The Court of Justice of the European Union delivered a notable judgment in the case of Krankenversicherung Nordrhein (C-667/21). This case stemmed from a preliminary reference request from the German Federal Labour Court regarding the interpretation of the GDPR. The central issue revolved around MDK Nordrhein, a medical service provider associated with health insurance funds, and its handling of an employee’s health data. The case involved an employee on sick leave who requested a colleague at MDK Nordrhein to access and send photos of their medical assessment report from the organization’s digital archives. This unauthorized access led the employee to take legal action, arguing that MDK Nordrhein had processed their health data unlawfully.
The CJEU’s judgment focused on interpreting Articles 9 and 82 GDPR. Article 9 deals with processing “special categories” of personal data, such as health information. The Court established key principles:
- The Court clarified that under Article 9(2)(h), a medical service provider can assess an employee’s work capacity if acting as a medical provider rather than an employer. This exception requires adherence to the provisions of Articles 9(2)(h) and 9(3).
- Although Article 9(3) does not demand absolute colleague-level data shielding, obligations may arise from national laws under Article 9(4) or the principles of data integrity and confidentiality (Article 5(1)(f)), as well as implementation specifics from Articles 32(1)(a) and (b).
- Processing health data under Article 9(2)(h) must not only comply with its provisions but also fulfill one of the lawful processing conditions in Article 6(1) GDPR.
Regarding Article 82 GDPR, which covers compensation and liability, the CJEU confirmed that liability is contingent upon the controller’s fault. However, the degree of fault does not impact the assessment of compensation for non-material damage. This judgment provides crucial guidance for healthcare providers in the EU by clarifying the legal framework for processing employee health data and striking a balance between necessary medical assessments and the protection of individual privacy. The decision underscores the need for stringent data access controls and adherence to established legal bases for processing sensitive health information.