The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

The processing of health data in the workplace

On May 25, 2023, the Advocate General submitted his conclusions regarding Case C-667/21 on the reference for a preliminary ruling submitted to the CJEU by the German Federal Labour Court.

Many of the conclusions are in the groove of previous pronouncements of the same Court or represent foreseeable developments of those pronouncements, so there is good reason to believe that the final decision will not deviate much from the conclusions examined here.

It will be interesting to see whether the CJEU, as happens in the majority of cases, will follow the Advocate General’s legal approach, which has multiple points of general interest.

Matters subject to preliminary ruling

The issues involved in the preliminary ruling application, addressed by the Advocate General, are significant and can be summarized as follows:

  1. Exceptions to Articles 9.2(b) and 9.2(h) – Whether the exception to the prohibition of processing sensitive data for “preventive or occupational medicine, for the assessment of the working capacity of the employee,” etc. [Art. 9.2(h), GDPR], can be asserted – particularly for health-related data – by the data controller who is also the employee’s employer (e.g., to assess the employee’s ability to work); or can the only exception that can be used by a “data controller – employer” be ” carry out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law” [Art. 9.2(b), GDPR];
  2. Additional safety requirements for Art. 9.2(h) – Whether, in the case of the exception provided for in Art. 9.2(h), additional safety requirements, in addition to those already provided for in Art. 9.3, which refers to it, must be met.
  3. Complementarity Articles 9 and 6 – Whether for the lawfulness of the processing of sensitive data (“special categories of personal data”), in particular related to health, in addition to the application of one of the exceptions to the prohibition of Article 9, one of the conditions specified in Article 6.1 of the GDPR must also be met.
  4. Compensation for damages and liability – Does the degree of liability of the controller or processor (i.e., whether the absence of liability affects this determination) matter for compensation for material or non-material damage (Art. 82, GDPR).