Data Protection Insider, Issue 93

Data Protection Insider, Issue 93 - Image Landing Page DPI 7

– AG Clarifies the Processing of Medical Data in the Employment Context –


On 25th May, AG Sanchez-Bordona provided clarifications on the processing of medical data in the employment context in ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts. As to the facts of the case, the applicant in the main proceedings, ZQ, was an employee in the IT department of the medical service of a health insurance company (MDK), which provides medical opinions on the health situation of employees who became sick and are compensated by health insurance. The applicant fell sick, as a result of which he was on sick leave, paid by the health insurance, for a prolonged period of time. His employer, MDK, requested an opinion on his health, of which ZQ became aware after asking an ex-colleague who had access to the information processed by MDK. After the opinion was issued, ZQ was dismissed from his job. ZQ raised claims that the processing of his medical data was illegal under the GDPR and the case reached the CJEU via the preliminary ruling procedure. The questions raised concern the legality of the processing of health data under Article 9(2)(h) and 6 GDPR, as well as the assessment of material and non-material damages stemming from illegal processing under the GDPR (Articles 82(1) and (2) GDPR). The AG provided the following interpretation of the evoked provisions of the GDPR. First, as concerns the legal basis for the processing of health data, the AG suggested that Article 9(2)(h) GDPR ‘does not prohibit a medical service of a health insurance fund from processing data concerning the health of an employee of that service, where those data are a prerequisite for assessing that employee’s working capacity’. He provided a literal, purposive, historic and systematic interpretation of Article 9(2)(h) GDPR to reach this conclusion. Second, the AG reminded that for such processing to be legal, it has to comply with the other applicable requirements of the GDPR, including the main principles in Article 5 GDPR, especially data security and the adoption of appropriate technical and organisational measures for data processing. Third, the AG analysed the question of whether an additional legal basis under Article 6(1) GDPR is required for the processing of the medical data in question (in addition to a legal basis under Article 9(2) GDPR). According to him, ‘the relationship between that provision (Article 9 GDPR) and Article 6 does not really allow for a single answer to be given’ and in the case of Article 9(2)(h) GDPR, an additional basis is required under Article 6(1) GDPR, because Article 9(2)(h) GDPR does not have a direct correlation with a legal basis under Article 6(1) GDPR. Fourth, on the question of the determination of non-material damages, after a detailed analysis, the AG proposed that ‘the degree of fault on the part of the controller or processor does not have a bearing on establishing the liability of either of them or quantifying the amount of non-material damage to be compensated on the basis of Article 82(1) of Regulation 2016/679’. Finally, on the question of the role of the fault of the data subject in causing damages under the GDPR when calculating the compensation to be paid to him, the AG opined that ‘the GDPR seeks to provide a high level of protection, but not to the extent that it requires the controller to pay compensation also for damage resulting from events or actions attributable to the data subject.’

Learn more


– ECtHR Rules on Defamation in the Press 


On 30th May, the ECtHR ruled in the case of Mesić v. Croatia (no. 2). In terms of the facts, the case concerned the publication of information concerning Mr. Mesić – the former President of Croatia – on the news website This information linked Mr. Mesić to criminal activity – accepting bribes – relating to the purchase of military vehicles, and relied on official sources from a Finnish investigation and judgment concerning the matter. The applicant initially complained to the website that statements made concerning him were not true. The website, however, stood by the statements. Consequently, the applicant initiated civil proceedings on the basis that the statements ‘had breached his honour and reputation because he had been portrayed as a corrupt politician and a criminal’ and that by ‘publishing that article on its website, the news portal had made those false statements publicly available and accessible to a wide audience’. The decision of the initial court, as well as decisions by the appeal court, did not go in the applicant’s favour, leading eventually to a complaint before the Constitutional Court that: ‘the civil courts had breached his right to a reasoned judgment and his right to be presumed innocent’ – arguing, amongst other things, the inadequate consideration of the accuracy of the information in question. Following the dismissal of this case, the applicant complained to the ECtHR that ‘the domestic courts had failed to protect his reputation as part of his right to respect for his private life’. The Court ruled against the applicant and found no violation of Article 8, concluding that: ‘there are no strong reasons to substitute its view for that of the domestic courts, which struck the requisite fair balance between the applicant’s right to respect for his private life and the right of the news portal to freedom of expression. Therefore, it cannot be said that those courts failed to discharge their positive obligation under Article 8 of the Convention to ensure effective respect for the applicant’s private life, in particular, his right to respect for his reputation.’ In coming to their conclusion, the Court made observations on several significant issues, including, amongst others: i) the nature of the source of journalistic information; ii) the nature of the person and subject matter involved; and iii) the nature of the comments made. We recommend this case, in particular, for the concise summary of principles of ECtHR jurisprudence dealing with the relationship between journalism and privacy, matters of significant public interest, and the use of official sources.

Learn more


– EDPB Plenary and Other News – 


On the 24th of May, the EDPB held its 80th plenary meeting. The following significant issues, amongst others, were discussed:


· ‘Guidelines 4/2022 on the calculation of administrative fines (after public consultation)’;

· ‘Guidelines 3/2021 on the application of Article 65(1)(a) (after public consultation)’;

· ‘Guidelines on the Use of Technologies for Detecting, Removing and Reporting Online Child Sexual Abuse’;

· ‘Study on government access to data in third countries: update’;

· ‘Mandatory user accounts on online shopping websites – request for mandate’.


In other news, on 25th May, the EDPB announced that Anu Talus – head of the Finnish Data Protection Authority – was elected as the new chair of the EDPB.

Learn more


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply