Poland: Issued Data Protection Authority Statement on Processing Employee Health Data by Medical Entities

On 15 March 2024, the Polish Data Protection Authority (UODO) issued a statement on the processing of health data by medical entities in a dual role as both employers and medical service providers. This was the case in the judgment of 21 December 2023 in the case of sygn. C-667/21 Krankenversicherung Nordrhein. According to the judgment of the Court of Justice of the European Union, if a medical entity processes health data of one of its employees not as an employer, but as a medical service, to assess the employee's ability to work, the exception provided for in Article 9(2)(h) of the GDPR applies. In such a case, the data may be processed for purposes related to health prevention, occupational medicine, or for the assessment of the employee's ability to work. The President of the UODO stated that this ruling has implications for the interpretation and application of the GDPR in Poland, though it does not require changing regulations as such. Specifically, only individuals examining an employee's health should have access to their health data.