ZQ – CJEU Judgment (European Union, 2023)

CJEU Judgment
Court of Justice of the European Union | 21 December 2023 | European Union
final

CJEU judgment — not a DPA enforcement action

This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.

The Medical Service of Health Insurance (the controller) is Germany's public health insurance medical review service. It provides expert reports when people say they are unable to work, as well as for its own staff. Before becoming unable to work, the data subject worked for the controller. The insurance company that was paying their benefits requested an expert opinion from the controller. The controller obtained health information from the data subject's doctor in the form of a medical report, which was then distributed to the data subject's coworkers.

The data subject believed that their medical data had been unlawfully processed and sought €20,000 in damages from the controller, which rejected the claims. According to the data subject, the evaluation should have been performed by another organisation in order to prevent coworkers from accessing their medical data. Furthermore, they considered the security procedures around their medical report's archiving to be inadequate.

After being rejected at first and second (Landesarbeitsgericht Düsseldorf) instance, the data subject appealed to the Federal Labour Court, which referred the case to the CJEU with the following questions:

On the topic of health data

1) Does Article 9(2)(h) GDPR prohibit a medical service of a health insurance fund from processing its employee’s health data when it is a prerequisite for the assessment of that employee’s working capacity?

2) If the Court answers Question 1 in the negative (with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR) in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones?

3) If the Court answers Question 1 in the negative, does the permissibility or lawfulness of the processing of data concerning health depend on the fulf

GDPR Articles Cited

Art. 24 GDPR
Art. 5(1)(f) GDPR
Art. 6(1) GDPR
Art. 9(1) GDPR
Art. 9(2)(h) GDPR
Art. 9(3) GDPR
Art. 32(1) GDPR
Art. 82(1) GDPR

National Law Articles

Artikel 275 (1) Sozialgesetzbuch
Artikel 2758 (1) Sozialgesetzbuch
Decision Authority: CJEU
Outcome

CJEU Judgment

A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.

Details

Judgment Date

21 December 2023

Authority

Court of Justice of the European Union

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ZQ - European Union (2023). Retrieved from cookiefines.eu
