ZQ – CJEU Judgment (European Union, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled on a case involving a German health insurance service that shared a person's medical report with their coworkers. This decision is important because it clarifies how health data can be handled in the workplace, especially regarding employee privacy. Companies must ensure they follow strict data protection rules when dealing with sensitive health information.
What happened
The health insurance service shared a person's medical report with their coworkers without proper safeguards.
Who was affected
The individual whose medical data was shared and their coworkers were affected.
What the authority found
The Court held that processing health data for assessing an employee's work capacity may be allowed under certain conditions, but strict data protection requirements must still be met.
Why this matters
This ruling emphasizes the need for companies to protect sensitive health information and follow data protection laws carefully. It sets a precedent for how health data should be managed in employment contexts.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Medical Service of Health Insurance (the controller) is Germany's public health insurance medical review service. It provides expert reports when people say they are unable to work, as well as for its own staff. Before becoming unable to work, the data subject worked for the controller. The insurance company that was paying their benefits requested an expert opinion from the controller. The controller obtained health information from the data subject's doctor in the form of a medical report, which was then distributed to the data subject's coworkers. The data subject believed that their medical data had been unlawfully processed and sought €20,000 in damages from the controller, who rejected the claims. According to the data subject, the evaluation should have been performed by another organisation in order to prevent coworkers from accessing their medical data. Furthermore, they considered the security procedures around their medical report's archiving to be inadequate. After being rejected at first and second (Landesarbeitsgericht Düsseldorf) instance, the the data subject appealed to the Federal Labour Court, who referred the case to the CJEU with the following questions: On the topic of health data 1) Does Article 9(2)(h) GDPR prohibit a medical service of a health insurance fund from processing its employee’s health data when it is a prerequisite for the assessment of that employee’s working capacity? 2) If the Court answers Question 1 in the negative (with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR) in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones? 3) If the Court answers Question 1 in the negative, does the permissibility or lawfulness of the processing of data concerning health depend on the fulf
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for ZQ in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
21 December 2023
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7449About this data
Cite as: Cookie Fines. ZQ - European Union (2023). Retrieved from cookiefines.eu
Last updated: