Court case 12 Sa 186/19 – Court Ruling (Germany, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court ruled on a case involving a medical service provider who shared an employee's health data with colleagues. The court found that the company had taken necessary steps to protect this sensitive information. This decision highlights the importance of safeguarding health data in the workplace.
What happened
The court examined whether a medical service provider properly protected an employee's health data from unauthorized access by colleagues.
Who was affected
An employee whose health data was accessed by colleagues in the IT department.
What the authority found
The court decided that the company had implemented appropriate measures to protect health data, complying with GDPR and German data protection laws.
Why this matters
This ruling underscores the need for companies to ensure that only authorized personnel have access to sensitive health data. It serves as a reminder for businesses to review their data protection practices, especially when handling employee health information.
GDPR Articles Cited
National Law Articles
The defendant offers a medical service in which, as in the plaintiff's case, social data in the form of health data can be processed on the basis of a request from his or her health insurance company. Since the plaintiff and his colleagues work in the IT department, his colleagues gained knowledge of the plaintiff's health data.
The question was whether the defendant has taken appropriate and specific measures in accordance with the German Federal Data Protection Law and Art. 9 GDPR to protect health data from unauthorized access by employees.
The court emphasized that the physical examination of an employee represents a significantly more serious intervention in the employee's personal sphere than an assessment based on the file. This differentiation meets the requirements of Section 22 (2) of the German Federal Data Protection Law ("BDSG").
In the context of Art. 9 Para. 2, 3 GDPR in conjunction with Section 22 Para. 2 BDSG, appropriate and specific measures are required. One is that only professional personnel who are subject to professional secrecy may process the health data. This is the case here due to medical and social secrecy. This alone is not sufficient within the meaning of Section 22 (2) BDSG, but it must be included in the assessment of whether the defendant has taken appropriate and specific measures.
Access within the defendant's organization is restricted through technical and organizational measures (Section 22 (2) No. 5 BDSG). The personal data is only accessible to people who need it to perform their tasks. The access rights are determined by assigning rights and roles related to the occupational groups. The access authorization is further divided according to the occupational group-specific role for the 36 employees of the area the plaintiff belongs to. The court decided that the IT department is uniformly and indisputably responsible for the entire protected area. Further protection is granted since the access
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
About this data
Cite as: Cookie Fines. Court case 12 Sa 186/19 - Germany (2020). Retrieved from cookiefines.eu