Providers of health portals and health apps analyze the movement patterns, consumption habits and subjective well-being of their users. Data protection authorities already view this offering critically, because it involves the disclosure of highly sensitive personal data. More recently, such providers have been using web-based health portals to approach employers with offers of corporate health management consulting.
As part of the web-based data processing by the provider, a wide range of personal (often health-related and thus "sensitive") data about the employees is collected. Employees are encouraged to answer all questions in the health portal truthfully. On the basis of the collected data, employees then receive, for example, e-mails or text messages from the provider intended to motivate them to take up sports activities and change their consumption habits.
As part of the consulting service, the employer is additionally offered a mental risk assessment (assessment of psychological hazards at work) prepared on the basis of the data the employees have entered into the web-based health portal.
Collection, processing and use of personal data in the employment relationship
The Federal Data Protection Act (BDSG) regulates the admissibility of processing personal data in the employment relationship. Section 32 (1) sentence 1 BDSG stipulates that an employee's personal data may be collected, processed or used for the purposes of the employment relationship only where this is necessary for the decision on establishing the employment relationship or, once it has been established, for carrying it out or terminating it.
Since health data regularly qualify as "sensitive" data (special categories of personal data) within the meaning of § 3 (9) BDSG, special restrictions apply to the admissibility of their collection and processing within the employment relationship under § 32 BDSG. Simitis likewise states in his commentary on the BDSG that questions about an applicant's state of health must be justified by "specific, job-related requirements and hazards".
Questions by the employer about an employee's general state of health or pre-existing illnesses are therefore in principle inadmissible and are left to the special statutory rules governing the company doctor. In particular, in view of medical confidentiality under § 203 StGB, this ensures that the data disclosed to the employer are limited to the minimum required and that, for example, no information about the type of illness is passed on.
Likewise, the employer's general question of whether a candidate smokes is not permitted. The same applies to such questions within an existing employment relationship.
Under section 32 (1) sentence 1 BDSG, data belonging to the employee's private sphere may not be collected either. Data attributable to the employee's private sphere include, for example, data on hobbies, personal interests, sports activities, eating habits, consumption behavior and the like.
Contractual relationship of the parties and data use for purposes of the enterprise
Where data processing by the employer cannot be based on § 32 BDSG (and no other legal permission or statutory collection obligation is evident), a collection of data by the employer that is mandatory for the employee is inadmissible under data protection law pursuant to § 4 (1) BDSG. Accordingly, the health service provider cannot act as an instruction-bound commissioned data processor under § 11 BDSG for the purpose of collecting the data on the employer's behalf.
Nor can the employer base the collection on the employee's consent: firstly, such consent cannot be given voluntarily because of the employee's position of dependence, and secondly, the purpose pursued by the employer (measures concerning employee appraisal or selection based on health status and consumption habits) would in any case be legally inadmissible under the provisions of the AGG (General Equal Treatment Act).
The third-party service provider therefore constitutes a controller in its own right under data protection law, to which the employee entrusts his or her data on a voluntary basis. In relation to the provider, the employer is to be qualified as a fully independent third party within the meaning of § 3 (8) BDSG.
Duty to inform employees
When collecting the data, the health service provider must inform the employees in detail about the nature and extent of the intended use of their personal data.
Using the data for a mental risk assessment under § 5 (2) Arbeitsschutzgesetz (Occupational Safety and Health Act) for the employer's purposes, and the accompanying transfer of data to the employer, is inadmissible and, for the reasons described above, cannot be justified by consent either.
An (attempted) anonymization or pseudonymization of the data by the health service provider before passing them on to the employer for occupational safety and health purposes is ruled out as a solution as well, because these data relate precisely to a specific job or activity and can therefore be traced back to a natural person or to a small, identifiable group of natural persons.
Registration with private e-mail address
Since registration with the portal is a private matter of the employee, the further question arises as to whether it is permissible for employees to register with a web-based health portal using their business e-mail address and then to receive e-mails from the portal containing information about their state of health.
This is particularly relevant because many companies have prohibited private use of the business e-mail address for legal reasons (see in more detail the discussion on the scope of telecommunications secrecy where private use is permitted), and because the employer may at the same time need to access employees' mailboxes during their absence. Using the business e-mail address for the private purpose of improving one's health would thus conflict with the company's internal rules.