Processing of sensitive health data in the employment relationship in the context of the GDPR
The collection and use of health data in the workplace is among the most sensitive processes under data protection law. Parties to employment contracts are increasingly confronted with complex issues, particularly since the General Data Protection Regulation (GDPR) established uniform requirements across Europe. The current case law, especially the decision of the Federal Labor Court (BAG, decision of 31.01.2023 – 8 ARZ 25/20), specifies the requirements for the data protection-compliant processing of medical information in the employment relationship.
The following examines the procedural and substantive requirements that must be observed when processing health data by the employer. Particular focus is given to the current legal standings and the practical implications for companies.
Health data as a special category of personal data
Definition and legal scope of protection
Health data are particularly protected under Art. 9 para. 1 GDPR, as they reveal insights into the physical or mental condition and are highly sensitive. Improper handling may pose significant risks to the individual concerned, which is why legislators and case law provide for strict protection mechanisms.
Lawfulness of processing in the employment relationship
The processing of this information requires a specific legal basis. It is permitted only if a special legal provision applies—such as the consent of the data subject, a statutory obligation, or a necessity in connection with the exercise of employment rights and obligations, cf. Art. 9 para. 2 GDPR in conjunction with Section 26 (3) BDSG.
BAG decision: Standards for data processing in labor court proceedings
Background of the decision
The decision of the Federal Labor Court addressed whether and under what circumstances the court may order the disclosure or transmission of the parties’ health data. This aimed, among other things, to further specify the balance between the court’s duty to clarify facts and the need for confidentiality.
Requirements for the disclosure of health data
The BAG makes clear that a court order to disclose personal health information is only considered when it is strictly necessary for legal clarification. Furthermore, it must be ensured that disclosure complies with the principle of data minimization and that no more information is revealed than necessary for the decision-making process. Secure storage and limiting processing to individuals directly involved in the proceedings are also essential.
Relationship between data protection and procedural fact-finding
A key finding of the decision is that the party’s data protection interests generally have priority, unless there are compelling procedural reasons justifying disclosure. Data subjects must generally be given the opportunity to comment on the scope and purpose of planned data processing so that they can effectively exercise their right to informational self-determination.
Practical implications for companies and employees
Employer documentation and informational obligations
Companies are required to document the collection, storage, and use of sensitive employee data in detail and to ensure transparency. This includes the obligation to inform employees clearly and understandably about the handling of health data and to obtain their consent in cases prescribed by law.
Limits of consent and proportionality
Particular attention must be paid to the extent to which employees’ consent can genuinely be given voluntarily. The imbalance of power in the employment relationship may affect the validity of consent. Companies must therefore always check whether other suitable legal grounds for data processing exist.
Erasure and protective measures
Another consequence of current case law is the obligation to protect collected data by appropriate technical and organizational measures. The obligation to erase data without delay only lapses if mandatory retention obligations prevent this. It must also be ensured that access is limited to a small group of persons.
Legal classification and outlook
The Federal Labor Court’s decision demonstrates that courts are strictly adhering to the special requirements of the GDPR even in employment law proceedings and will only order the disclosure of sensitive data under stringent conditions. Companies and employees should be aware of the procedural rights and obligations arising from this.
As far as employment or court matters involve data protection questions, especially concerning health data, it is advisable to pay close attention to current legal developments. The precise balance between data protection and legitimate interests is crucial, particularly in the area where employer and employee interests intersect.
If more in-depth questions arise regarding the processing of sensitive data in the employment context, the lawyers at MTR Legal Rechtsanwälte are available nationwide and internationally as contact persons.
