CJEU - C-667/21 - Krankenversicherung Nordrhein

From GDPRhub
Revision as of 16:42, 28 December 2023 by Lszabo
CJEU - C-667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Article 9(2)(h) GDPR
Article 9(3) GDPR
Article 24 GDPR
Article 32(1) GDPR
Article 82(1) GDPR
Article 275 (1) Sozialgesetzbuch
Article 2758 (1) Sozialgesetzbuch
Decided: 21.12.2023
Parties: ZQ
Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts
Case Number/Name: C-667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein
European Case Law Identifier: EU:C:2023:1022
Reference from: Bundesarbeitsgericht
I AZR 253/20 (A)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Lszabo

Processing of special categories of data relating to an employee of the controller on the basis of Article 9(2)(h) is lawful, and colleagues may have access to the data, but the conditions of Article 6 must also be fulfilled. The conditions for, and the amount of, damages were also clarified.

English Summary

Facts

MDK Nordrhein is the medical service of the health insurance funds and a public body. It provides expert reports on incapacity for work within its area of responsibility, including for its own employees. In this case a special organisational unit is entrusted with these tasks, and only a limited number of employees, including some staff of the IT department, have access to the "social data" of the employee concerned and to the electronic archives. The applicant worked in the IT department of MDK Nordrhein before becoming unable to work. The health insurer paying the benefits asked MDK Nordrhein for an expert report. The special unit obtained, among other things, health information from the applicant's treating doctor. The applicant then asked colleagues from the IT department to provide copies of the medical expert report.

As the applicant considered that the medical data had been processed unlawfully, the applicant claimed damages of EUR 20,000 from the employer, who rejected the claim.

The applicant brought a claim before the Labour Court Düsseldorf for compensation for the damage caused by the unlawful processing of personal data, arguing that the assessment should have been carried out by another organisation in order to prevent colleagues from having access to the medical data. Furthermore, the security measures around the archiving of the medical report were unsatisfactory.

After the claim was rejected at first and second instance (Landesarbeitsgericht Düsseldorf), the applicant appealed to the Federal Labour Court, which had doubts concerning the following questions:

- whether the exception to the prohibition on processing special categories of data in Article 9(2)(h) is applicable at all, since that provision arguably refers only to processing by a "neutral" third party; subparagraph (b) is not applicable because processing by MDK Nordrhein was not necessary for its rights and obligations as employer;

- whether the controller should, beyond fulfilling the conditions of Article 9(2) GDPR, ensure that colleagues of the data subject do not have access to the medical data;

- whether at least one of the legal bases for lawfulness in Article 6 GDPR must also be fulfilled in addition to the conditions in Article 9(2);

- whether compensation under Article 82(1) also has a deterrent or punitive character, so that the principles of effectiveness, proportionality and equivalence should be taken into account in determining its amount; and, finally,

- whether the liability of the controller depends on whether it caused the damage intentionally or negligently, whether the fault of the controller has to be examined, and whether the degree of any culpability influences the amount of damages awarded for non-material damage.

The questions asked are the following:

1. Is Article 9(2)(h) GDPR to be interpreted as prohibiting a medical service of a health insurance fund from processing its employee’s data concerning health which are a prerequisite for the assessment of that employee’s working capacity?

2. If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR: in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones?

3. If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR: does the permissibility or lawfulness of the processing of data concerning health depend on the fulfilment of at least one of the conditions set out in Article 6(1) GDPR?

4. Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?

5. Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?

Advocate General Opinion

Advocate General Manuel Campos Sánchez-Bordona proposed that the Court answer as follows: Article 9(2)(h) and (3) and Article 82(1) and (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that:

it does not prohibit a medical service of a health insurance fund from processing data concerning the health of an employee of that service, where those data are a prerequisite for assessing that employee’s working capacity;

it permits an exception to the prohibition on processing personal data concerning health, where such processing is necessary for the purposes of assessing the employee’s working capacity and complies with the principles set out in Article 5 and with one of the conditions for lawfulness laid down in Article 6 of Regulation 2016/679;

the degree of fault on the part of the controller or processor does not have a bearing on establishing the liability of either of them or quantifying the amount of non-material damage to be compensated on the basis of Article 82(1) of Regulation 2016/679;

the involvement of the data subject in the event giving rise to the compensation obligation may trigger, depending on the circumstances, the exemption from liability of the controller or processor provided for in Article 82(3) of Regulation 2016/679.

Holding

The Court first recalled that the purpose of Article 9 is to ensure a high level of protection where personal data of a particularly sensitive nature are processed, since such processing involves an especially strong intrusion into the fundamental rights guaranteed by Articles 7 and 8 of the Charter. The list of exceptions in Article 9(2) is therefore exhaustive, and Article 9(3), among other provisions, prescribes a number of guarantees for processing based on subparagraph (h). There is consequently no reason to assume that subparagraph (h) applies only to processing by an independent third party; what is decisive is the purpose for which the data are processed. The Court also noted that the legislation of different Member States may set different limits on having the assessment of ability to work carried out by an independent third party, and that the legal environment of individual Member States cannot be taken into account when interpreting EU law. There is thus no reason to conclude that the wording of Article 9(2)(h) in any way restricts the possibility of processing the data to independent third parties. Moreover, Recital 52 explains that processing in the public interest includes processing for ensuring the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health-insurance system.

Therefore, the answer to the first question is: Article 9(2)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the exception provided for therein is applicable to situations where a medical assessment body processes health data of one of its employees, not in its capacity as employer but as a medical service, in order to assess that employee's ability to work, provided that the processing in question fulfils the conditions and guarantees expressly laid down in subparagraph (h) and in Article 9(3).

On the second question, the Court noted that health data processed under subparagraph (h) must, according to Article 9(3), be processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies. No further requirements can be added to those set out in Article 9(3). That paragraph is therefore no legal basis for requiring that colleagues of the data subject be excluded from the processing. Nevertheless, it has to be examined whether other provisions of the GDPR can serve as a basis for prohibiting colleagues' access to the data subject's health data. Member State law may, on the basis of the power conferred by Article 9(4), lay down further conditions. Such measures should be proportionate and should still enable processing for the purposes referred to in Article 9(2)(h) by organisations that do not necessarily have the size or the technical and human resources needed to satisfy those conditions. These limitations, however, do not derive from the GDPR itself but from those national rules.

In addition, the national court has to examine whether the technical and organisational measures taken in accordance with Article 32 GDPR are satisfactory and sufficient. Therefore, the answer to the second question is:

Art. 9 (3) of Regulation 2016/679

must be interpreted as meaning that the controller processing health data on the basis of Article 9(2)(h) of that Regulation is not obliged to ensure that no colleague of the data subject has access to data about the data subject's state of health. Such an obligation may, however, be imposed on the controller of such processing by legislation adopted by a Member State on the basis of Article 9(4) of that Regulation, or on the basis of the principles of integrity and confidentiality referred to in Article 4 or Article 5(1) and given concrete expression in Article 32(1)(a) and (b) of that Regulation.

On the third question, it has to be taken into account that Articles 5, 6 and 9 are all included in the Chapter entitled "Principles" and concern, respectively, "Principles relating to processing of personal data", "Lawfulness of processing" and "Processing of special categories of personal data". Furthermore, Recital 51 GDPR expressly states that "the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing". The Court has held on several occasions that all processing of personal data must comply with the conditions of lawfulness in Article 6 and with all the conditions laid down in Chapter II. Therefore, the answer to the third question is: Article 9(2)(h) and Article 6(1) of Regulation 2016/679 must be interpreted as meaning that processing of health data based on the former provision is lawful only if it complies not only with the requirements flowing from that provision but also with at least one of the conditions of lawfulness in Article 6(1).

On the fourth question, the Court referred to its established case law according to which compensation under Article 82 GDPR can only be claimed when three cumulative conditions are met, namely the existence of damage, an infringement of the Regulation, and a causal link between the infringement and the damage.

As the GDPR does not contain rules for determining the amount of damages, national courts have to apply, within the framework of their procedural autonomy, the domestic rules of the individual Member States, provided that the principles of equivalence and effectiveness are complied with. Relying on Recital 146, the Court stated that the objective of this provision is to provide "full and effective compensation for the damage they have suffered". Unlike the sanctions in Articles 83 and 84, this remedy has not a punitive but a compensatory function; it nevertheless also has the effect of deterring the repetition of the unlawful conduct. For both material and non-material damage, the amount of compensation should not depend on the gravity of the infringement and should not exceed what is necessary to compensate the damage in full. Therefore, the answer to the fourth question is: Article 82(1) of Regulation 2016/679 must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in that monetary compensation based on that provision must enable the damage actually suffered as a result of the infringement of that Regulation to be compensated in full, and does not fulfil a deterrent or punitive function.

On the fifth question: a controller has to compensate for damage which arose as a consequence of an infringement of the Regulation; it is not clear, however, from the German version of the Regulation whether the infringement has to be attributable to the controller in order for the obligation to compensate to arise. Analysis of other language versions and of Article 82(3) shows that the controller is relieved of the obligation to pay damages if it proves that it is not responsible for the infringement. Recitals 4 to 8 GDPR indicate that the aim of the Regulation is to strike a balance between the rights of the controller and those of the data subject. Moreover, an obligation to pay damages without fault would be contrary to the principle of legal certainty.

As already mentioned in relation to the previous question, in determining the amount of damages to be paid, national courts apply the domestic rules of the Member States, provided that the fundamental principles of Union law of equivalence and effectiveness are complied with. Article 82 does not require the gravity of the infringement to be taken into account, but the amount must compensate the damage suffered in full. Therefore, the answer to the fifth question is:

Art. 82 of Regulation 2016/679

must be interpreted as meaning that, on the one hand, the liability of the controller depends on the existence of an infringement attributable to it, which is to be presumed unless the controller proves that the infringement is not attributable to it, and, on the other hand, that Article 82 GDPR does not require the degree of that responsibility to be taken into account in determining the amount of compensation for non-material damage awarded on the basis of that provision.

Comment

In responding to the third question, the Court did not directly address the referring court's assumption concerning lawfulness under Article 6(1), namely that the processing was not necessary because another organisation could have processed the data; it did, however, explain in its analysis of the first question (and indirectly in its response to the second) that the organisation had the right to process the data of its employee in a capacity other than that of employer. It is noteworthy that the Court stated that the differing legal environments of the Member States cannot be taken into account in interpreting EU law. In a number of its arguments the Court relied to a great extent on the recitals.
