Processing of Health Data of your Employees: Where to Draw the Line

Authors: Ann Bugeja & Christine Borg Millo

According to local and European Union law, it is the obligation of every employer to receive and maintain an internal record of information pertaining to the employment relationship between the employer and employee.[1] This must be understood in the light of the right to the proportional protection of personal data – a right which is not absolute, and which emerges from the General Data Protection Regulation[2] (the “GDPR”).

This discussion was the focal point in the EU case C-667/21 under the names of ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts. The request for a preliminary ruling to the European Court of Justice (the “ECJ”) was made in the context of a dispute between ZQ, as the employee, and its employer; the Medical Service of the North Rhine Health Insurance, Germany (hereinafter referred to as ‘MDK Nordrhein’).  In this case, ZQ claimed to have suffered from the alleged unlawful processing of data concerning his health[3] carried out by MDK Nordrhein, as his employer.

Delving into the facts of the Case

The facts of the case were summarily as follows:

ZQ worked in the IT department of MDK Nordrhein, a public law body which acts as a medical service of health insurance funds. The latter has a primary role of carrying out medical assessments by a special cases unit, to eliminate any doubts relating to the incapacity for work of individuals who are insured with the compulsory health insurance funds. It could also carry out this assessment on its own employees.

Due to medical reasons, the employee was placed on incapacity for work. Although the organisation as its employer, continued to pay the applicant his wages, following the incapacity, at the end of one semester, the compulsory health insurance fund department began to pay him a sickness benefit. For this reason, the fund department requested for the employer to carry out the assessment on incapacity for work of the applicant, by a doctor from the special cases unit. This unit accepted this request, and proceeded to obtain information from the applicant’s treating doctor regarding his declared incapacity. At this stage, the applicant stated that the data concerning his health had been the subject of unlawful processing by his employer and therefore sued for compensation for damages.

The applicant’s reasoning was based on the following points:

1. The assessment in question should have been carried out by another medical service, and not the employee’s private doctor, to prevent his colleagues from having access to data concerning his health;
2. The measures of security surrounding the archiving of the report relating to this expertise were insufficient; 
3. The processing of his health data by his employer constituted a violation of the legal rules protecting such data which had caused him both moral and material damage.

Inquiries to the ECJ

The referring court inquired on five (5) questions to the ECJ.

i. Processing of special categories of personal data

Article 9 (1) of the GDPR dictates that the processing of personal data revealing data concerning health, among others, shall be generally prohibited. However, the article in its second sub article goes on to exhaustively list the exceptions to when the processing of such personal data is permitted. One of these exceptions is paragraph (h) which states that processing of health data is allowed when it is necessary for the purposes of:

• preventive or occupational medicine;
• for the assessment of the working capacity of the employee;
• medical diagnosis;
• the provision of health or social care or treatment; or
• the management of health or social care systems and services on the basis of European Union or Member State law or pursuant to contract with a health professional.

This is on condition however, that the personal data may be processed when the health data is processed by or under the responsibility of:

• a professional subject to the obligation of professional secrecy under any European Union or Member State law; or
• rules established by national competent bodies; or
• by another person also subject to an obligation of secrecy under European Union or Member State law; or
• rules established by national competent bodies.

Therefore, does the situation where a medical control body processes data concerning the employee’s health, to assess the work capacity of this employee, fall under this exception?

In this regard, the Court answered that the employer in this case had a right to process its own  employee’s health data, provided that the processing concerned satisfies the conditions and guarantees of article 9.[4] Overall, the possibility of processing sensitive data, such as those concerning health, is strictly regulated by a series of cumulative conditions such as for the assessment of the employee’s working capacity, whether it concerns the right to the European Union, the law of a Member State or a contract concluded with a health professional and based on the duty of confidentiality, and secrecy of information.

ii. Access to data of colleagues

The second question delved into whether the GDPR ensures that no colleague of the employee who had his personal data accessed, can also access that data relating to the employee’s state of health.

The ECJ confirmed that Article 9(3) of the GDPR[5] does not require the controller of data processing concerning health to ensure that no colleague of the data subject can access data relating to the state of health of that person. However, this obligation may be imposed on the processing controller by virtue of regulations adopted by a Member State or by virtue of the principles of integrity and confidentiality.[6]

iii. Conditions of lawfulness when processing health data

The third question made by the referring court was: does the processing of sensitive data concerning health comply with the requirements set in the GDPR and fulfil at least one of the conditions of lawfulness set out in article 6 (1) to be legal?

In this discussion, article 6 (1) states that the processing of sensitive personal data shall be lawful only if and to the extent that at least one (1) of the following applies:

A) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;

B) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;

C) processing is necessary for compliance with a legal obligation to which the controller is subject;

D) processing is necessary to protect the vital interests of the data subject or of another natural person;

E) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

F) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

This list is exhaustive and restrictive; hence it cannot be deviated from. The ECJ reiterated that should one of the above points be satisfied, then the processing of the data may very well take place. From this ruling, there is a greater emphasis placed on the employer to prove a valid justification for why the processing of personal health data of an employee is required, and whether the processing is in line with the principle of lawfulness.

Concluding remarks

According to this case, the processing of special categories of data within the meaning of article 6 and 9 of the GDPR is therefore permitted. However, this comes at a price; the processing must be lawful, and necessary for the exercise of rights or the fulfillment of legal obligations under labour law, social security law and social protection law. Conversely, the data subject, like an employee, cannot immediately assume that his legitimate interest is to exclude the possibility for his data to be processed, and this includes data such as sensitive health data in employment.

Overall, personal data which is, by nature, particularly sensitive from the point of view of fundamental rights and freedoms deserve specific protection, because the context in which they are processed could create significant risks for these freedoms and rights. It shall always be the case that any data controller or processor should compensate any damage that a person may suffer because of processing carried out in violation of the GDPR. The data controller or processor will however be exonerated from liability if they prove that the damage is in no way attributable to them. 

[1] This is in line with the Transparent and Predictable Working Conditions Regulations (S.L. 452.126) of the Laws of Malta;

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

[3] Please note that personal data concerning health includes all data relating to the state of health of a data subject which reveal information about the past, present or future state of physical or mental health of the data subject.

[4] Its first sub article states that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Article 9 (2) goes on to list the exceptions to this rule and maybe found here.

[5] Which states as follows: 3.Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under European Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under European Union or Member State law or rules established by national competent bodies.

[6] As set out in Article 5(1)(f) of the GDPR which states:  Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).