Judgment of the Court (Third Chamber) of 21 December 2023 (request for a preliminary ruling from the Bundesarbeitsgericht – Germany) – ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts

(Case C-667/21, 1 Krankenversicherung Nordrhein)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Conditions for lawful processing – Article 9(1) to (3) – Processing of special categories of data – Data concerning health – Assessment of an employee’s capacity to work – Health insurance medical service processing data concerning the health of its own employees – Conditions for such processing and whether permissible – Article 82(1) – Right to compensation and liability – Compensation for non-material harm – Compensatory function – Impact of negligence on the part of the data controller)

Language of the case: German

Referring court

Bundesarbeitsgericht

Parties to the main proceedings

Applicant: ZQ

Defendant: Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts

Operative part of the judgment

Article 9(2)(h) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the exception provided for in that provision is applicable to situations in which a medical examination body processes data concerning the health of one of its employees acting not in its capacity as employer, but as a medical service, in order to assess the working capacity of that employee, provided that the processing concerned satisfies the conditions and guarantees expressly imposed by that point (h) and by Article 9(3) of that regulation.

Article 9(3) of Regulation 2016/679

must be interpreted as meaning that the controller of data concerning health, based on Article 9(2)(h) of that regulation, is not required, under those provisions, to ensure that no colleague of the data subject can access data relating to his or her state of health. However, such an obligation may be imposed on the controller either under rules adopted by a Member State pursuant to Article 9(4) of that regulation or by virtue of the principles of integrity and confidentiality set out in Article 5(1)(f) of that regulation and given specific expression in Article 32(1)(a) and (b) thereof.

Article 9(2)(h) and Article 6(1) of Regulation 2016/679

must be interpreted as meaning that the processing of data concerning health based on the first provision must, in order to be lawful, not only comply with the requirements arising from that provision, but must also satisfy at least one of the conditions of lawfulness set out in Article 6(1) of that regulation.

Article 82(1) of Regulation 2016/679

must be interpreted as meaning that the right to compensation provided for in that provision fulfils a compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, and not a dissuasive or punitive function.

Article 82 of Regulation 2016/679

must be interpreted as meaning that, first, the establishment of liability on the part of the controller is subject to the existence of a fault committed by the controller, which is presumed unless the controller proves that the event giving rise to the damage is in no way attributable to it and, secondly, Article 82 of that regulation does not require the degree of seriousness of that fault to be taken into account when determining the amount of damages awarded as compensation for non-material damage on the basis of that provision.

____________

1 OJ C 95, 28.2.2022.