDPR; Article 82(1) GDPR; Article 275(1) Sozialgesetzbuch (German Social Code); Article 2758(1) Sozialgesetzbuch |
| Decided: | 21.12.2023 |
| Parties: | ZQ; Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts |
| Case Number/Name: | C-667/21 ZQ v Medical Service of Health Insurance North Rhine |
| European Case Law Identifier: | EU:C:2023:1022 |
| Reference from: | Bundesarbeitsgericht I AZR 253/20 (A) |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion; Judgment |
| Initial Contributor: | Lszabo |
The CJEU held that a controller's liability for non-material damage under Article 82 GDPR presupposes an infringement attributable to it, that fault is presumed unless the controller proves it is not responsible, and that the degree of fault plays no role in determining the amount of compensation.
English Summary
Facts
The Medical Service of Health Insurance (the controller) is the medical review body for statutory health insurance in Germany. It provides expert reports when insured persons claim to be unable to work, and does so for its own employees as well. The data subject worked for the controller before becoming unable to work. The health insurer paying the data subject's benefits asked the controller for an expert opinion. The controller obtained health information from the data subject's doctor and recorded it in a medical report, which was then accessible to the data subject's colleagues.
The data subject considered the processing of their medical data unlawful and claimed damages of €20,000 from the controller, which rejected the claim. The data subject argued that the assessment should have been carried out by another organisation so that colleagues could not access their medical data, and that the security measures around the archiving of the medical report were inadequate.
After the claim was dismissed at first instance and on appeal (Landesarbeitsgericht Düsseldorf), the data subject appealed on a point of law to the Federal Labour Court (Bundesarbeitsgericht), which referred the following questions to the CJEU:
On the topic of health data
1. Does Article 9(2)(h) GDPR prohibit a medical service of a health insurance fund from processing its employee’s health data when it is a prerequisite for the assessment of that employee’s working capacity?
2. If the Court answers Question 1 in the negative (with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR) in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones?
3. If the Court answers Question 1 in the negative, does the permissibility or lawfulness of the processing of data concerning health depend on the fulfilment of at least one of the conditions set out in Article 6(1) GDPR?
On the topic of damages
4. Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?
5. Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?
Advocate General Opinion
Advocate General Manuel Campos Sánchez-Bordona proposed that the Court interpret Article 9(2)(h) and (3) and Article 82(1) and (3) GDPR as meaning that:
a medical service of a health insurance fund is not prohibited from processing data concerning the health of one of its own employees where those data are a prerequisite for assessing that employee's working capacity;
an exception to the prohibition on processing personal data concerning health is permitted where the processing is necessary for the purposes of assessing the employee's working capacity and complies with the principles set out in Article 5 and with one of the conditions for lawfulness laid down in Article 6 GDPR;
the degree of fault on the part of the controller or processor has no bearing on establishing the liability of either of them or on quantifying the non-material damage to be compensated on the basis of Article 82(1) GDPR;
the involvement of the data subject in the event giving rise to the compensation obligation may, depending on the circumstances, trigger the exemption from liability for the controller or processor provided for in Article 82(3) GDPR.
Holding
The Court first recalled that the purpose of Article 9 GDPR is to ensure a high level of protection for the processing of personal data that are particularly sensitive, since such processing constitutes an especially serious interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter. The list of exceptions in Article 9(2) is therefore exhaustive, and Article 9(3) lays down additional guarantees for processing based on Article 9(2)(h). Nothing in the wording suggests that Article 9(2)(h) applies only where the processing is carried out by an independent third party; what is decisive is the purpose for which the data are processed. The Court also noted that Member States' legislation may set different limits on having the assessment of working capacity carried out by an independent third party, and that the legal environment of individual Member States cannot be taken into account when interpreting EU law. There is thus no reason to read Article 9(2)(h) as restricting such processing to independent third parties. Recital 52 moreover confirms that processing in the public interest covers, among other things, the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

The answer to the first question is therefore: Article 9(2)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the exception provided for in it applies to situations in which a medical review body processes health data of one of its employees, acting not as employer but as a medical service, in order to assess that employee's working capacity, provided that the processing satisfies the conditions and guarantees expressly laid down in Article 9(2)(h) and Article 9(3).

On the second question, the Court noted that, under Article 9(3), health data processed on the basis of Article 9(2)(h) must be processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or such rules. No further requirements can be added to those in Article 9(3). That paragraph is therefore no legal basis for requiring that colleagues of the data subject be excluded from the processing. It must nevertheless be examined whether other provisions of the GDPR can serve as a basis for preventing colleagues from accessing the data subject's health data. Member States may, under the power conferred on them by Article 9(4), lay down further conditions. Such measures must be proportionate and must leave processing for the purposes in Article 9(2)(h) possible for organisations that do not necessarily have the size or the technical and human resources needed to meet such conditions. These limitations, however, do not stem from the GDPR itself but from the national rules.
In addition, the national court has to examine whether the technical and organisational measures taken under Article 32 GDPR are adequate and sufficient.

The answer to the second question is therefore: Article 9(3) of Regulation 2016/679 must be interpreted as meaning that a controller processing health data on the basis of Article 9(2)(h) of that Regulation is not obliged to guarantee that no colleague of the data subject has access to data concerning the data subject's state of health. Such an obligation may, however, be imposed on the controller either by rules adopted by a Member State on the basis of Article 9(4), or under the principles of integrity and confidentiality set out in Article 5(1)(f) and given concrete expression in Article 32(1)(a) and (b) of that Regulation.

On the third question, the Court observed that Articles 5, 6 and 9 all sit in the Chapter entitled "Principles" and concern, respectively, "Principles relating to processing of personal data", "Lawfulness of processing" and "Processing of special categories of personal data". Recital 51 moreover expressly states that "the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing". The Court has held repeatedly that all processing of personal data must comply with the conditions of lawfulness in Article 6 and with all the requirements of Chapter II. The answer to the third question is therefore: Article 9(2)(h) and Article 6(1) of Regulation 2016/679 must be interpreted as meaning that processing of health data based on the former provision is lawful only if it complies not only with the requirements flowing from that provision but also with at least one of the conditions of lawfulness in Article 6(1).

On the fourth question, the Court referred to its settled case law that compensation under Article 82 GDPR presupposes three cumulative conditions: the existence of damage, an infringement of the Regulation, and a causal link between the infringement and the damage.
Since the GDPR contains no rules for determining the amount of damages, national courts must, within the framework of procedural autonomy, apply the domestic rules of each Member State, provided the principles of equivalence and effectiveness are respected. Relying on recital 146, the Court stated that the objective of Article 82 is to provide "full and effective compensation for the damage" suffered. Unlike the sanctions in Articles 83 and 84, it has a compensatory rather than a punitive function, although it also has a deterrent effect against repeating the unlawful conduct. For both material and non-material damage, the amount of compensation should not depend on the gravity of the infringement and should not exceed what is necessary to compensate the damage in full. The answer to the fourth question is therefore: Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the right to compensation provided for in it fulfils a compensatory function, in that monetary compensation based on that provision must make it possible to compensate in full the damage actually suffered as a result of the infringement of the Regulation, and not a dissuasive or punitive function.

On the fifth question, a controller must compensate damage that arises from an infringement of the Regulation; it is not clear from the German language version, however, whether the infringement must be attributable to the controller for the obligation to compensate to arise. An analysis of other language versions and of Article 82(3) shows that the controller is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. Recitals 4 to 8 indicate that the Regulation aims to strike a balance between the rights of the controller and those of the data subject; moreover, an obligation to pay damages regardless of any fault would be at odds with the principle of legal certainty.
As already noted for the previous question, national courts set the amount of damages under their domestic rules, subject to the principles of equivalence and effectiveness of Union law. Article 82 does not require the gravity of the infringement to be taken into account, but the amount must compensate the damage suffered in full. The answer to the fifth question is therefore:
Article 82 of Regulation 2016/679 must be interpreted as meaning, first, that the controller's liability depends on the existence of an infringement attributable to it, which is presumed unless the controller proves that the infringement is not attributable to it, and, second, that Article 82 does not require the degree of that fault to be taken into account when determining the amount of compensation for non-material damage awarded on the basis of that provision.
Comment
In answering the third question, the Court did not directly address the referring court's assumption regarding lawfulness under Article 6(1), namely that the processing was not necessary because another organisation could have processed the data. It did, however, explain in its analysis of the first question (and indirectly in the answer to the second) that the organisation was entitled to process its employee's data in a capacity other than that of employer. It is notable that the Court stated that the differing legal environments of the Member States cannot be taken into account in interpreting EU law. In several of its lines of argument, the Court relied heavily on the recitals.
Combined with CJEU - C-300/21 - Österreichische Post AG, this case exposes controllers to heightened liability for GDPR infringements. Not only is there no minimum threshold of seriousness for non-material damage, but fault on the part of the controller is presumed once an infringement is established: the controller escapes liability only by proving that it is not responsible, and a minor degree of fault does not reduce the amount of compensation.
Further Resources
One of the answers deals with the cumulative nature of the lawfulness bases in Article 6 GDPR and the specific conditions in Article 9 (for special categories of data). An article on the relationship between those, and on the specific conditions for data transmissions and transfers, from the perspective of the EU institutions: http://personaldata-protection.blogspot.com/2021/11/why-is-there-no-article-about.html