Well-intentioned, but treacherous: corporate health management can quickly become a data protection trap

Company health management begins with the promotion of sporting activities, for example, by providing rooms, courts or equipment, and goes all the way to the founding of company sports clubs or groups for competitions and joint participation in tournaments. The aim is to promote health, the working atmosphere and performance. Whether darts, tennis or football, there are no limits to the types of sport themselves and any type is possible. In larger companies, the activities are often organised by a health manager.

The very broad definition of digital health encompasses all aspects of health using digital technologies, i.e. the use of hardware and software. In concrete terms, this means the treatment, promotion and prevention of health with the help of apps, wearables or health portals. This enables employees to take part in the employer's offers, such as online fitness courses, at any time and from any location, and to do something for their health. Especially for companies with workplaces all over the world, these sports offers are a good way to balance the physical activity of their workforce and prevent classic corporate diseases.

Quite a lot, in fact. Personal data is generated everywhere. In the case of sporting activities in companies, contact persons and participants are named, tournament lists are drawn up for competitive sports and their results are published on the notice board or on the internet, sometimes even with pictures.

Participants are also insured under certain conditions in the event of accidents via the statutory accident insurance. Should an accident occur, personal data is also transmitted to a third party here.

Since this involves the processing of personal data that is not necessary for the fulfilment of the employment contract, the only legal basis that regularly comes into consideration here is the consent of the respective employee. In this case, the employee must be informed in detail about the processing in advance.

Education about processing is particularly important for offers in the area of digital health as a current trend in workplace health management. There are, for example, health portals and e-learning systems that employees can use independently to acquire knowledge, participate in courses, events and workshops or take advantage of favourable offers on site. As a rule, a service provider is behind this, so that it should already be evaluated in terms of data protection law when selecting the service provider. This means where the service provider is located, what personal data is processed, what protective measures have been taken and whether the conclusion of an order processing agreement is necessary.

Furthermore, the use of wearables and apps can serve to motivate employees. Wearables are very popular. However, smartwatches, fitness trackers and the like collect special personal data such as heartbeat, body temperature, step count, sleep rhythm or GPS data. An order processing agreement is only necessary here if the use of the gadgets is linked to health portals and e-learning systems. If the devices are made freely available, the agreement is not required.

According to the GDPR (General Data Protection Regulation), all these data may only be processed with the consent of the data subjects. It must be known which data are collected when for which purpose and to whom they are passed on, if applicable. The data subject must be informed about this in detail before he or she can give consent. Another legal basis, such as contract fulfilment from the employee's employment contract, is generally out of the question.

Furthermore, a data protection impact assessment must be carried out in advance, as special personal data are processed. Such a prior assessment is mandatory in this case. If there is a works council, it must also be involved.