CJEU - C-667/21 - Krankenversicherung Nordrhein

From GDPRhub
CJEU - C-667/21 ZQ v Medical Service of Health Insurance North Rhine
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Article 9(2)(h) GDPR
Article 9(3) GDPR
Article 24 GDPR
Article 32(1) GDPR
Article 82(1) GDPR
Artikel 275 (1) Sozialgesetzbuch
Artikel 2758 (1) Sozialgesetzbuch
Decided: 21.12.2023
Parties: ZQ
Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts
Case Number/Name: C-667/21 ZQ v Medical Service of Health Insurance North Rhine
European Case Law Identifier: EU:C:2023:1022
Reference from:
I AZR 253/20 (A)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Lszabo

The CJEU decided that non-material damages under Article 82 GDPR are limited to moneteray compensation, presuppose causation from the controller and do not take into account the fault of the controller when calculating the amount of compensation awarded for a non-material damage.

English Summary

Facts

The Medical Service of Health Insurance (the controller) is Germany's public health insurance medical review service. It provides expert reports when people say they are unable to work, as well as for its own staff. Before becoming unable to work, the data subject worked for the controller. The insurance company that was paying their benefits requested an expert opinion from the controller. The controller obtained health information from the data subject's doctor in the form of a medical report, which was then distributed to the data subject's coworkers.

The data subject believed that their medical data had been unlawfully processed and sought €20,000 in damages from the controller, who rejected the claims. According to the data subject, the evaluation should have been performed by another organisation in order to prevent coworkers from accessing their medical data. Furthermore, they considered the security procedures around their medical report's archiving to be inadequate.

After being rejected at first and second (Landesarbeitsgericht Düsseldorf) instance, the the data subject appealed to the Federal Labour Court, who referred the case to the CJEU with the following questions:

On the topic of health data

1) Does Article 9(2)(h) GDPR prohibit a medical service of a health insurance fund from processing its employee’s health data when it is a prerequisite for the assessment of that employee’s working capacity?

2) If the Court answers Question 1 in the negative (with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR) in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones?

3) If the Court answers Question 1 in the negative, does the permissibility or lawfulness of the processing of data concerning health depend on the fulfilment of at least one of the conditions set out in Article 6(1) GDPR?

On the topic of non-material damages

4) Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?

5) Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?

Advocate General Opinion

Advocate General Manuel Sánchez Bordona requested that the Court answer that Articles 9(2)(h) and (3) of the GDPR, as well as Articles 82(1) and (3), be understood as:

Not barring a medical service of a health insurance fund from processing data about the health of an employee of such service, when those data are required for determining that employee's working capacity.

Allowing an exception to the prohibition on processing personal data relating to health where such processing is required for the purposes of assessing the employee's working capacity and complies with the principles outlined in Article 5 GDPR as well as one of the conditions for lawfulness outlined in Article 6 GDPR.

Making the degree of fault on the part of the controller or processor have no bearing on establishing the liability of either of them or quantifying the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR.

Allowing the data subject's participation in the incident that gave rise to the compensation duty to trigger, (depending on the circumstances) an exemption from liability for the controller or processor provided for in Article 82(3) GDPR.

Holding

On the topic of health data

On the first question, the exception under Article 9(2)(h) GDPR applies to situations where a public organisation for medical expertise processes health data of one of its employees not as employer but as a medical service, under the condition that the concerned processing fulfils the expressly prescribed preconditions and guarantees in subparagraph (h) and Article 9(3) GDPR. The purpose of Article 9 GDPR is to ensure a high level of protection in case of processing personal data whose level of sensitivity is especially high, involving an especially strong intrusion into the fundamental rights guaranteed by Articles 7 and 8 of the Charter. Therefore, the list in Article 9(2) is exhaustive and among others Article 9(3) prescribes a number of guarantees in the case of processing based on subparagraph (h). However, there is no reason to assume that subparagraph (h) is limited to cases of processing by independent third parties. This is supported by Recital 52 which states that derogation from Article 9 is permitted when it is in the public interest to do so. The quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health-insurance system can be said to be in the public interest.

On the second question, it was held that because the exemption applies, the controller can share the health data to other colleagues. When health data is processed under subparagraph (h) it also has to be processed according to Article 9(3) GDPR. Article 9(3) requirements cannot be read widely as it is explicit in its requirements. Therefore, there is no legal ground to require that colleagues of the data subject should be excluded from the processing. Having said this, member states can derogate from this rule and create higher national standards under the opening clause provided in Article 9(4) GDPR. If a Member State would do this, the CJEU recommends using the principles of intergrity and confidentiality outlined in Article 5(1)(f) and 32(1)(a) and (b) to justify it. These higher standards should be proportionate to allow the relevant organisations outlined in Article 9(2), who may not have the technical and organisational resources to fulfil these conditions, to process health data. It is for a national court to determine whether the technical and organisational measures, according to Article 32 GDPR, are satisfactory and sufficient.

On the third question, if 9(2)(h) applies, it must not only comply with the provisions set out in the article, but also fulfill at least one legal bases from Article 6(1) to be considered lawful processing. This can be inferrred from Articles 5, 6 and 9 GDPR which are all included in the Chapter titled “Principles” and concern “Principles relating to processing of personal data”, “Lawfulness of processing” and “Processing of special categories of personal data”. Recital 51 GDPR expressly mentions that “the general principles and other rules of this Regulations should apply, in particular as regards the condition for lawful processing". The Court has also decided multiple times that the all processing of personal data has to comply with the preconditions of lawfulness in Article 6 and that all preconditions of Chapter II GDPR have to be complied with.

On the topic of non-material damages

On the fourth question, Article 82(1) GDPR has a compensatory instead of deterrant or penalising function. Compensation is limited to monetary compensation and should fully compensate the damage suffered caused by the infraction of the GDPR. The Court reffered to the established case law that compensation can only be required based on Article 82 GDPR, when all of three cumulative conditions are fulfilled; 1) the existence of a damage, 2) an infringement of the Regulation, 3) a causal relationship exists between the infringement and the damage. The GDPR does not contain rules to define the amount of damages. National courts have to apply domestic rules of the individual Member States as far as the principles of equivalence and effectivity are complied with. Based on Recital 146, the Court states that the objective of this rule is to provide for “full and effective for the damage they have suffered”. Different from the sanctions in Articles 83 and 84, this sanction has not a penalising, but a compensating function. It has nevertheless an effect to deter from repeating the unlawful behaviour as well.

On the fifth question, Article 82 GDPR needs causation (which is presumed unless the controller can prove otherwise) and does not require an assesment as to the degree of the controller's responsibility when calculating the amount of compensation awarded for a non-material damage. A controller has to compensate for a damage which arose as the consequence of an infringement of the GDPR. Recitals 4 to 8 GDPR indicate that the aim of the Regulation is to establish a balance between the rights of the controller and of the data subject. On one hand the responsibility of the controller depends on the existence on an infringement which is to be attributable to it. On the other, this is to be assumed unless the controller can prove that they have not caused it. An obligation to pay damages without causation would contradict the principle of legal certainty. However, once the existence of a damage is ascertained, Article 82 does not require national courts to take into account the gravity of the infringement or the extent of the controller's responsibility to quantify damages. Instead, the amount should be calculated to compensate fully the damage suffered.

Comment

In responding to the third question, the Court did not address the referring court's assumption concerning lawfulness under Article 6(1) that the processing was not necessary because another entity could have processed the data, but explained in the analysis of the first question (and indirectly in the response to the second) that the body had the right to process the data of its employee in a capacity other than its employer.

Combined with the case of CJEU - C-300/21 - Österreichische Post AG, this case makes controllers subject to a heightened liability for GDPR breaches. Not only is there no mimum material threshold for damages, the degree of fault from the controller is not relevant to the quantity of damage. If fault/degree of responsibilty would have been accepted by the court, damages could be limited to the extent that the controller has caused the damage, paving the way for smaller payouts to data subjects.

This case should be read in conjunction with CJEU - C‑340/21 - Natsionalna agentsia za prihodite, which also addresses non-material damages. It holds that, under Article 83(2), the controller cannot be exempt from liability for damages simply because the damage was caused by third parties (hackers), and that fear of potential misuse of personal data is sufficient to give rise to non-material damages under Article 82(1).

Further Resources

One of the answers deals with the cumulative nature of the lawfulness bases in Art. 6. GDPR and the specific conditions in Art. 9 (for special categories of data). An article dealing with the relationship of those and also the specific conditions for data transmissions and transfers - from the view of EU institutions: http://personaldata-protection.blogspot.com/2021/11/why-is-there-no-article-about.html