Well-intentioned, but treacherous: corporate health management can quickly become a data protection trap

Björn Holeschak, Head of Data Protection, EIKONA Systems GmbH
Employees taking part in company sports as part of corporate health management: an area that calls for sensitivity in data protection terms

Since the Corona pandemic, working from home has almost become part of everyday life. However, for some people it can also be stressful to work in isolation and without personal contact with other people. In order to counteract resulting mental illnesses such as depression, corporate health management is very important in companies. This includes not only the fruit bowl in the office or back exercises at home, but also digital offers such as health portals with information on nutrition, health and wellness, fitness courses and so-called wearables including the corresponding apps.

Corporate Health Management and Digital Health - What is it?

Company health management begins with the promotion of sporting activities, for example by providing rooms, courts or equipment, and goes all the way to the founding of company sports clubs or groups for competitions and joint participation in tournaments. The aim is to promote health, the working atmosphere and performance. Whether darts, tennis or football, there are no limits to the types of sport. In larger companies, the activities are often organised by a health manager.

The very broad definition of digital health encompasses all aspects of health that use digital technologies, i.e. hardware and software. In concrete terms, this means treatment, health promotion and prevention with the help of apps, wearables or health portals. Employees can take part in the employer's offers, such as online fitness courses, at any time and from any location, and do something for their health. Especially for companies with workplaces all over the world, these sports offers are a good way to encourage physical activity across the workforce and prevent typical work-related illnesses.

What has this got to do with data protection?

Quite a lot, in fact. Personal data is generated everywhere. In the case of sporting activities in companies, contact persons and participants are named, tournament lists are drawn up for competitive sports and their results are published on the notice board or on the internet, sometimes even with pictures.

Participants are also insured under certain conditions in the event of accidents via the statutory accident insurance. Should an accident occur, personal data is also transmitted to a third party here.

Since this involves the processing of personal data that is not necessary for the fulfilment of the employment contract, the only legal basis that regularly comes into consideration here is the consent of the respective employee. In this case, the employee must be informed in detail about the processing in advance.

Personal data from digital health offers

Informing employees about the processing is particularly important for offers in the area of digital health, the current trend in workplace health management. There are, for example, health portals and e-learning systems that employees can use independently to acquire knowledge, participate in courses, events and workshops or take advantage of favourable offers on site. As a rule, a service provider operates these systems, so the data protection assessment should already take place when the service provider is selected: where the service provider is located, which personal data is processed, which protective measures have been taken and whether a data processing (order processing) agreement needs to be concluded.

Furthermore, the use of wearables and apps can serve to motivate employees. Wearables are very popular. However, smartwatches, fitness trackers and the like collect special categories of personal data, such as heart rate, body temperature, step count, sleep rhythm or GPS data. A data processing (order processing) agreement is only necessary here if the use of the gadgets is linked to health portals and e-learning systems. If the devices are simply made freely available, the agreement is not required.

According to the GDPR (General Data Protection Regulation), all of this data may only be processed with the consent of the data subjects. It must be clear which data is collected, when, for which purpose and, where applicable, to whom it is passed on. The data subject must be informed about this in detail before he or she can give consent. Another legal basis, such as performance of the employee's employment contract, is generally out of the question.

Furthermore, a data protection impact assessment must be carried out in advance, because special categories of personal data (health data) are processed. Such a prior assessment is mandatory in this case. If there is a works council, it must also be involved.


How to avoid the data protection trap

To ensure that sporting competitions and the reports on them do not have any negative consequences for you as a company, it is imperative to

  • instruct employees in data protection law and
  • obtain their consent to the respective data processing.

For this purpose, set up internal processes and inform your employees whether corporate health management counts as working time and to what extent they are insured. If you are unsure how to handle data protection in your case, professional advice is recommended.

Björn Holeschak
Team Lead, Data Protection

Drawing on his profound data protection expertise, he tackles data protection challenges with renewed vigor every single day. He understands the dangers and stumbling blocks in intimate detail and gives customers practical advice.
