The impact of the General Data Protection Regulation on Social Security

Abstract

The EU General Data Protection Regulation (GDPR) provides a Europe-wide and mostly uniform system of data protection, which also has an impact on social security. Public authorities must have a legitimate reason for processing data; the legal grounds are given by the GDPR, though some have to be specified by domestic law. The processing of special categories of data is strictly prohibited unless an exemption applies. Consent is not always necessary in order to process personal data, but when it is, it must be freely and unambiguously given and can be withdrawn just as easily. The doctor-client privilege has to be observed separately. With respect to the rights of the data subject, it always has to be checked whether the rights are applicable or whether there is a restriction by the GDPR itself or by domestic law. Infringement of the GDPR can lead to compensation for damages, fines and inadmissibility of evidence.

Notes

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [1] on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. For an overview of how EU Member States have adjusted their domestic data privacy law to the GDPR, see Pohle, CRi 2018, 97–116; with respect to Austria in particular, see Rieß in Forgó/Helfrich/Schneider, Beschäftigtendatenschutz, 3rd ed. 2019, p. 1516 [2]; for Great Britain: Stauch, ibid., p. 1521; for Italy: Biasiotti/Conti, ibid., p. 1523; for Sweden: Magnusson/Sjöberg, ibid., p. 1532; for the Czech Republic: Polcak, ibid., p. 1587.
  3. CJEU 29.6.2010 – C-28/08 P [4] (Bavarian Lager), ECLI:EU:C:2010:662.
  4. German law used to provide the principle of direct collection for social security data: data have to be collected directly from the data subject, from third persons only if the data subject cooperates (e.g. by giving consent) and only in rare cases (e.g. in an urgent emergency) without cooperation (§ 67a SGB X).
  5. CJEU 13.5.2014 – C-131/12 [5] (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD)), ECLI:EU:C:2014:317, m.n. 52: it is the internet provider which processes data. Even searching on the internet can amount to a transfer of data to third persons if the search engine is able to identify the person who is searching, e.g. by using plugins: Bieresborn, Surfen als Amtsermittlung - Welche Grenzen bestehen bei der Internetrecherche für Sozialleistungsträger?, NZS 2016, 531, 535; cf. CJEU 6.11.2003 – C-101/01 (Criminal proceedings against Bodil Lindqvist), EU:C:2003:596, m.n. 68. Besides Facebook, the owner of a fan page is also a controller: CJEU 5.6.2018 – C-210/16 (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH - Facebook fanpages), ECLI:EU:C:2018:388, m.n. 46.
  6. To become a member, with the possibility of viewing all Facebook pages, one simply needs a valid e-mail address or mobile number and a made-up name, which guarantees no genuine privacy; Böckenförde, Auf dem Weg zur elektronischen Privatsphäre, JZ 2008, 925, 936 [6].
  7. Such as § 45d Einkommensteuergesetz (EStG) in Germany.
  8. It is, if there is consent or a national law that enables the collection of those special categories of data.
  9. It may, if this is provided for by specific provisions of national law, e.g. in German law by § 69 Abs 1 SGB X in conjunction with § 76 Abs 2 SGB X.
  10. CJEU 24.11.2011 – C-468/10 and C-469/10 [7] (Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF), Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado), ECLI:EU:C:2011:777.
  11. The relation between Art 8 ChFR and the GDPR is not clear yet, cf. Bernsdorff in Meyer/Hölscheidt, Kommentar zur Charta der Grundrechte der Europäischen Union, 5th ed. 2019, m.n. 36 [8].
  12. OJ L 119.
  13. How the directive evolved into a regulation is described by Albrecht, The EU’s New Data Protection Law—How A Directive Evolved Into A Regulation, CRi 2016, 33–43 [9].
  14. CJEU 28.03.1985 – C-272/83 [10] (Commission v. Italy - Art. Regulation 1360/78 – Agricultural producer groups), ECLI:EU:C:1985:147.
  15. Bieresborn, Sozialdatenschutz nach Inkrafttreten der EU-Datenschutzgrundverordnung - Anpassungen des nationalen Sozialdatenschutzes an das europäische Recht, NZS 2017, 887, 888 [11].
  16. Cf. already CJEU 20.5.2003 – C-465/00, C-138/01 and C-139/01 [12] (Österreichischer Rundfunk etc), EU:C:2003:294, m.n. 39 to 47 and CJEU 6.11.2003 – C-101/01 (Lindqvist), EU:C:2003:596, m.n. 27; CJEU 29.01.2008 – C-275/06 (Promusicae), EU:C:2008:54, m.n. 51 and CJEU 11.12.2014 – C-212/13 (Rynes), EU:C:2014:2428, m.n. 31 - 33.
  17. § 1 Abs 8 BDSG, § 35 Abs 2 SGB I.
  18. Feiler/Forgó/Weigl, GDPR—A Commentary, Art 5 m.n. 1 [3].
  19. Feiler/Forgó/Weigl, GDPR—A Commentary, Art 5 m.n. 2.
  20. Feiler/Forgó/Weigl, GDPR—A Commentary, Art 5 m.n. 5.
  21. Feiler/Forgó/Weigl, GDPR—A Commentary, Art 5 m.n. 4.
  22. Cf. CJEU 16.12.2008 – C-73/07 [13] (Markkinapörssi and Satamedia), EU:C:2008:727, m.n. 56.
  23. Recital 39; Feiler/Forgó/Weigl, GDPR—A Commentary, Art 5 m.n. 13.
  24. Cf. Feiler/Forgó/Weigl, GDPR—A Commentary, Art 6 m.n. 3.
  25. Weichert in Kühling/Buchner, DS-GVO, Art 9 m.n. 47 [14].
  26. CJEU 8.4.2014 – C-293/12, C-594/12 [15] (Digital Rights Ireland Ltd etc), EU:C:2014:238 and CJEU 21.12.2016 – C-203/15 and C-698/15 (Tele2 Sverige and Watson), EU:C:2016:970.
  27. German penal law contains a criminal offence of breach of confidentiality (§ 203 Strafgesetzbuch (StGB)).
  28. In the Germanwings case, for example, the treating psychiatrist would not have been punished if he had alerted the aviation authorities, provided he was convinced that his client was a danger to other people by working as a pilot.
  29. E.g. § 67a SGB X enables all social security authorities in Germany to collect data in order to fulfil their duties.
  30. This question is pending before the CJEU: case C-673/17 (Planet49 v. Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband e.V.).
  31. Cf. Frenzel in Paal/Pauly, DSGVO BDSG, 2nd ed. 2018, Art. 6 m.n. 46 [16] and Buchner/Petri in Kühling/Buchner, DS-GVO, 2nd ed. 2018, Art. 6 m.n. 199 f [17]; the latter emphasizes that Art 6 par 4 is not an opening clause.
  32. § 25 Abs 2 BDSG; §§ 75 and 78 SGB X.
  33. Cf. Bieresborn, Sozialdatenschutz nach Inkrafttreten der EU-Datenschutzgrundverordnung - Verarbeiten von Sozialdaten, Reichweite von Einwilligungen, grenzüberschreitende Datenübermittlung und Auftragsverarbeitung, NZS 2017, 926, 929.
  34. Compare Feiler/Forgó/Weigl, GDPR-A Commentary, Art 4, m.n. 13.
  35. CJEU 13.5.2014 – C-131/12 (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD)), ECLI:EU:C:2014:317.
  36. See Molnár-Gábor/Kaffenberger, EU-US-Privacy-Shield – ein Schutzschild mit Löchern?, ZD 2017, 18–24 [18].
  37. See CJEU 6.10.2015 – C-362/14 [19] (Schrems), EU:C:2015:650.
  38. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176).
  39. See Mutkoski, Regulation of Patient Health Information and the Use of Cloud Computing Technologies, CRi 2017, 172–179 [20].
  40. H.R. 1428 (114th) of 12.2.2016.
  41. See European Parliament resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP)) [21].
  42. It is argued that the national procedural law lays down obtaining or disclosure and provides appropriate measures to protect the data subject’s legitimate interests as mentioned in Art 14 par 5 lit c GDPR, e.g. the right of access to the file, cf. Bieresborn, Auswirkungen der DSGVO auf das gerichtliche Verfahren, DRiZ 2019, 18, 21 [22].
  43. BGH, judgment of 29.11.2016 – VI ZR 530/15 – juris [23].
  44. CJEU 17.7.2014 and C-372/12 y.s. v. Minister van Immigratie, Integratie en Asiel, ECLI:EU:C:2014:2081, m.n. 39.
  45. Bieresborn/Giesberts-Kaminski, Auswirkungen der EU-Datenschutz-Grundverordnung und der Anpassungsgesetze auf die Sozialgerichtsbarkeit (Teil II), Rechte der betroffenen Personen im Gerichtsverfahren, SGb 2018, 530, 534 [24].
  46. Cf. CJEU 20.12.2017 – C-434/16 [25] (Nowak), EU:C:2017:994, m.n. 52.
  47. Feiler/Forgó/Weigl, The EU General Data Protection Regulation—A Commentary, Art 82, m.n. 2.
  48. As in Germany: § 43 Abs 3 BDSG, § 65a Abs 3 SGB X.
  49. Silverthorne Lumber Co v. United States, 1920, United States Reports, Vol. 251, Oct. Term 1919, p. 385 [26]; cf. the “hypothetical clean path doctrine”, Crispus Nix v. Robert Anthony Williams (1984), United States Supreme Court Reports 467 US 431, 81 L Ed 2d 377, 104 S. Ct. 2501.
  50. Germany: BVerfG, decision of 30.11.2010 – 2 BvR 2101/09 – NJW 2011, 2417–2420 [27].

References

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
  2. Forgó/Helfrich/Schneider, Beschäftigtendatenschutz, 3rd ed. 2019
  3. Feiler/Forgó/Weigl, GDPR—A Commentary
  4. CJEU 29.6.2010 – C-28/08 P
  5. CJEU 13.5.2014 – C-131/12
  6. Böckenförde, Auf dem Weg zur elektronischen Privatsphäre, JZ 2008
  7. CJEU 24.11.2011 – C-468/10 and C-469/10
  8. Meyer/Hölscheidt, Kommentar zur Charta der Grundrechte der Europäischen Union, 5th ed. 2019
  9. Albrecht, The EU’s New Data Protection Law—How A Directive Evolved Into A Regulation, CRi 2016
  10. CJEU 28.03.1985 – C-272/83
  11. Bieresborn, Sozialdatenschutz nach Inkrafttreten der EU-Datenschutzgrundverordnung - Anpassungen des nationalen Sozialdatenschutzes an das europäische Recht, NZS 2017
  12. CJEU 20.5.2003 – C-465/00, C-138/01 and C-139/01
  13. CJEU 16.12.2008 – C-73/07
  14. Kühling/Buchner, DS-GVO, Art 9
  15. CJEU 8.4.2014 – C-293/12, C-594/12
  16. Paal/Pauly, DSGVO BDSG, 2nd ed. 2018, Art. 6
  17. Kühling/Buchner, DS-GVO, 2nd ed. 2018
  18. Molnár-Gábor/Kaffenberger, EU-US-Privacy-Shield – ein Schutzschild mit Löchern?, ZD 2017
  19. CJEU 6.10.2015 – C-362/14
  20. Mutkoski, Regulation of Patient Health Information and the Use of Cloud Computing Technologies, CRi 2017
  21. European Parliament resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield
  22. Bieresborn, Auswirkungen der DSGVO auf das gerichtliche Verfahren, DRiZ 2019
  23. BGH, judgment of 29.11.2016 – VI ZR 530/15
  24. Bieresborn/Giesberts-Kaminski, Auswirkungen der EU-Datenschutz-Grundverordnung und der Anpassungsgesetze auf die Sozialgerichtsbarkeit (Teil II), Rechte der betroffenen Personen im Gerichtsverfahren, SGb 2018
  25. CJEU 20.12.2017 – C-434/16
  26. Silverthorne Lumber Co v. United States, 1920, United States Reports, Vol. 251, Oct. Term 1919
  27. BVerfG, decision of 30.11.2010 – 2 BvR 2101/09 – NJW 2011

Author information

Corresponding author

Correspondence to Dr Dirk Bieresborn.

Cite this article

Bieresborn, D. The impact of the General Data Protection Regulation on Social Security. ERA Forum 20, 285–306 (2019). https://doi.org/10.1007/s12027-019-00565-x

Keywords

  • Data-protection
  • Consent
  • Doctor-client-privilege
  • Processing
  • Special categories of data
  • Big Data