Health data in the event of continued illness as a data protection challenge

In the event of continued illness, the obligation to continue to pay wages does not apply if the new illness is related to the previous one.

Marcus Belke

CEO of 2B Advice GmbH, driving innovation in privacy compliance and risk management and leading the development of Ailance, the next-generation compliance platform.

The data protection assessment of health data in the employment relationship is one of the most sensitive aspects of modern compliance practice. A current occasion for in-depth discussion is the publication by the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW) on the so-called continued illness. The central question is whether and to what extent an employer is entitled to collect or demand health-related information from employees if there is a suspicion that several periods of illness are connected and therefore no new continued payment of remuneration is triggered.

Health data and their need for protection

Under Art. 9 para. 1 GDPR, health data are special categories of personal data. In principle, they may not be processed unless a special permission under Art. 9 para. 2 GDPR applies. In the employment relationship, such processing is permitted, inter alia, by Art. 9 para. 2 lit. b GDPR in conjunction with Section 26 (3) BDSG if it is necessary for the exercise of rights or the fulfillment of legal obligations under employment law.

The wording "necessary" is not a mere formality: it requires a data protection assessment in each individual case. Employers are therefore not allowed to demand the submission of medical documents across the board or have their own diagnoses made. They must be able to justify the proportionality of the measure.

Continued illness as a touchstone of data protection-compliant practice

The term "continued illness" originates from the law on continued remuneration (Section 3 (1) sentence 2 EFZG). According to this, the obligation to continue to pay wages does not apply if an employee falls ill again, but the new illness is causally related to the previous one and the six-week period has already been exhausted. Whether such a connection exists often remains unclear. In a labor court dispute, employers bear the burden of presentation and proof for the continued existence of the causal connection.

This is precisely where data protection tensions arise: in order to meet their burden of proof, employers often require a medical statement, for example from the doctor providing treatment, the company doctor or via the health insurance company. However, the LDI NRW points out that such measures are associated with a considerable encroachment on the rights of the employees concerned and can therefore only be permitted in particularly justified exceptional cases.

The role of the employee's duty to cooperate

The decision of the Federal Labor Court of January 18, 2023 (Ref. 5 AZR 93/22) provides a significant impetus for practice. According to this decision, it is the employee's responsibility to demonstrate in concrete and comprehensible terms that there is no connection between the periods of illness. This graduated burden of proof may oblige the employee to release treating doctors from their duty of confidentiality.

The relevance of this decision in terms of data protection law is considerable: while employers themselves are only entitled to collect data to a limited extent, employees have a procedural obligation to disclose it. It is a tense relationship that compliance and data protection officers must keep in mind.

Reading tip: BAG ruling on the dispute over continued illness: Why the presentation of an AU is no longer sufficient on its own

Data protection measures in practice

Regardless of how the data is obtained, health data always place increased demands on technical and organizational protective measures. These include in particular the separate storage of health data, the exclusion of unauthorized access through role and rights concepts, and the use of encryption. These measures are not merely recommended best practice, but are required by law, for example under Art. 32 GDPR.

In addition, a documented risk assessment is recommended at an early stage, especially if the employer asks an affected person to make a disclosure or would like to rely on information from the health insurance fund. These measures must be documented in the list of processing activities and flanked by data protection impact assessments (DPIA) if the risks are classified as high.

Recommendations for data protection and compliance officers

In operational practice, it is essential that data protection and compliance officers actively shape the legal limits and possibilities in the event of suspected continued illness. Close cooperation with HR departments is essential here. In particular, standardized procedural descriptions should be developed that define the criteria for permissible collection, take into account milder alternative means (such as opinions from the company doctor) and strictly regulate access to particularly sensitive data.

In addition, internal training courses should ensure that HR managers do not collect or request health data hastily or out of routine. Structured documentation of individual cases, including the considerations of necessity and proportionality, is urgently recommended, not least with regard to possible audits by supervisory authorities.

Data protection assessment of continued illness

The assessment of continued illness under data protection law requires a differentiated approach. Employers must carefully weigh up the interest in cost control under employment law against the interest in protecting employees under data protection law. Data protection and compliance officers play a central role in this: they not only ensure that processes are legally compliant, but also protect the fundamental rights of employees. It is a balancing act that requires tact and legal precision in equal measure.

Link tip: Employee health data: what employers are allowed to do and know

Marcus Belke is CEO of 2B Advice as well as a lawyer and IT expert for data protection and digital compliance. He writes regularly about AI governance, GDPR compliance and risk management. You can find out more about him on his author profile page.
