LAG Düsseldorf - 12 Sa 186/19

Court: LAG Düsseldorf (Germany)
Jurisdiction: Germany
Relevant Law: Article 9 GDPR; Article 22 BDSG (Federal German Data Protection Act)

Decided: 11. 3. 2020
Published: n/a
Parties: anonymous
National Case Number: 12 Sa 186/19
European Case Law Identifier: ECLI:DE:LAGD:2020:0311.12SA186.19.00
Appeal from: n/a
Language: German
Original Source: Justiz-Online (in DE)

The Regional Labour Court Düsseldorf (LAG Düsseldorf) described appropriate technical and organisational measures to protect health data against unauthorized access by the internal IT department.

English Summary

Facts

The defendant operates a medical service that, as in the plaintiff's case, can process social data in the form of health data at the request of a person's health insurance company. Because the plaintiff and his colleagues both work in the IT department, those colleagues gained knowledge of the plaintiff's health data.

Dispute

Whether the defendant has taken appropriate and specific measures in accordance with the German Federal Data Protection Law and Art. 9 GDPR to protect health data from unauthorized access by employees.

Holding

The court emphasized that the physical examination of an employee represents a significantly more serious intervention in the employee's personal sphere than an assessment based on the file. This differentiation meets the requirements of Section 22 (2) of the German Federal Data Protection Law ("BDSG"). Art. 9 Para. 2, 3 GDPR in conjunction with Section 22 Para. 2 BDSG requires appropriate and specific measures. One is that only professional personnel who are subject to professional secrecy may process the health data. This is the case here due to medical and social secrecy. This alone is not sufficient within the meaning of Section 22 (2) BDSG, but it must be included in the assessment of whether the defendant has taken appropriate and specific measures. Access within the defendant's organisation is restricted through technical and organizational measures (Section 22 (2) No. 5 BDSG). The personal data is only accessible to people who need it to perform their tasks. The access rights are determined by assigning rights and roles related to the occupational groups. The access authorization is further divided according to the occupational group-specific role for the 36 employees of the area to which the plaintiff belongs. The court found that it is undisputed that the IT department is uniformly responsible for the entire protected area. Further protection is provided because the access and processing history of the data is logged, recording who performed which action on the personal data. The defendant also made clear to its employees through internal guidelines that they should not simply access the plaintiff's health data outside their remit. The court decided that this must also have been clear to the IT department. Taken together, the measures were sufficient to convince the court that appropriate technical and organisational measures had been taken to protect the plaintiff's data.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the German original for more details.

2
The parties disagree as to whether the defendant is obliged to pay the plaintiff compensation and material damages for a breach of data protection regulations and his personal rights assumed by the plaintiff.
3
The plaintiff, born on July 10, 1956, had been working for the defendant, the N. Dienst der Krankenversicherung Nordrhein, which had a total of 1,049 employees in eight locations in 2018, since September 1, 1999, most recently in the IT area as a system administrator and employee in the help desk. The plaintiff's place of work was located in E. The plaintiff was severely disabled with a GdB of 60. He last earned 5,812.00 euros gross per month, this sum consisting of the gross salary of 5,446.00 euros, the family allowance of 306.00 euros and 40.00 euros assets. A data protection officer was appointed by the defendant.
4
In 2018, the defendant prepared a total of 663,467 expert reports for the statutory health insurance funds. The data processing was done by the software Ismed 3. There was a service agreement between the defendant and the staff council regarding the use of Ismed 3 (hereinafter DV Ismed 3). This included:
5
"...
6
2. Scope
7
The service agreement applies to all employees who have access to the Ismed 3 software.
8
...
9
6. Personal identification on the system
10
A software certificate is required for the registration process and working with Ismed 3. ...
11
7. Access rights
12
The Ismed 3 software is accessed through the use of a software certificate.
13
The access rights in Ismed 3 are determined by the assignment of rights and roles (see Appendix 2 - role concept, escalation routines and rules). ...
14
8. Evaluations
15
In the system, personal data (who carries out which action) is logged in the attribute history and process history and can be used for the purposes of network and operational security.
16
...
17
Access to anonymized or non-anonymized data for the purpose of individual behavior and performance control does not take place unless the legal participation process has been carried out beforehand.
18
...
19
9. Training
20
All employees who are to work with the system are trained before the introduction of the Ismed 3 software.
21
10. Data protection
22
Data protection is ensured on the basis of the legal regulations of the Federal Data Protection Act, State Data Protection Act, Social Data Protection Act, etc. Suitable organizational measures are taken to comply with the special requirements for employee data protection in accordance with § 35 SGB I.
23
... "
24
In Appendix 2 "Role Concept in Ismed 3" to DV Ismed 3 it stated, among other things:
25
"In order to be able to carry out certain activities, every employee needs different rights within Ismed 3. The sum of different individual rights is reflected in the roles. There are currently six standard roles in Ismed 3, which can, however, be expanded or supplemented. One user can have multiple roles if their area of responsibility so requires. The roles are:
26
(1) Role-related roles
27
"Administrative staff" for assistants
28
An administrator can, for example, create orders, record documents, process and forward expert reports.
29
...
30
"Reviewer" and "Reviewer Function" for reviewers:
31
An appraiser creates assigned appraisals
32
Each location has a group work basket for experts. The role of appraiser controls the view and the accessibility to the group work basket appraiser.
33
Appraisers also have the role of appraiser function, which gives them the authorization to approve appraisals.
34
...
35
(2) Location reference
36
The group work baskets are fanned out for each regional or functional location. They only become visible to employees when they receive at least one order.
37
...
38
- The administrators and the internal auditor are set up on the virtual location "E. (Hverw.)" as the primary organizational unit.
39
- A virtual "special case" location has been set up for processing the reports of employees and their relatives.
40
(3) Additional roles
41
The individual compilation of the roles and rights of an employee always has at least one location reference (primary organizational unit) and depicts a professional role. Additional roles can also be assigned to employee groups with special tasks.
42
... "
43
For further details, reference is made to the exposure of the DV Ismed 3 along with Appendix 2 that is filed. The operation and further development of this software are the responsibility of a joint venture in accordance with § 219 SGB V of the defendant and the N. services of health insurance companies in Bavaria and Thuringia. The data was stored in the data center of C. GmbH in N. The purpose of C. GmbH was the development, maintenance and provision of data center services for statutory health insurance. As a service provider, C. GmbH processed only social data from statutory health insurance. The data in the C. GmbH data center was client-specific, i.e. the defendant's data was separate from that of other medical services. According to the defendant's IT security policy, the aim was to meet the basic requirement of the basic protection compendium of the Federal Office for Security and Information Technology.
44
The plaintiff had been ill continuously since November 22, 2017. Since May 24, 2018, he received sick pay of EUR 88.34 per calendar day from his health insurance company. On 06.06.2018, the plaintiff's health insurance company commissioned the defendant as a medical service to remove doubts about his incapacity to work. For such an appraisal case the defendant had the "Instructions for the protection of social data of the employees of North Rhine-Westphalia and their relatives" (hereinafter DA social data). This included:
45
"1. Purpose and purpose
46
... The instructions serve the purpose of complying with the legal obligation according to § 35 Paragraph 1 Clause 3 SGB I and § 94 Paragraph 3 SGB XI and to avoid the appearance of a conflict of interests.
47
It is of particular concern to North Rhine-Westphalia to avoid the resulting preferences or disadvantages and to ensure special protection of social data.
48
Therefore, social data of employees and their relatives should not be collected or stored at the employee's place of employment.
49
This presupposes that the employee reports appropriate constellations to his health / long-term care insurance. The notification to the health / long-term care fund is given with every contact, for example also in the event of objections to performance decisions, since the case in the N. was already closed after the expert opinion was drawn up and in this case there is otherwise no labeling as a special case without a new note.
50
...
51
3. Explanation of terms
52
3.1. Social data of employees and their relatives
53
...
54
Social data of the employees or their relatives arise when the N. North Rhine is commissioned by the responsible health or long-term care insurance company to assess the social-medical requirements for benefits under the SGB for a N. employee or his relatives. They must not be confused with "employee data" that arise or are processed in the context of an employment / service relationship.
55
3.2. Authorized access
56
Employees who have knowledge of the social data of their employees and their relatives or who have been given the opportunity to access this data (competent experts and assistant employees) are entitled to access. The names of the responsible employees are stored in the attached "access concept".
57
4. Principle
58
In principle, employees and their relatives may not be examined at their place of employment or at their office. The relevant documents may not be kept there, and the social data may not be stored there. The following rule applies to the use of Ismed 3: For all employees who work at the E. location, the employees named in the "Special Case" organizational unit in E. are responsible. The employees of the organizational unit "Special Case" in E. are responsible for employees at the other locations.
59
The social data may only be used by the authorized users for the processing purposes provided. Disclosure to unauthorized third parties is prohibited.
60
5. Procedure
61
5.1. Organizational unit special case
62
a) Ismed 3
63
The affected employee or family member informs his health insurance company in advance of the appointment of the N. that his documents may only be given to the BBZ responsible for processing special cases. To send the order documents, he submits the labeled envelope to his health insurance company, which is already correctly addressed to the "Special Case" organizational unit.
64
Assessment orders within the framework of SGB V (health insurance), which concern the employees of North Rhine-Westphalia or their relatives, must be received in the responsible "Special Case" organizational unit and may only be processed there.
65
If the order for the assessment of an employee or the relative of an employee is incorrectly received in the BBZ without a marked envelope, the forwarding will take place in accordance with the attached "Kurzinfo Spezialfall". The setting of the "special case" characteristic takes over an already created case with the associated documents in the "special case" organizational unit. The case is no longer visible to the other employees. The ordering health insurance company receives a submission message.
66
...
67
5.2. SFB / file situation
68
a) Ismed 3
69
The incoming cases are marked as "special case" and processed exclusively by the designated employees of the organizational unit "special case". The cases must be processed as product type "SFB with statement" or "KH-SFB" and stored in the electronic archive.
70
...
71
5.4. Archiving
72
a) Ismed 3
73
After completing the appraisal order within the framework of the SGV V (health insurance), complete the order with the expert opinion including the electronic medical documents remaining with N. North Rhine and store them in the electronic archive.
74
...
75
5.5. Assessment orders with a physical examination for employees / relatives of the North Rhine region
76
In the case of an assessment order within the framework of SGB V or SGB XI, which would include a physical examination for an employee / relative of an employee, the assessment is carried out by the miners' social service.
77
a) Ismed 3
78
If the assessor determines in a special case that a physical examination is unavoidable, the documents are handed over to the assistants of the "Special Case" organizational unit for further reasons.
79
The expert closes the case with the key:
80
"90 Recommended for assessment" (see "Training document special case").
81
The conclusion is made as a product type "SFB without comment".
82
The doctor and the assistant of the "Special Case" organizational unit hand over the order to the chief doctor of the miners' association, who instructs the ministry department that is closest to the assessor's place of residence and subsequently arranges for the report to be sent back.
83
The electronic archiving is carried out by the assistants of the "Special Case" organizational unit, who scan the report on the order.
84
The actual preparation of the expert opinion by the Federal Knappschaft is to be monitored by the "Special Case" organizational unit.
85
... "
86
For further details, reference is made to the copy of the DA social data submitted to the file as well as the special case brief on Ismed 3, the workflow and the cover "special case" and the training document special case. Reference is also made to the directory of the processing activity provided by the defendant in the copy to the file in accordance with Art. 30 Para. 1b GDPR for the processing activity "Assessment of own employees and their relatives" together with attachments. A total of 36 people were given access to the protected area. These were medical staff, assistants and IT technology staff. The access authorization for processing the special cases was in accordance with Appendix 3 to the defendant's brief of October 16, 2019, to which reference is made for the details, divided into "Outpatient care section" with the counseling and assessment centers (BBZ) E. and E., to which doctors and assistants were assigned, "Inpatient care section" with BBZ E. and E., each with doctors, coding specialists and Assistants were assigned, "Sub-area MFB treatment errors with the BBZ N." and in "IT department" with the headquarters in E. with nine employees from the IT department. The plaintiff was one of these nine employees. The IT department was not only responsible for E., but overarching, i.e. also for the BBZ in E. All employees in the protected area were committed to social secrecy. They were obliged to do so in writing when they were hired and were informed of the criminal and labor law legal consequences of an injury. The defendant's employees were trained on the importance of § 35 SGB I and compliance with social data protection as part of regular training.
87
On June 12, 2018 there was a conversation between the plaintiff, his wife and the defendant's BEM representative as part of a BEM procedure, the content of which is just as contentious between the parties as the question of who took the initiative on the BEM.
88
The plaintiff's health insurance company had received the order for an expert opinion by post in the defendant's BBZ E. The order was assigned directly to the so-called electronic protected area by the responsible clerk. The plaintiff had not used a special case envelope with the health insurance company. The report was prepared by the doctor Dr. med. I., who worked at BBZ E. and worked in the protected area. In this connection, she called the plaintiff's doctor on June 21, 2018 and asked for information in order to verify the plaintiff's incapacity to work. The attending doctor informed the plaintiff of this telephone call. The report prepared on August 22, 2018 included the following information:
89
"Diagnosis (s): F32.2 - Severe depressive episode with no psychotic symptoms
90
...
91
Mr. NS, born 07/10/1956
92
Documents / med. Documents:
93
...
94
Telephone call on August 21, 2018
95
Assessment / answering the client's questions:
96
After consultation with the treating psychiatrist, a return to work can be expected in about two months if partial stabilization has already occurred.
97
No further measures are required to restore professional performance.
98
The insured is already in discussion with the AG.
99
...
100
Result: From a medical point of view, AU
101
... "
102
For further details, reference is made to the copy of the expert report (Bl. 89, 90 dA) that was filed with the file. The report dated June 22, 2018 was stored electronically in the defendant's protected area. The order data with the master data and the assessment data were saved separately in two databases. Access from the order data to the assessment data was made using a key stored in the Oracle encryption library. Without this, order data could not be assigned to individual insured persons. Only if a reference to the order was created could an access-authorized user automatically assign the assessment data to the order using the Oracle encryption library. The system could only be accessed by an authorized user, which was technically checked by the system. The appraisal order was kept as an open order until it was completed and then archived. You could only access again using the encryption package in the encryption library. Technically, even after the conclusion of the expert opinion dated June 22, 2018 regarding the plaintiff, the nine IT employees in the protected area were able to access it. Persons who made or participated in personnel decisions for the defendant had no access and were also given no knowledge.
103
On August 1, 2018, the plaintiff called his colleague, IT employee T. At this point in time, Ms. T., as an IT employee, was authorized to access the so-called special cases. The plaintiff asked Ms. T. to see if he had an expert opinion. Ms. T. checked this manually and informed the applicant that this was the case. The plaintiff then asked Ms. T., referring to the long-standing collegial cooperation, to photograph the report and send it to him. This was done by Ms. T. The transmitted image file was the screenshot passed to the file. The defendant became aware of this fact after he had investigated the matter after the appointment in front of the cognizant chamber on November 13, 2019 by the internal auditor with the participation of the staff council. In addition to Ms. T.'s access on August 1, 2018, only the employee who was directly entrusted with processing the case or preparing the report had access to it, according to the log file of the plaintiff's report.
104
By letter dated August 15, 2018, the plaintiff, through his legal representative, requested the defendant to pay compensation of EUR 20,000.00. The defendant rejected this in a letter dated September 3, 2018.
105
The claimant received his sick pay on May 15, 2019.
106
The defendant gave notice of termination without notice on December 5, 2019 and on December 12, 2019. The first termination without notice took place before the expiry of the deadline set by the Inclusion Office for comment by 6 December 2019. In the previous hearing with the plaintiff, the defendant justified the dismissal by claiming to bring the present case with the aim of material and immaterial damages because a colleague had accessed the report. This was done with the indication that he would have been able to work much earlier without the data protection violation. The colleagues now knew what illness the plaintiff had and he, the defendant, had not done everything to protect his confidential data. According to the factual situation, the allegations are not tenable. The relationship of trust was shaken by this behavior. The plaintiff has brought an action against the dismissal protection against the Düsseldorf Labor Court. Both dismissal protection proceedings were pending at the time of the last oral hearing on March 11, 2020 and were not legally decided. The defendant heard his staff council terminate Ms. T.'s contract without notice and in the alternative.
107
The plaintiff said that he was entitled to a claim under Article 82 (1) GDPR, which he could also base on Article 823 (1) BGB in conjunction with Article 2 (1) and Article 1 (1) GG. The defendant had seriously violated his right to privacy. As his employer, he was not allowed to perform the duties of the medical service and was therefore allowed to obtain his health data. He took insufficient precautions to protect this data. This is already confirmed by Dr.'s telephone inquiry. I. at the doctor treating him. It was a colleague with whom he had to deal from time to time, even if she worked at the E. location. She was not allowed to contact the doctor treating him without his consent. If anything, the contact was made in writing in the so-called handling procedures had to take place. The telephone inquiry leaves room for learning more than a written inquiry and suggests deliberate action on the part of the defendant. In the case of information requested by telephone, the later saving does not "automatically" reproduce the content of the previously discussed completely and correctly. And the fact that a colleague from the protected area asked by phone gave him justified cause for concern that more was asked than was evident from the stored data. In addition, the health data collected had to be assigned to the protected area in the first place and had previously been visible outside of this area. It wasn't just the IT staff as his immediate colleagues, all employees in the protected area had access to the report dated August 22, 2018. Visibility alone is a serious personal injury because the person concerned does not know who has consulted. The defendant as an employer must also ensure data protection vis-à-vis his colleagues, as he also does towards employees outside the protected area. The defendant knew of a corresponding gap in data protection without remedial action. The former head of the staff council had informed the defendant's data protection officer.
The plaintiff said that non-physical examinations should also have been given to a third party such as the miners, which at least has happened in the past. In addition, that he was mentally ill. This health data in particular is particularly sensitive because it can be assigned to the highly personal area and is not automatically recognizable to the outside world. The spread of such a disease within the workforce is a very considerable burden. The fact that the HR managers have no direct access right is irrelevant because the information about his mental state is spread like wildfire behind the scenes and would also reach the HR department. The plaintiff argued that § 35 SGB I did not concern the facts at issue here.
108
The plaintiff alleged that he was first informed by a person who was also working in the "specially protected IT area" in a telephone call that at least about 10 of the employees and direct colleagues there had access to health data about him the diagnosis of a mental illness (page 4 of the application of September 28, 2018). Further explanations about the telephone call are not important, because this telephone call is not a factual criterion that justifies the claim, but merely shows how he had learned that there was an expert opinion on his mental health condition that was also protected by his colleagues in the protected the area was easily visible (page 7 of the brief from 07.01.2019). It must therefore have been inspected in the data concerning him, which is also confirmed by the fact that he had been informed by a colleague about the existence of the expert's opinion obtained from the defendant. This colleague also sent him a screenshot of the report (page 8 of the brief dated 07.06.2019).
109
The plaintiff also said that tensions with the employer also contributed to his mental illness, which resulted from the fact that the defendant, despite a medical certificate, refused to use him in another area of the administration. Ultimately, this procedure is not important. This is on a different page.
110
The applicant has applied for
111
Order the defendant to pay him compensation at the discretion of the court, but at least EUR 20,000.00.
112
The defendant has applied for
113
reject the complaint.
114
He was of the opinion that he could also carry out his legal duties in the case of the plaintiff. Due to the assignment to the protected area, he only found out about the order from the plaintiff's health insurance company for assessment because of the complaint. The telephone contact and data collection by the doctor Dr. I. was done according to § 276 SGB V, which contains a duty of disclosure by the treating doctor. If the attending physician was of the opinion that Dr. I. had not identified sufficiently, so he could have refused to provide information. The doctors calling would identify themselves with the relevant information. If there is any doubt, the doctor treating the patient will be offered a call back. The reference to the handling process is wrong because it no longer exists due to data protection concerns. The handling of the data in question is regulated by § 35 SGB I, which has not been changed even under the new GDPR.
115
The defendant denied that an employee from the protected IT area had informed the plaintiff that someone from the particularly protected area had unauthorized access to the health data. The applicant does not name this person.
116
Since the plaintiff had not commented on the result of the BEM, the defendant asked the plaintiff to lodge an application for pension on 3 January 2019. Moreover, you yourself had no doubt about the plaintiff's incapacity to work and made no use of Section 5 N.-T. According to Section 36 N.-T, however, she may ask the plaintiff to apply for a pension if the conditions for reduced earning capacity are met.
117
The labor court dismissed the claim for compensation by judgment of February 22, 2019. Regarding the plaintiff's application after the oral proceedings on January 18, 2019, to state that the defendant was obliged to compensate him for the material damage that had arisen and will arise from the violation of his right to personality alleged with the complaint, the labor court did not rule because it saw no reason to reopen the hearing. The plaintiff lodged an appeal against the judgment delivered to him on March 7, 2019 on March 14, 2019 and justified it on June 7, 2019 after extending the period for appeals.
118
The plaintiff is of the opinion that the labor court did not adequately assess the fact that this concerns health data that could be collected by a colleague and viewed by colleagues. Insofar as the labor court established the permission and necessity of data collection with Art. 6 Para. 1 Letter c GDPR in conjunction with §§ 275, 276 SGB V, it only examined the concept of "necessity" in the sense of one condition. Necessity within the meaning of Article 6 (1) (c) GDPR should be understood as a reference to compliance with the principle of proportionality. The understanding of the labor court that an assessment is not possible without data collection is not enough. It should be looked at what type of data it is and only then can an overall assessment be made to determine whether the severity of the intervention is still tolerable in relation to the justifying reasons. And it does not follow from the admissibility of the collection of the data that their further processing is lawful. Even if the colleagues had to access his data in order to perform their tasks, this says nothing about their further processing and storage, as well as appropriate measures against data misuse. The point is that the colleagues in the protected area were able to see the expert opinion, which was at least possible for his immediate colleagues, because in the process of the automatic data comparison name, address and ICD number are visible. He, the plaintiff, assumed that employees of the protected area would be assessed by the miners.
119
It should also be taken into account that this is not just any data, but rather the health data that is particularly protected in accordance with Art. 9 GDPR. Stricter requirements would apply here again. Special precautions and increased protection would have to be guaranteed. This applies in particular to conditions and guarantees from Art. 9 Para. 3 GDPR. Under this condition, Article 9 GDPR permits the collection of health data to assess the employability of employees. However, this does not have the local situation in view, because typically the medical service assesses the work ability of people employed elsewhere. Then the confidentiality of the doctor is a fairly certain guarantee that colleagues of the employee and his colleagues will not find out about it. In this respect, there is no operational cooperation from the outset. Article 9 (2) (h) GDPR is tailored only to this normal case. Only then would the reference to confidentiality suffice. It was different here. That his colleague Dr. I. are subject to medical confidentiality and social secrecy, do not change the fact that they do not concern his health data as a colleague. § 35 SGB I do not change anything.
120
He does not have to show how the defendant gets out of the bind. But there is the way of the assessment over the miners. In addition, it can be deduced from the GDPR that certain technical measures, such as pseudonymization, could also be created for protection.
121
The defendant's general organizational precautions regarding data protection had nothing to do with the facts in question here. The defendant did nothing in this regard. The fact that he had no insight as an employer was just as insignificant as his colleagues' obligation to protect social data. Especially from the aspects of data reduction and data economy, it is not understandable that his closest colleagues of all people were able to see the data. It would have required another security mechanism, such as the four-eyes principle, or the external assessment with subsequent storage, if necessary. In an email dated 03.07.2018, the former head of the staff council confirmed that there was a gap in the procedure if the order arrived in the data exchange, i.e. the defendant online from C.GmbH will be transmitted. The software does not notice if it is an employee's data. This could result in employees outside the protected area also seeing this data and a colleague being entrusted with the report. A counter-run of the employee directory would have been necessary when the data was received. The head of the staff council had generally asked for better protection of employee data because it could at least be viewed by people in the protected area.
122
The plaintiff is of the opinion that adherence to the written form serves to protect the health data, because in face-to-face conversation there is more the disclosure of further, unnecessary information, without this being understandable. This was especially true when the appraiser was a work colleague. The defendant, on the other hand, seemed more likely to object to the behavior of the person from the group of colleagues, who had informed him by sending the screenshot of the report. Here the "whistleblower" becomes the culprit, which detracts from the defendant's responsibility. For understandable reasons, he did not want to name this person. However, this does not change the accessibility. Otherwise, the person would not have been able to send him the expert opinion (page 11 of the brief dated November 6, 2019).
123
With regard to the material damages claimed, the plaintiff claims that without the personal injury in dispute, the treating physician has assessed the defendant to have been able to resume work from December 2018. Without the personal injury, he would still have been sufficiently mentally resilient in late summer 2018 for the gradual reintegration offered by the defendant. He would have followed his doctor's advice and actively asked for reintegration, which would then have been carried out. Its operational capability would have been restored within a few weeks. Moreover, in parallel to the medical liability law and the claim for damages in the event of a violation of the traffic safety obligation of the defendant, that the same damage had occurred even if it had been dealt with properly.
124
The plaintiff points out in a document dated December 17, 2019 that this is a civil procedural dispute. The object of the dispute on which he based the damages was determined solely by him as the plaintiff. As far as the factual basis of liability is concerned, it is of no importance at all that the defendant's last focus on who and why he accessed his expert opinion. At no point did he say that a colleague looked at the report on his own initiative and submitted it on his own initiative. At no time did he base the factual basis of liability on this. For this, he had an upstream issue, namely the telephone call from Dr. I. parked with his treating doctor. His lawsuit is based on the fact that the defendant was responsible for inadequate security structures within his own organizational area that his case was Dr. I. was assigned as a colleague from the protected area. The defendant's liability was derived from the phone call with his doctor right from the start. A later inspection of the expert opinion could not change the previously established liability-based fact. Liability can also be based on several acts of infringement. But he didn't do that. With his lawsuit, he did not assert the fact that access to the expert report had occurred as a fact that justified liability. His statements regarding the inspection by a person working in the protected area and regarding the transmission of the screenshot were made solely for the purpose of illustration that the defendant's house had completely inadequate security measures against later unauthorized access to the data. An employee of the protected area can call up the opinion of a work colleague. Protection measures and controls were lacking. A functioning of the security systems, as the defendant assumes, could not be spoken of in the first place if, in the event of the assessment of a N. employee, no precautions were taken for outsourcing. Instead, the defendant tried to label him and Ms. T. as the perpetrators and to silence them.
125
The fact that the telephone call with Ms T. had confirmed that the expert opinion in the protected area was readily visible should also be taken into account when assessing the extent of the damage. This also applies to the fact that the defendant does not apologize, but instead goes into a counter-attack and accuses him of fraudulent proceedings by hiding the factual submission. He claimed that the apparently ineffective termination was also a further violation of the law in the course of this proceeding, which had to be taken into account when increasing the claim for compensation that was uniformly attributable to him. The same applies to the immediate termination threatened to Ms T. by the defendant, which - even though the case is unjustified - has triggered a remorse for him. If individual, familiar employees were not allowed to speak about data protection omissions, this would be all the more difficult to prove. In view of his degradation, a sensitive amount of compensation had to be fixed because the defendant tried to turn the tables and make the victim the culprit.
126
Insofar as the State Labor Court in its evidence decision of November 13th, 2019 focused on the fact that it would be fully operational again in December 2018 if the social-medical report had not been saved in the protected area, this did not correspond to its factual presentation. The order of evidence was to be amended so that it should read if it did not correspond to that of Dr. I would have made a call to his treating doctor. The primary damage lies in an infringement of intangible rights against him resulting in a consequent uniform intangible claim for compensation based on overlapping legal bases, namely Art. 82 in conjunction with Art. 9 GDPR, Art. 1 GG in conjunction with Section 823 (2) BGB and Section 823 para. 1 BGB. And of course his doctor told him about the call from Dr. I. may teach.
127
In the appointment on March 11, 2020, the plaintiff's representative, when asked by the court, stated that he would only give material damage compensation on the telephone call of Dr. I. have turned off. He did not base his liability on a call to a colleague regarding the storage of the report. The storage of the expert opinion should not fill the liability, but fill the liability as a further consequence of the liability-based circumstance of the call by Dr. I. and also the inadmissible assessment by this person. But it is the case that he wants to claim the storage of the expert opinion as compensation, insofar as it concerns compensation for non-material damage, i.e. as a data protection violation, which, in his view, justifies such compensation, in addition to the other reasons he claims.
128
The applicant claims that
129
to amend the judgment of the Düsseldorf Labor Court of February 22, 2019 - 4 Ca 6116/18 - and
130
1. Order the defendant to pay him reasonable compensation at his reasonable discretion, but at least EUR 20,000.00;
131
2. Order the defendant to pay him material compensation in the amount of the loss of earnings in the amount of EUR 5,812.00 gross less EUR 2,653.00 net for the months December 2018, January 2019, February 2019, March 2019, April 2019 and May 2019 as well as EUR 5,812.00 gross for the months of June 2019, July 2019, August 2019, September 2019 and October 2019 plus interest at a rate of 5 percentage points above the base rate since pending;
132
3. For the period up to October 2019, to determine in the alternative that the defendant is obliged to compensate him for the material damage that has arisen and / or will arise from the violation of his personal right alleged with the lawsuit and
133
4. For the period from November 2019 to determine that the defendant is obliged to compensate him for the material damage that has arisen and / or will arise from the violation of his personal right alleged with the lawsuit.
134
The defendant claims that
135
dismiss the appeal.
136
He defends the judgment of the labor court. The basis for the data collection are §§ 275, 276 SGB V. He has taken all precautions, moreover, that no one gets knowledge of the employee data, which they may not receive. The IT employee does not work with normal data traffic, but only with error messages. This is unlikely to have happened to the plaintiff. Technically, several 100,000 reports ran through the system without an IT employee having to intervene. The employee only has to correct the data transmission error in the event of errors. A knowledge of the content of the report is neither necessary nor permitted.
137
The defendant believes that contacting the assessing doctor by phone with the doctor treating the patient does not violate data protection because two confidential agents communicated. The health insurance company's mandate for assessment made data collection necessary. Section 276 (2) SGB V also regulates the transmission obligation of a service provider. It was precisely the legal aim to have an immediate exchange. In addition, it adhered to the principle of data economy. It had only collected the data necessary for the plaintiff's assessment. Otherwise, Dr. I. in E. and the plaintiff in E. .. Both would not have worked in the same protected area.
138
As far as the plaintiff describes the colleague who sent him a screenshot as a whistleblower, this does not apply. In the knowledge of social data protection, none of their employees would contact the plaintiff actively and without being asked to transmit the screenshot or other data from the plaintiff's file. However, it is conceivable that the plaintiff had contacted a colleague from the group of those with special access rights and had tempted him to look into the system to see whether and if so what data was stored there. The plaintiff may explain himself.
139
After knowing the plaintiff's call to Ms T., the defendant said that there was already no data protection breach in relation to the plaintiff because he had authorized Ms T. to inspect his data. The fact that Ms T. had violated any instructions in relation to him, the defendant, did nothing to change that. Without the phone call to Ms. T., no one would have had access to the report. It would have remained dark and protected in the system. All this shows that the complainant's allegations are not tenable after all. Rather, the plaintiff's factual presentation incorrectly suggested that a colleague had spoken to him about the report in a telephone call.
140
With regard to material damages, the defendant claims that the plaintiff's submission on alleged recovery after reintegration is without any basis without the alleged breach of duty. Finally, he was offered reintegration under the BEM. The plaintiff did not react to this. He, the defendant, followed the recommendations of the plaintiff's doctor almost completely during the reintegration. Only the plaintiff rejected the reintegration. He simply no longer wanted to be used in the area of administration and the help desk. There was also no factual lecture to adequately causally cause the alleged damage caused by the alleged data protection violation. This should have taken place at a time for which the plaintiff had been unable to work for several months due to the same diagnosis and illness. In view of the plaintiff's unsustainable presentation, it was not necessary to obtain a medical expert opinion. The lawsuit is wanton. Had knowledge of the call from Dr. I. if the doctor treating him had made him unable to continue working, the plaintiff's doctor should have kept this call to himself.
141
For further details, reference is made to the changed briefs in addition to the annexes and minutes of meetings in both instances, as well as the notice resolution of 25.09.2019, the evidence decision of 13.11.2019 and the decision of 16.01.2020.
142
DECISION REASONS:
143
A. The plaintiff's admissible appeal is unfounded because the admissible claims are unfounded. The plaintiff can neither demand compensation from the defendant for non-material damage nor compensation for the material damage claimed by him.
144
I. The plaintiff cannot demand compensation from the defendant for non-material damage. The relevant claim for 1. is admissible but unfounded.
145
1. The application for action to 1. is admissible.
146
a) The claim for 1. is sufficiently determined within the meaning of Section 253 (2) No. 2 ZPO. For this, it is sufficient for the claim for compensation asserted here that the plaintiff states the facts that the court is to use in determining the amount and specifies a magnitude of the claim made. These requirements are met. In accordance with Section 69 (2) ArbGG, reference is first made to the relevant statements by the labor court regarding BI1 of the reasons for the decision. In addition, it should be pointed out that in the context of the civil proceedings listed here, data protection violations should not be examined ex officio, but the plaintiff, through his presentation in the context of the disposition maxim, determines the subject of the dispute, which is to be examined for a possible violation in the above-mentioned sense. The applicant has rightly pointed this out.
147
aa) The uniformity of the aim of the action is not sufficient to accept a single object of dispute. Rather, the plea must also be identical (BAG 19.11.2019 - 3 AZR 281/18, juris Rn. 45). All facts are to be counted as grounds for the claim, which, in the case of a natural, from the point of view of the parties and the nature of the facts, belong to the complex of facts to be decided, which the plaintiff submits to the court in support of his request for legal protection. The object of dispute thus covers all substantive claims that can be derived from the facts of the life submitted for decision in the context of the submitted application. This applies regardless of whether the individual facts of life have been brought forward by the parties or not, and also regardless of whether the parties knew the facts of the life process that were not presented in the preliminary process at that time and could have put them forward (BAG 19.11.2019 op. cit. margin no. 45).
148
bb) The fact that the appraisal on behalf of the health insurance company by the doctor Dr. I. took place, which, like him, is assigned to the protected area. He further complains that the doctor has contacted the doctor treating him without his consent and not in writing using the envelope procedure, but by telephone. In contrast to the material claim for damages, he further complains that the expert opinion was saved in the protected area, with the consequence that the expert opinion was visible to his colleagues. The plaintiff has made it sufficiently clear that the alleged data protection violation should depend on abstract visibility, but not to the actual inspection of the expert opinion by Mrs. T. To the conviction of the Chamber, the circumstances mentioned by the plaintiff concern a uniform complex of facts, namely those circumstances which arise in the "normal" way of processing the expert opinion order, i.e. from the distribution of the expert opinion to Dr. I., the execution of the expert opinion by her and the final storage of the expert opinion. It is a uniform activity of processing the personal data of the plaintiff within the meaning of Art. 4 No. 2 GDPR.
149
b) The chamber no longer had to examine the factual jurisdiction of the labor jurisdiction with regard to the fact that the defendant acted as a medical service within the framework of health insurance law and that there was an employment relationship between him and the plaintiff in accordance with section 17a (5) GVG. There is no exclusive deviating factual jurisdiction. Art. 82 (6) GDPR in conjunction with Art. 79 (2) GDPR concerns only the international competence that is not in doubt here, while the national competence is based on the laws of the member states (Bergt in Kühling / Buchner, DS-GVO, BDSG, 2. Edition 2018, Art. 79 GDPR marginal no. 15).
150
2. The application for 1. is unfounded. The claimant is not entitled to claim damages from Article 82 (1) GDPR or from Article 823 (1) of the German Civil Code (BGB) because of injury to his health or from Article 823 (1) BGB in conjunction with Article 2 (1), Article 1 (1). 1 GG in connection with violation of his general right of personality.
151
a) The plaintiff cannot demand compensation from the defendant in accordance with Art. 82 Para. 1 GDPR for the allegedly incurred intangible damage.
152
aa) According to Art. 82 Para. 1 GDPR, any person who has suffered material or immaterial damage as a result of a violation of the GDPR has the right to compensation against the person responsible or against the processor. The claims for compensation for material and immaterial damage are two different issues (cf. in this respect to § 15 Paragraph 1 and 2 AGG BAG 16.02.2012 - 8 AZR 697/10, juris Rn. 21). With the claim for 1., the plaintiff asserted the object aimed at payment of compensation for the alleged intangible damage. According to Article 82 (1) of the GDPR, such compensation requires that there be a violation of the GDPR. It can remain open whether this only refers to violations of the GDPR itself or also violations of national law which serve to clarify the GDPR (see with reference to recital 146 HK-DS-GVO / BDSG / Schwartmann / Keppeler / Jacquemain, 2018, Art. 82 GDPR marginal no. 5). The court is convinced that there is no violation in either respect. It can remain open whether the scope of application of EU law is open at all in view of the fact that this - also - concerns legal norms of health insurance law. This is irrelevant because the validity of the GDPR in the law of statutory health insurance pursuant to Section 35 (2) SGB I applies by virtue of federal law (see BSG 18.12.2018 - B 1 KR 40/17 R, juris Rn. 29 ff.; BSG 18.12.2018 - B 1 KR 31/17 juris Rn. 14 f.).
153
bb) The processing of the personal data by the expert opinion regarding the plaintiff, which - as follows from Art. 82 Para. 2 Clause 1 GDPR - falls within the scope of the claim for compensation from Art. 82 Para. 1 GDPR, has been lawful. It does not violate the provisions of the GDPR, nor does it violate national law. To the Chamber's conviction, the plaintiff therefore has no right to compensation under Article 82 (1) GDPR.
154
(1) The test criteria for the legality of the collection of the plaintiff's health data are Art. 6 GDPR and Art. 9 GDPR. Both regulations apply side by side. Art. 6 GDPR contains the general legality requirements for data processing, which is basically only given if one of the conditions specified in Art. 6 Para. 1 GDPR is met. Art. 9 GDPR contains a prohibition with a reservation of permission (Art. 9 Para. 2 GDPR) for health data, and additional requirements for processing for certain purposes (Art. 9 Para. 3 GDPR). With regard to the fact that Art. 9 GDPR contains special additional requirements for the processing of health data, among other things, and at the same time Art. 6 GDPR in Art. 6 Para. 4 Letter c GDPR refers to Art. 9 GDPR, that in addition to the exception for the legality of data processing of health data, the general legality requirements from Art. 6 GDPR must also be met. This is different only if the content regulation in Art. 9 GDPR does not allow recourse to Art. 6 GDPR (Albers / Veit in Wolff / Brink BeckOK, data protection law, 31st edition 01.11.2019 Art. 9 GDPR marg. 24; in this respect also HK-DS-GVO / BDSG / Jaspers / Schwartmann / Mühenbeck loc. cit. Art. 9 DS-GVO Rn. 20; Wedde in Däubler / Wedde / Weichert / Sommer, EU-GDPR and BDSG, 2nd edition 2020, Art. 9 GDPR marginal 3).
155
(2) The legality of the data processing does not result from the consent of the plaintiff (Art. 6 Para. 1 Sentence 1 Letter a GDPR or Art. 9 Para. 2 Letter a GDPR). There is no such. However, this does not mean that the data processing was unlawful. In the present case, the expert opinion was legal without the plaintiff's consent.
156
(3) First of all, the general requirements from Art. 6 GDPR are met. The Labor Court correctly assessed this in its decision-making reasons to convince the Chamber, which the Chamber has already pointed out in its decision of September 25, 2019. The Chamber sees no reason to assess the legal aspects within the application of Art. 6 GDPR and the national law that has been passed differently than the Labor Court and expressly and largely adopts its statements in this respect.
157
(3.1.) According to Art. 6 Para. 1 Sentence 1 Letter c GDPR, the processing of personal data is lawful if it is necessary to fulfill a legal obligation to which the controller is subject. According to Art. 6 Para. 2 GDPR, the member states can maintain or introduce more specific provisions to adapt the application of the requirements of the GDPR regarding processing to fulfill Art. 6 Para. 1 Sentence 1 Letter c GDPR by specifying more precisely the requirements for processing and other measures to ensure lawful and fair processing, including for other special processing situations in accordance with Chapter IX GDPR. The legal basis for processing in accordance with Art. 6 para. 1 sentence 1 letter c GDPR is accordingly also determined by the law of the member states to which the controller is subject (Article 6 (3) sentence 1 letter b GDPR). The purpose of the processing must be laid down in this legal basis (Art. 6 Para. 3 Clause 2 GDPR). It may also contain specific provisions to adapt the application of the provisions of the GDPR, including provisions on which general conditions apply to the regulation of the lawfulness of processing by the controller, which types of data are processed, which persons are affected, and to which institutions and for what purposes the personal data may be disclosed, what purpose they are subject to, how long they may be stored and which processing operations and procedures may be used, including measures to ensure lawful and fair processing, such as those for other special processing situations in accordance with Chapter IX GDPR (Art. 6 Para. 3 Sentence 3 GDPR). The law of the member states must pursue a goal that is in the public interest and must be proportionate to the legitimate purpose pursued (Art. 6 Para. 3 Clause 4 GDPR). These requirements are met.
158
(3.2.) The processing of the plaintiff's personal data in connection with the preparation of the report was necessary to fulfill a legal obligation within the meaning of Art. 6 Para. 1 Clause 1 GDPR. Pursuant to section 275 (1) sentence 1 number 3 letter b SGB V, health insurers are obliged, in legally determined cases or if it is necessary based on the type, severity, duration or frequency of the illness or the course of the illness, to obtain an expert opinion from the N. Dienst in the event of inability to work in order to eliminate doubts about the inability to work. These requirements are met, even if none of the examples listed in Section 275 (1a) sentence 1 SGB V is present. The list is not exhaustive ("in particular") (Berchtold / Huster / Rehborn, health law, 2nd edition 2018, § 275 SGB V marg. 26). In giving substance to the concept of the necessity of obtaining an expert opinion from the N. Service of the health insurance company, the guidelines for action are both the optimization of the benefits and the examination of the benefits (Becker / Kingreen, SGB V, Statutory Health Insurance, 6th edition 2018, § 275 marginal 7). The plaintiff had been continuously ill since November 22, 2017. He received sick pay from May 24, 2018. The aspect of "duration of incapacity for work" according to § 275 Paragraph 1 Clause 1 SGB V is therefore addressed. There is no objection if the health insurance company then promptly calls in the N. service of the health insurance company (cf. § 275 para. 1a sentence 2 SGB V) to check the requirements for the benefit.
159
(3.3.) The legal basis for the processing of the plaintiff's personal data is laid down in § 276 Paragraph 2 Clause 1 and Clause 3 SGB V. It meets the requirements of Art. 6 Para. 3 Clauses 2 and 4 GDPR.
160
(3.3.1.) The medical service may collect and store social data in accordance with section 276 (2) sentence 1 SGB V, insofar as this is necessary for the examinations, advice and expert opinions in accordance with sections 275 SGB V to 275d SGB V. According to Section 276 (2) Sentence 3 SGB V, the lawfully collected and stored social data may only be processed or used for the purposes specified in Section 275 SGB V, and for other purposes only insofar as this is ordered or permitted by the legal provisions of the Social Code. According to Section 67 Paragraph 2 Sentence 1 SGB X, social data are personal data (Art. 4 No. 1 GDPR) that are processed by a body named in Section 35 SGB I with regard to its tasks under this Code. The medical service is also one of the bodies named in § 35 SGB I, previously as a working group of service providers within the meaning of Section 35 (1) sentence 4 SGB I (Section 278 (1) sentence 1 SGB V as of December 31, 2019) and since 01.01.2020 as a public law association named in the Social Code (Section 278 (1) sentence 1 SGB V as of January 1, 2020, according to which the medical service is no longer a working group but is established as a corporation under public law). According to Art. 4 No. 1 half sentence 1 GDPR, personal data is all information that relates to an identified or identifiable natural person.
161
(3.3.2) Section 276 (2) sentences 1 and 3 SGB V meet the requirements of Article 6 (3) sentences 2 and 4 GDPR. With the examinations, advice and expert opinions according to § 275 SGB V, they determine the purpose of the processing. This is a goal in the public interest. The regulations are also proportionate to this purpose. They only allow the collection and storage of personal data insofar as this is necessary for this purpose, and the processing and use of personal data only if the data are lawfully collected and stored, for the purposes specified in § 275 SGB V or for other purposes insofar as this is ordered or permitted by legal provisions of the Social Code.
162
(3.4.) The processing of the plaintiff's data in connection with the preparation of the expert opinion by the defendant on behalf of his health insurance company fulfills the requirements of Section 276 (2) sentences 1 and 3 SGB V.
163
(3.4.1.) The defendant has collected and saved the plaintiff's personal data for an expert opinion in accordance with section 275 (1) sentence 1 number 3 letter b of the Social Code Book V. Data collection and storage were necessary for this. It is necessary to collect social data if the corresponding task cannot be carried out without the collection (jurisPK-SGB V / Strack 3rd ed. § 276 para. 13). That is the case here. The expert opinion could not have been prepared without the collection and storage of the data. The plaintiff's consent to the obtaining of the information from the doctor treating him is not required (Becker / Kingreen loc. cit. § 276 para. 4). This is in line with Art. 6 GDPR because the data collection according to Art. 6 para. 1 sentence 1 letter c GDPR is lawful without the consent of the person concerned.
164
(3.4.2.) Contrary to the plaintiff's view, the defendant, through Dr. I., was allowed to call the doctor treating him by phone and ask him for information for the purpose of preparing the report. The legal basis is Section 276 (2) sentence 2 SGB V. If the health insurance companies or the medical service have requested the insured-related data required for an expert opinion or examination in accordance with Section 275 (1) to (3) SGB V from the service provider, this regulation obliges the service provider to transmit this data directly to the N. Dienst. The handling procedure used by the plaintiff has nothing to do with the question of a phone call from Dr. I. directly to the treating doctor. It is true that the handling procedure is no longer permitted. However, this concerned the problem that the health insurance companies could request documents from the service providers for the N. service. In this respect, it was not ensured that the data became known only to the N. Dienst and not to the health insurance companies (see also Becker / Kingreen loc. cit. § 276 para. 6; Heberlein in BeckOK social law, Rolfs / Giesen / Kreikebohm / Udsching, 55th edition 01.12.2019, § 276 SGB V Rn. 68 ff.). That is not the point here. According to § 276 Para. 2 Clause 2 SGB V, if the request comes from the N. service (but also from the health insurance company, which is not the issue here), the service provider, ie the treating doctor (see Heberlein in BeckOK social law loc. cit. § 276 SGB V Rn. 53), has to transmit the data directly to the N. Dienst. It was exactly the same here. Dr. I. requested, for the defendant as a medical service, the data for the purpose of drawing up an opinion on the plaintiff's incapacity to work in accordance with Section 275 (1) of the Social Code Book V, and the treating doctor immediately communicated it to the defendant as a medical service, ie transmitted it.
Section 276 (2) sentence 2 SGB V does not contain any substantive requirements regarding the form of transmission and does not exclude direct telephone transmission. It may be that treatment documents are regularly provided (Becker / Kingreen, loc. cit. § 276 para. 6 "as a rule"; Heberlein in BeckOK social law loc. cit. § 276 SGB V para. 84: "The data will regularly be bound to the usual written documents"). However, this does not mean that verbal information by telephone may not be sufficient in individual cases. It is crucial that the obligation to transmit extends to the information that is necessary for the proper completion of the expert opinion (Heberlein in BeckOK social law loc. cit. § 276 SGB V Rn. 84). In this respect, it may be sufficient for the purpose of the expert opinion if, in view of the facts, a brief telephone inquiry to the attending doctor is made. If the appraiser is convinced that this is sufficient to fulfill the purpose of the appraisal, there is no reason to request any documents in writing. This also has advantages in the interests of the insured, because simple cases of doubt like this can be answered promptly and quickly. The expert called the doctor on June 21, 2018. The report was created just one day later on June 22, 2018 with the result that there is temporary incapacity to work, so any doubts have been resolved. The purely hypothetical possibility that a doctor, contrary to his medical obligation, asks other questions that are not part of the expert opinion does not lead to the telephone information being banned in simple cases, especially since the content of the call - as it happened - must be documented. This result is further supported by the fact that the service provider's obligation to transmit is linked to the collection by the medical service of the data which are to be transmitted as requested data. However, the collection of data is to be understood broadly (Section 67 (1) SGB X in conjunction with Art. 4 No. 2 GDPR).
And finally, Section 276 (2) sentence 2 of the Social Code Book V can be understood as a statutory regulation that establishes the doctor's obligation to provide information within the meaning of Section 100 (1) sentence 1 no. 1 SGB X (see also Becker / Kingreen loc. cit. § 276 para. 6). Information does not have to be in writing.
165
(3.5) The defendant was allowed to collect and store the personal data, even though he is the plaintiff's employer. This follows by converse inference from Section 35 (1), third sentence, SGB I. According to this, social data of employees and their relatives must neither be accessible to persons who can make personnel decisions or participate in them, nor be passed on to them by authorized persons. This obligation presupposes that employees' social data may be collected and stored at all.
166
(3.6.) The plaintiff's legally collected and stored personal data have only been processed or used for the purposes specified in § 275 SGB V. They were used to prepare the expert opinion dated June 22, 2018.
167
(3.7.) The processing of the plaintiff's personal data satisfied the specific provision of Section 276 (2) sentence 7 SGB V.
168
(3.7.1.) According to this regulation, technical and organizational measures must be taken to ensure that the social data are only accessible to those who need them to perform their tasks. This is a specific provision for the protection of social secrecy, which includes the obligation to ensure, even within the service provider, that the social data is only accessible to authorized persons or is only passed on to them (Section 35 (1) sentence 2 SGB I and for the defendant in conjunction with Section 35 para. 1 sentence 4 SGB I). This obligation requires an employee-related consideration. The medical service of the health insurance company should not be considered a "competence unit" under data protection law, but should be viewed in a differentiated manner in relation to employees (see Krauskopf / Pewestorf, Social Health Insurance, as of September 2019, § 97 SGB XI Rn. 32 on the area of data in long-term care insurance). Section 35 (1) sentence 3 of Book I of the Social Code, as a specific form of this obligation (Gutzler in BeckOK Social Law, loc. cit. Section 35 of Book I of Social Code I, para. 33), stipulates that the social data of employees and their relatives must neither be accessible to persons who make personnel decisions or can participate in them, nor be passed on to them by authorized users.
169
(3.7.2.) The defendant meets these requirements. The personal data was only accessible to people who needed it to perform their tasks. It is true that the plaintiff complained that the request for the opinion was not received directly in the protected area. The defendant received the order for the expert opinion by post, and it was assigned directly to the protected area by the responsible clerk. This is a process necessary for the fulfillment of tasks. The expert opinion was then processed within the protected area using the Ismed 3 system. This could not be accessed at will, but an appropriate access right was required, which was obtained through the use of a software certificate (sections 6 and 7 DV Ismed 3). The access rights were determined by assigning rights and roles. According to the role concept for Ismed 3, the sum of various individual rights was reflected in the roles. There were first the roles related to the occupational groups. This ensures that each occupational group can only access the data that it needs for its occupational group-specific tasks. For example, an administrative assistant can create orders, record documents, process and forward expert reports. An appraiser creates assigned appraisals. He also has the appraisal function, which grants the approval authorization for appraisals. There is also a location-based authorization. There was the virtual location "Special Case" for the processing of reports from employees and their relatives. Only the 36 employees of the protected area, ie the work organization that was responsible for processing the reports of employees and their relatives, could access the personal data in connection with the creation and storage of the plaintiff's report. It is correct that there was no further internal local splitting of the authorization for the 36 employees of the protected area, because there was only one virtual area "special case".
However, this does not mean that all 36 employees within the "special case" area had access to all data. The differentiation was made through the occupational group-specific role. Each employee in the protected area only had access within the scope of the respective task that he had to perform as a member of his occupational group. It is correct that the role concept itself does not provide any further subdivision within the protected area. However, the access authorization was again divided according to section 3.2 DA social data in connection with the access concept. This is enough to convince the Chamber. However, it is correct that the area of the IT department in the protected area is uniform and is indisputably responsible for the entire protected area. This is precisely what the plaintiff criticizes. Due to the task of the IT staff, they were able to access the entire data of the protected area and thus also the plaintiff's report - as proven by the access by Ms. T. This basic access to the entire database of the protected area is necessary for the fulfillment of tasks as an IT department. To the Chamber's conviction, the defendant has taken sufficient organizational measures within the meaning of section 276 (2) sentence 7 SGB V. On the one hand, the defendant's employees are obliged to maintain social secrecy and are instructed and trained accordingly. The protection of social secrecy also means within the defendant that the social data are only accessible to authorized persons (Section 35 (1) sentence 2 in conjunction with sentence 4 SGB I). In addition, the defendant has issued the DA social data, which stipulates in section 3.2 that only employees who gain knowledge of the social data due to their employment contract are entitled to access. In turn, the authorized users may only use the social data for the processing purposes provided in accordance with Section 4 Paragraph 2 DA.
This makes it clear for every IT employee that he can access the social data within the protected area, but that he may only do this if this is necessary under the employment contract. A mere access out of pure curiosity or for another reason not related to the task is not permitted and is prohibited by social secrecy and the DA social data. The fact that the other IT employees are colleagues of the plaintiff and that he, as an IT employee, is also responsible for Dr. I. is a question that arises in the context of the examination of Art. 9 GDPR. The plaintiff's data in question were not accessible to persons who make personnel decisions or can participate in them.
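The access concept described in this paragraph can be sketched as follows; this is an added illustration, not part of the judgment and not the Ismed 3 implementation. The right names, the `task_ref` field, the review rule and all sample data are assumptions: the technical check combines occupational-group role and virtual location, while IT access that the role permits is only logged and queued for review against the task-related rule of the DA social data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Individual rights bundled per occupational-group role (names are assumptions).
ROLE_RIGHTS = {
    "administrative_assistant": {"create_order", "record_document", "forward_report"},
    "appraiser": {"write_report", "approve_report"},
    # IT staff technically reach all data of the protected area.
    "it_staff": {"read_report", "maintain_system"},
}

@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    locations: frozenset  # virtual locations the employee is assigned to

@dataclass(frozen=True)
class Report:
    report_id: str
    location: str            # e.g. "special_case" for reports on employees
    assigned_appraiser: str

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def write(self, employee, action, report, allowed, task_ref):
        # Record who attempted which action on which report, and the outcome.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "who": employee.name,
            "role": employee.role,
            "action": action,
            "report": report.report_id,
            "allowed": allowed,
            "task_ref": task_ref,
        })

def authorize(employee, action, report, log, task_ref=None):
    """Technical check: location-based authorization AND role right."""
    in_location = report.location in employee.locations
    has_right = action in ROLE_RIGHTS.get(employee.role, set())
    # An appraiser only writes the reports assigned to him.
    if employee.role == "appraiser" and action == "write_report":
        has_right = has_right and report.assigned_appraiser == employee.name
    allowed = in_location and has_right
    log.write(employee, action, report, allowed, task_ref)
    return allowed

def it_accesses_to_review(log):
    """Organizational check: allowed IT access without a recorded task.

    The role cannot tell task-related access from curiosity, so such
    entries are handed to a reviewer instead of being blocked.
    """
    return [e for e in log.entries
            if e["role"] == "it_staff" and e["allowed"] and not e["task_ref"]]

def demo():
    # Constructed sample data, not taken from the case file.
    special = frozenset({"special_case"})
    report = Report("R-1", "special_case", assigned_appraiser="appraiser_a")
    log = AuditLog()
    attempts = [
        (Employee("hr_manager", "personnel_decider", frozenset()), "read_report", None),
        (Employee("appraiser_a", "appraiser", special), "write_report", None),
        (Employee("appraiser_b", "appraiser", special), "write_report", None),
        (Employee("assistant", "administrative_assistant", special), "forward_report", None),
        (Employee("it_admin", "it_staff", special), "read_report", "TICKET-17"),
        (Employee("it_colleague", "it_staff", special), "read_report", None),
    ]
    decisions = {e.name: authorize(e, action, report, log, ref)
                 for e, action, ref in attempts}
    return decisions, it_accesses_to_review(log)

if __name__ == "__main__":
    decisions, flagged = demo()
    print(decisions)
    print([e["who"] for e in flagged])
```
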
170
(4) To the Chamber's conviction, the special requirements that Art. 9 GDPR places on the processing of health data have also been met with regard to the data processing for the opinion on the plaintiff. This is where the plaintiff's appeal comes into play. He rightly points out the particular need for protection of the health data processed here, which is subject to special requirements with regard to the aspects of necessity and proportionality. In principle, this is correct. These specific requirements are met in the specific case.
171
(4.1) Art. 9 GDPR contains a prohibition of processing, subject to permission in the cases mentioned in Art. 9 Para. 2 and 3 GDPR, for the personal data mentioned in Art. 9 Para. 1 GDPR. In addition, according to Article 9 (4) GDPR, Member States can also introduce or maintain additional conditions, including restrictions, for health data. The plaintiff's data in question is health data. Health data are personal data that relate to the physical or mental health of a natural person, including the provision of health services, and from which information about their state of health can be derived (Art. 4 No. 15 GDPR). This category of data is affected here because, as the content of the report shows, it is about the confirmation of a certain designated diagnosis, the indication of the related information and the result, namely the assessment of the inability to work from a medical point of view.
172
(4.2.) The processing of the health data in question here is lawful on the basis of Article 9 (2) (b) GDPR in conjunction with Article 9 (2) (h) GDPR. To the Chamber's conviction, the two regulations overlap and are in any case to be applied cumulatively in the specific case of an expert assessment of the inability to work by a medical service of the health insurance company.
173
(4.2.1.) According to Article 9 (2) (b) GDPR, the processing of health data is permitted if it is necessary so that the person responsible can exercise his rights arising from the law of social security and social protection and fulfill his obligations in this regard. This applies insofar as this is permissible under Union law or the law of the member states or a collective agreement under the law of the member states, which provides suitable guarantees for the fundamental rights and interests of the data subject. The right to social security and social protection covers in particular the provision of social benefits and thus also that of statutory health insurance (HK-DS-GVO / BDSG / Jaspers / Schwartmann / Mühlenbeck loc. cit. Art. 9 DS-GVO Rn. 125; Wedde in Däubler / Wedde / Weichert / Sommer loc. cit. Art. 9 GDPR marg. 68). This covers the case in question here, which involves checking the conditions for receiving sickness benefit, namely the inability to work, by the defendant as a medical service on behalf of the plaintiff's health insurance. In terms of content, Article 9 (2) (b) GDPR contains two requirements. On the one hand, the processing of health data must be necessary for the purposes of this provision. On the other hand, a - here - national provision is required, which permits processing and which at the same time provides for the special requirements in the form of suitable guarantees for fundamental rights and the interests of the data subject.
174
(4.2.2.) Article 9 (2) (h) GDPR confirms the provision of Article 9 (2) (b) GDPR in relation to the health sector (Weichert in Kühling / Buchner, DS-GVO, BDSG, 2nd edition 2018, Art. 9 GDPR marginal no. 60). The two provisions overlap precisely with regard to health data (Wedde in Däubler / Wedde / Weichert / Sommer loc. cit. Art. 9 GDPR margin no. 68). The processing for the assessment of the employee's ability to work is expressly addressed here. It is irrelevant in this regard that the assessment concerns the question of inability to work as a prerequisite for a benefit. The concept of ability to work is comprehensive, ie it should also be understood in a negative sense. The assessment of the ability to work does not only refer to a possible legal relationship with the employer, but also includes that with the social service provider. This is evidenced by the overall context of the exception. Health or social care or treatment is also mentioned, as is the management of health and social care systems and services. In this respect, the statutory health insurers including the medical service are also included (Wedde in Däubler / Wedde / Weichert / Sommer loc. cit. Art. 9 GDPR marginal no. 124). The data exchange between social security institutions is also covered by occupational medicine, which is likewise mentioned (Weichert in Kühling / Buchner, DS-GVO, BDSG, 2nd edition 2018, Art. 9 DS-GVO Rn. 113 at the end). The medical diagnosis also affected here is also mentioned in Article 9 (2) (h) GDPR. Art. 9 para. 2 letter h GDPR requires a - here - national provision as the basis for processing and the corresponding necessity. Article 9 (3) GDPR restricts the very broadly worded provision in terms of personnel by allowing the handling of the sensitive data only (according to Union law or the law of the member states) by specialist personnel who are subject to professional secrecy or other confidentiality obligations. This is an example of a "suitable guarantee" or "appropriate measure", as they are also required in other circumstances of admissibility (Albers / Veit in BeckOK data protection law loc. cit., Art. 9 GDPR marginal no. 80).
175
(4.2.3.) The provisions of Article 9 (2) (b) and (h) GDPR have to be met cumulatively for the case of checking incapacity for work within a social security system. This is supported by the fact that Article 9 (2) (b) GDPR within Article 9 (2) GDPR regulates the basic requirements for the processing of particularly sensitive data within the framework of social security law. For special and specific areas, Art. 9 (2) (h) GDPR then contains separate requirements with the special requirement that results from Art. 9 (3) GDPR. It is not evident why the member state regulation, in the case that provides for such special security, should not at the same time meet the requirements of Art. 9 (2) (b) GDPR, ie provide generally appropriate safeguards for the fundamental rights and interests of the data subject. It must be taken into account that Article 9 (3) GDPR already regulates such a guarantee.
176
(4.3.) The requirements set out in Article 9 (2) (b) and (h) GDPR in conjunction with Article 9 (3) GDPR and in conjunction with the national provisions (Article 9 (4) GDPR) have been met.
177
(4.3.1.) The data processing is, first of all, necessary within the meaning of Article 9 (2) (b) GDPR. The necessity for the fulfillment of obligations arising from the law of social security and social protection addresses in particular the provision and settlement of social benefits and the data necessary in this context (Albers / Veit in BeckOK data protection law loc. cit. Art. 9 GDPR margin no. 54). The assessment of the plaintiff's inability to work for the purpose of checking the sickness benefit was, as stated, necessary because of the length of the inability to work. The associated diagnostics and data processing were also necessary because otherwise the expert opinion would not have been created and the conditions for receiving the benefits could not have been checked.
178
(4.3.2) There are national regulations that allow the processing of the health data in question in connection with the preparation of the expert opinion regarding the plaintiff's incapacity to work. These are the provisions of § 275 Paragraph 1 Clause 1 No. 3 Letter b SGB V and § 276 Paragraph 2 Clauses 1, 3 and 7 SGB V, which were mentioned in the examination within the scope of Art. 6 GDPR. Reference is made to the above statements on Art. 6 GDPR in this regard.
179
(4.3.3.) The requirements of Art. 9 Para. 3 GDPR are met. According to this provision, the processing of the data must be carried out by specialist personnel who are subject to professional secrecy in accordance with the law of a Member State or the regulations of national competent authorities, or the processing must be subject to a duty of confidentiality in accordance with the law of the Member State or the regulations of competent authorities. This is the case, first, for the doctor Dr. I. She is subject to medical confidentiality, which is a professional secret within the meaning of Article 9 (3) GDPR, because it is protected by criminal law in accordance with Section 203 (1) No. 1 of the Criminal Code and is also contained in the professional regulations for doctors (cf. § 9 of the (model) professional regulations for the doctors working in Germany) (Weichert in Kühling / Buchner loc. cit. Art. DS-GVO Rn. 139; HK-DS-GVO / BDSG / Jaspers / Schwartmann / Mühlenbeck loc. cit. Art. 9 DS-GVO Rn. 206). But the requirement of Art. 9 para. 3 GDPR is also met for the other persons at the N. who were involved in the implementation of the expert opinion, whether in the first assignment to the protected area by the first clerk or as assistants of the protected area. As stated, these employees, as employees of the defendant as the medical service of the health insurance companies, are subject to social secrecy, which also applies within the N. service. Social secrecy in accordance with Section 35 (1) SGB I is either already professional secrecy within the meaning of Art. 9 (3) GDPR (Weichert in Kühling / Buchner loc. cit. Art. 9 DS-GVO Rn. 142; HK-DS-GVO / BDSG / Jaspers / Schwartmann / Mühlenbeck loc. cit. Art. 9 GDPR marg. 206) or another duty of confidentiality within the meaning of Art. 9 Para. 3 GDPR.
180
(4.3.4.) This does not exhaust the examination mandate that Article 9 (2) GDPR places on the body applying the law. As stated, the national regulations must provide suitable guarantees for the fundamental rights and interests of the data subject (Article 9 (2) (b) GDPR). In addition, the national legislator can impose further requirements in accordance with Article 9 (4) GDPR. The German legislature has not only issued specific protection regulations for the area of social data, such as those found in Section 276 (2) sentence 7 SGB V. The basic provision for the collection of social data is Section 67a (1) SGB X. In general, data collection is then permitted if knowledge of the data is required to fulfill a task of the collecting agency under the Social Code - as here - (Section 67a (1) sentence 1 SGB X). As a further requirement within the meaning of the guarantees required by Article 9 (2) (b) GDPR, Section 67a (1) sentence 3 SGB X provides, for the collection of special categories of personal data within the meaning of Article 9 (1) GDPR, for the corresponding application of Section 22 Paragraph 2 BDSG, which is based on Article 32 Paragraph 1 GDPR. According to this provision, appropriate and specific measures must be taken to safeguard the interests of the data subject. Taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of processing, as well as the different likelihood of occurrence and severity of the risks associated with processing for the rights and freedoms of natural persons, these include, in particular, the following non-exhaustively listed measures: technical and organizational measures to ensure that processing takes place in accordance with the GDPR (Section 22 Paragraph 2 Clause 2 No. 1 BDSG), measures that ensure that it can be subsequently checked and ascertained whether and by whom personal data have been entered, changed or removed (Section 22 (2) Sentence 2 No. 2 BDSG), awareness-raising of those involved in processing operations (Section 22 (2) Sentence 2 No. 3 BDSG), restriction of access to personal data within the responsible body and by processors (Section 22 Paragraph 2 Sentence 2 No. 5 BDSG), pseudonymization of personal data (Section 22 Paragraph 2 Sentence 2 No. 6 BDSG) and encryption of personal data (Section 22 Paragraph 2 Sentence 2 No. 7 BDSG). § 22 para. 2 BDSG is flexible and provides the responsible persons with a (non-conclusive) framework for orientation (Albers / Veit in BeckOK data protection law, cf. Art. 9 GDPR marginal no. 96; see BAG 09.04.2019 - 1 ABR 51/17, juris marginal no. 48), unless special requirements are to be met here. The adjudicating Chamber informed the defendant of this by decision of September 25, 2019 and gave him the opportunity to make submissions. Insofar as - as here - the social data is not collected from the data subject, Section 67a (2) sentence 2 SGB X must also be observed. These requirements are met.
181
(4.3.4.1.) Contrary to the plaintiff's view, it is not inadmissible that the defendant, as the plaintiff's employer, conducts the assessment, even when measured against these specific requirements. It is also not inadmissible that the assessment is carried out by Dr. I., whom the plaintiff, as an IT employee, also looks after at times. Such a prohibition cannot be derived from Art. 9 GDPR for health data, which is at issue here. Overall, the plaintiff is of the opinion that cooperation within the business prevents the collection of his health data. The Chamber does not follow this. Such a general approach as the plaintiff advocates cannot be derived from Art. 9 GDPR. For example, occupational medicine is also mentioned in Article 9 (2) (h) GDPR. It concerns the triangular relationship between employer, employee and medical personnel, in particular the company doctor (Weichert in Kühling / Buchner loc. Cit. Art. 9 DS-GVO Rn. 111; HK-DS-GVO / BDSG / Jaspers / Schwartmann / Mühenbeck loc. Art. 9 DS-GVO marg. 177). A company doctor does not have to be a third party from outside the company, but can also be employed by the employer as an employee (cf. § 2 (3) sentence 2 ASiG and BAG 24.03.1988 - 2 AZR 369/87, juris). He can therefore also know the workers employed in the company as "colleagues" without being prohibited from collecting or taking note of their health data. And the works council, which consists of "colleagues", can also have knowledge of health data, provided that it takes appropriate and specific protective measures within the meaning of Section 22 (2) BDSG to safeguard the interests of the employees affected by data processing (see BAG 09.04.2019 - 1 ABR 51/17, juris Rn. 40). The Chamber is satisfied that these requirements have been adequately met.
182
(4.3.4.2.) This concerns the aspect that colleagues can gain knowledge of the health data. The defendant as a medical service, in which - as in the case of the plaintiff - social data in the form of health data can be processed on the basis of the request from his health insurance company, saw this problem and reacted to it through the DA social data, creating an internal organizational measure that restricts the group of people who deal with the social data of its own employees. In general, these data are not processed like all other social data within the defendant, but are assigned to the protected area, the organizational unit "Special Case". This is already an organizational limitation. The problem in this case is that the plaintiff himself is one of the 36 employees in the protected area. This is also regulated in Section 4 of the DA Social Data. According to this, employees may in principle not be assessed at their place of employment. The documents may not be kept there and the data may not be stored there. There is then a special regulation for the use of Ismed 3, which is relevant here. The named employees of the organizational unit "Special Case" in E. are responsible for all employees who work at the E. location. The employees of the organizational unit "Special Case" in E. are responsible for employees at the other locations. This is a geographical separation that creates a certain "distance" between the people who deal with the health data. The Chamber does not fail to recognize that the plaintiff, as an IT employee, is also responsible for the E. location and, as such, also has dealings with Dr. I. However, this does not change the fact that a spatial distance is created, because Dr. I. has her place of employment in E. and the plaintiff has his in E. Contrary to the plaintiff's view, it was not advisable to have every assessment carried out externally by the miners' social medicine service.
It is correct that, if a physical examination is required, the defendant's own employee is assessed by the miners' social medicine service in accordance with section 5.5 DA social data. The Chamber is convinced that this gradation is justifiable. The physical examination of an employee represents a significantly more serious intervention in the personality sphere of the employee than an assessment based on the file. This differentiation is understandable and meets the requirements of Section 22 (2) BDSG.
183
(4.3.4.3.) However, the fundamental problem that the plaintiff is an IT employee and that the colleagues in the IT department from the protected area were able to inspect the expert opinion has not yet been solved. In the context of Art. 9 Para. 2 GDPR in conjunction with Section 22 Para. 2 BDSG, comparable explanations apply in principle to Art. There are appropriate and specific measures within the meaning of Section 22 (2) BDSG. An example of such a measure is - as stated - the requirement derived from Art. 9 Para. 3 GDPR that only professional personnel who are subject to professional secrecy may process the health data. This is the case here due to medical and social secrecy. This alone is not sufficient within the meaning of Section 22 (2) BDSG, but it must be taken into account as a first step in assessing whether the defendant has taken appropriate and specific measures. The Chamber is satisfied that the above measures have been taken to a sufficient extent. First of all, access within the defendant is restricted (Section 22 Paragraph 2 Clause 2 No. 5 BDSG). This is done through technical and organizational measures (Section 22 Paragraph 2 Clause 2 No. 1 BDSG). The personal data was only accessible to people who needed it to perform their tasks, which also applies to the first clerk who manually assigned the health insurance's postal order to the protected area. Within the Ismed 3 system that was used for processing, access was not possible at will; an appropriate access right was required. This was implemented through the use of a software certificate (numbers 6 and 7 DV Ismed 3). The access rights were determined by assigning rights and roles. According to the role concept for Ismed 3, the sum of various individual rights was reflected in the roles. There were initially the roles related to the occupational groups. This ensures that each occupational group can only access the data that it needs for its occupational group-specific tasks.
For example, an administrative assistant can create orders, record documents, process and forward expert reports. An appraiser creates assigned appraisals. He also has the appraisal function, which grants the approval authorization for appraisals. There is also a location-based authorization. There was the virtual location "Special Case" for the processing of reports from employees and their relatives. Only the 36 employees of the protected area, i.e. the work organization that was responsible for processing the reports of employees and their relatives, could access the personal data in connection with the creation and storage of the plaintiff's report. It is correct that there was no further internal local splitting of the authorization for the 36 employees of the protected area, because there was only one virtual area "Special Case". However, this does not mean that all 36 employees within the "Special Case" area had access to all data. The restriction was implemented through the occupational group-specific role. Each employee in the protected area only had access within the scope of the respective task that he had to perform as a member of his occupational group. It is correct that the role concept itself does not provide any further subdivision within the protected area. However, the access authorization was again divided according to section 3.2 DA social data in connection with the access concept. The Chamber is satisfied that this is enough. However, it is correct that the area of the IT department in the protected area is uniform and is indisputably responsible for the entire protected area. Due to the task of the IT staff, they were able to access the entire data of the protected area and thus also the plaintiff's report - as proven by the access by Ms. T. This basic access to the entire database of the protected area is necessary for the fulfillment of tasks as an IT department.
The Chamber is satisfied that the defendant has taken sufficient organizational measures not only within the meaning of Section 276 (2) Sentence 7 SGB V, but also within the meaning of Section 22 (2) Sentence 2 No. 1 BDSG. In this respect, nothing else applies than already stated above. The corresponding sensitization according to Section 22 Paragraph 2 Clause 2 No. 3 BDSG took place because the defendant's employees were committed to social secrecy and were instructed and trained accordingly. The protection of social secrecy also means within the defendant that the social data are only accessible to authorized persons (Section 35 (1) sentence 2 in conjunction with sentence 4 SGB I). The defendant has also issued the DA social data, which stipulates in section 3.2 that only employees who gain knowledge of the social data due to their employment contract are entitled to access. According to Section 4 Paragraph 2 of the DV Social Data, the social data may only be used by the authorized users for the processing purposes provided. This makes it clear for every IT employee that he can access the social data within the protected area, but that he may only do this if this is necessary for the employment contract. Mere access out of pure curiosity or for another reason not related to the task is not permitted and is prohibited by social secrecy. In this respect, too, nothing else applies than already stated. This also makes it clear to every IT colleague of the plaintiff that he should not simply access the plaintiff's health data outside of his remit. In addition, the Ismed 3 system records in the attribute history and in the process history who carries out which action on the personal data (Section 8 DV Ismed 3). This is a measure within the meaning of Section 22 (2) Sentence 2 No. 2 BDSG.
This also explains why the defendant was able to determine who had accessed the file containing the plaintiff's opinion, by means of an evaluation carried out with the participation of the internal auditor and the staff council. Overall, the Chamber is satisfied that this ensures adequate protection within the meaning of Section 22 (2) BDSG, even if it is taken into account that IT colleagues in particular were technically able to inspect the report. There is no evidence that this would have happened if the plaintiff had not asked Ms. T. to look at his report. It is not evident that she would have done this outside the scope of her duties, contrary to the clear rules and in violation of social secrecy. Otherwise, it cannot be explained why, in the Chamber's view, the plaintiff presented the question of Ms. T.'s inspection in an at least misleading way. The use of the passive, namely that a person working in the IT area had advised him in a phone call that his health data could be viewed by at least 10 employees, gave the Chamber, in connection with the use of the term "whistleblower", the impression that this person had made this known to the plaintiff on her own initiative. The Chamber does not fail to recognize that the submission was not made in such positive terms. However, as stated, the plaintiff's statements in their specific wording were designed to create this false impression. At the last hearing, the Chamber openly communicated to the plaintiff that it was assuming an at least misleading presentation. The plaintiff did not contest the matter, but - as already in writing - fell back on the point that the inspection had never been presented as a factual basis for liability. That is correct, but it does not change the misleading submission. It does not change the fact that the resulting impression has to be considered in the overall assessment. The plaintiff's presentation shows that he himself does not assume that a person looks into his health data without a task-related reason.
Otherwise, the full facts could have been brought forward without further ado, namely that he called the colleague and she had confirmed his presumption at his request. The name could have been omitted, just as in the submission initially made in the proceedings. It is true that it is still possible for an IT colleague to inspect the file with the plaintiff's report because this is task-related, for example because the file is damaged and needs to be repaired. The Chamber is satisfied that this must be accepted, with due regard to social secrecy, because of the specifics of an IT department, which, as here, must have access to the entire IT system. Incidentally, even acknowledging that Dr. I. at times had dealings with the plaintiff, it is in no way apparent, or even to be feared, that she, as a doctor, would have put inadmissible further questions by phone to the doctor treating the plaintiff.
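The combination of measures weighed in (4.3.4.3.), namely occupational-group roles, a location-based authorization for the virtual location "Special Case", and a history that records who performed which action, can be sketched as follows. This is an added illustration, not code from the judgment or from Ismed 3; the action identifiers, user names, the `task_ref` field and the review rule for IT access are assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Occupational-group roles mapped to individual rights. Role names follow the
# judgment's description; the action identifiers are assumed for this sketch.
ROLE_RIGHTS = {
    "administrative_assistant": {"create_order", "record_document", "forward_report"},
    "appraiser": {"write_report", "approve_report"},
    # IT staff need technical access to the whole protected area.
    "it_support": {"read_report", "repair_file"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    locations: frozenset  # virtual locations the user is assigned to


@dataclass(frozen=True)
class Record:
    record_id: str
    location: str


@dataclass(frozen=True)
class HistoryEntry:
    when: datetime
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool
    task_ref: Optional[str]  # assumed field: ticket or order justifying the access


class ProtectedArea:
    """Role check plus location check; every attempt is written to the history."""

    def __init__(self) -> None:
        self.history: List[HistoryEntry] = []

    def access(self, user: User, action: str, record: Record,
               task_ref: Optional[str] = None) -> bool:
        allowed = (action in ROLE_RIGHTS.get(user.role, set())
                   and record.location in user.locations)
        self.history.append(HistoryEntry(datetime.now(timezone.utc), user.name,
                                         user.role, action, record.record_id,
                                         allowed, task_ref))
        return allowed


def review(history: List[HistoryEntry]) -> List[Tuple[str, str, str]]:
    """Subsequent check of the history: denied attempts, and permitted IT
    accesses that carry no task reference (assumed review rule)."""
    findings = []
    for entry in history:
        if not entry.allowed:
            findings.append((entry.user, entry.record_id, "denied"))
        elif entry.role == "it_support" and not entry.task_ref:
            findings.append((entry.user, entry.record_id, "no_task_reference"))
    return findings


def demo():
    """Constructed sample users and one constructed report record."""
    area = ProtectedArea()
    special = frozenset({"Special Case"})
    report = Record("R-1", "Special Case")
    assistant = User("assistant_a", "administrative_assistant", special)
    appraiser = User("appraiser_b", "appraiser", special)
    it_staff = User("it_c", "it_support", special)
    outsider = User("assistant_d", "administrative_assistant", frozenset({"Region 1"}))
    results = [
        area.access(appraiser, "write_report", report),      # role and location fit
        area.access(assistant, "approve_report", report),    # role lacks the right
        area.access(outsider, "create_order", report),       # wrong virtual location
        area.access(it_staff, "repair_file", report, task_ref="TICKET-1"),
        area.access(it_staff, "read_report", report),        # permitted, but unexplained
    ]
    return results, review(area.history)


if __name__ == "__main__":
    print(demo())
```

The last access is technically permitted, as the judgment accepts for an IT department, and only becomes visible through the evaluation of the history.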
184
(4.3.5.) The health data could also be collected without the plaintiff's involvement from his treating doctor as a service provider within the meaning of Section 35 (1) SGB I. The requirements of section 67a (2) sentence 2 no. 1 SGB X are met. The treating physician was authorized to transmit the data in accordance with section 276 (2) sentence 2 SGB V (section 67 (2) sentence 2 number 1 letter a SGB X). Collecting the data from the plaintiff would involve a disproportionate effort in accordance with section 67 (2) sentence 2 number 1 letter b SGB X. This is demonstrated by the specific case. The plaintiff's health status was readily available to the attending physician. It only took a brief verifying telephone inquiry to confirm the incapacity to work - as happened in the result. By comparison, an independent new examination by the miners' social medicine service is out of proportion. There are also no overriding interests of the plaintiff worthy of protection that are impaired (Section 67 (2) sentence 2 no. 1 letter c SGB X). This provision is part of the appropriate guarantees for the fundamental rights and interests of the data subjects within the meaning of Article 9 (2) (b) GDPR (BAG 09.04.2019 - 1 ABR 51/17, juris Rn. 28). The interests of the plaintiff are also taken into account in this particular case by the measures already described in accordance with Section 22 (2) BDSG, which means that the plaintiff's interests, which are worthy of protection, do not conflict with the specific data processing (cf. BAG 09.04.2019, cited above, marg. 40 aE). Overall, the aspect of data minimization (Art. 5 para. 1 letter c GDPR). Only the data required for the expert opinion was collected and processed. In the absence of a data protection violation, there was also no occasion to take into account any ineffective termination against the plaintiff or the threat of termination against Ms. T.
185
b) The plaintiff is not entitled to claim compensation under section 823 (1) BGB for the violation of his health or under section 823 (1) BGB in conjunction with Art. 2 (1), Art. 1 (1) GG for the violation of his general right of personality, because here too there is no breach of a data protection duty attributable to the defendant. In this respect, it can remain open whether the above-mentioned bases of claim apply in addition to Art. 82 Para. 1 GDPR.
186
II. The plaintiff cannot demand compensation from the defendant for the material damage claimed by him. The relevant applications 2 and 4 are admissible but unfounded. The auxiliary request for a declaration relating to application 2 for the period until October 2019 did not fall to the Chamber for decision.
187
1. The applications to 2. and 4. are admissible.
188
a) The plaintiff, as appellant, was able to assert these requests by extending the action within the scope of his appeal. The requirements of § 533 ZPO are met. The defendant engaged with applications 2 and 4, as last made, at the hearing without objection. Irrespective of this, applications 2 and 4 are also expedient within the meaning of Section 533 No. 1 ZPO. With the material damages, they relate to another object of the dispute. However, the entitlement is based at least in part on the same life circumstances as the entitlement to compensation. In both cases it concerns the data protection violation by the defendant alleged by the plaintiff. In this respect, deciding the material damage claim within this procedure is still economical in terms of the proceedings, because a large part of the previous material in dispute can be used. It is irrelevant that the dispute is expanded by the question of causality and thus, if necessary, other necessary statements on the question of the time of the recovery of the plaintiff without the alleged breach of data protection. This does not stand in the way of the economic use of the previous substance. The requirement of Section 533 No. 2 ZPO is met because the plaintiff has already presented the other facts in the justification for the appeal and these are to be used as a basis for the appeal process.
189
b) Application 2 is admissible as an application for payment. The request for a declaration in application 4 for the period from November 2019 is admissible. Since the development of the damage has not yet been completed, the plaintiff can request the full determination of the obligation to pay compensation in accordance with section 256 (1) ZPO (BGH April 19, 2016 - VI ZR 506/14, juris marginal 6 mwN). In particular, the employment relationship has not yet ended. On request, the plaintiff announced on March 11, 2020 that he had not yet applied for a pension. It is not necessary to continually adapt the application for a declaration to the payment application. The subject-matter of the dispute, which is put to the court for decision, also concerns a uniform complex of facts in this respect, namely those circumstances that arise in the "normal" processing of the expert opinion order, i.e. from the distribution of the expert opinion to Dr. I., the execution of the expert opinion by her and the final storage of the expert opinion. It is a uniform activity of processing the personal data of the plaintiff within the meaning of Art. 4 No. 2 GDPR. This unified life situation cannot be split up with regard to material damage either. Another question is whether the plaintiff bases the damage he claims on all aspects of the processing operation.
190
2. The motions for claims 2 and 4 are unfounded. The material damage asserted by the plaintiff does not arise from Art. 82 (1) GDPR or from Section 823 (1) BGB due to injury to his health or from Section 823 (1) BGB in conjunction with Art. 2 (1), Art. 1 Paragraph 1 of the Basic Law in connection with violation of his general right of personality, because - as stated for the compensation claim - there is no breach of duty by the defendant in the form of a data protection violation. Irrespective of this, a material claim for damages based on the storage of the expert opinion is not considered, because the plaintiff does not claim that this is the basis of liability for the material damage. The discerning chamber is bound to it. Since, according to the remarks on the claim for compensation, the Chamber was convinced of a data protection violation and, moreover, the plaintiff no longer relied on the storage of the expert opinion for the material damage, it was no longer necessary to take evidence. A formal annulment of the decision of evidence dated November 13, 2019 was not required (BAG October 25, 2012 - 2 AZR 495/11, juris Rn. 36).
191
The auxiliary request for a declaration for the period up to and including October 2019 did not fall to the Chamber for decision, because it was maintained as an auxiliary request only in the event that the request for benefits was not inadmissible. An interpretation as an interim assessment application was not considered as an auxiliary application.
192
B. The cost decision is based on Section 97 (1) ZPO. Reasons for the plaintiff to go beyond the cost decision of the first instance, which remains, also the first-instance extrajudicial costs of the defendant in deviation from § 12a (1) ArbGG
193
to impose did not exist.
194
C. The court approved the revision in accordance with Section 72 (2) No. 1 ArbGG.
195
REMEDY INSTRUCTIONS
196
The plaintiff can appeal against this judgment
197
REVISION
198
be inserted.
199
The defendant has no legal remedy against this judgment.
200
The revision must be submitted in writing or in electronic form to the
201
Federal Labor Court
202
Hugo-Preuss-Platz 1
203
99084 Erfurt
204
Fax: 0361 2636-2000
205
be inserted.
206
The emergency period begins with the delivery of the full judgment, at the latest five months after the announcement.
207
The revision letter must be signed by a proxy. The following are only authorized as authorized representatives:
208
1. Lawyers,
209
2. unions and associations of employers and associations of such associations for their members or for other associations or associations with a similar focus and their members,
210
3. Legal persons, all of whose shares are the economic property of one of the organizations specified in number 2, if the legal person exclusively provides legal advice and litigation for this organization and its members or other associations or associations with a similar focus and their members in accordance with their statutes, and if the organization is liable for the activities of the authorized representative.
211
In the cases of paragraphs 2 and 3, the persons who sign the revision certificate must be qualified to act as judges.
212
A party who is authorized to act as a proxy can represent itself.
213
The electronic form is satisfied by an electronic document. The electronic document must be suitable for processing by the court and be provided with a qualified electronic signature of the person responsible, or be signed by the person responsible and be securely transmitted in accordance with Section 46c ArbGG, as specified in more detail in the regulation on the technical framework for electronic legal transactions and on the special electronic authority mailbox (ERVV) of November 24, 2017 in the currently applicable version. You can find more information on electronic legal transactions on the website of the Federal Labor Court www.bundesarbeitsgericht.de.
214
* an emergency period is unchangeable and cannot be extended.
215
Dr. Gotthardt vom Brocke Bickhove-Swiderski