Privacy & Information Security Law Blog

On January 11, 2010, the data protection authority of the German federal state of Baden-Wurtemberg issued a press release stating that it had fined the Müller Group €137,500 for illegal retention of health-related data and failure to appoint a Data Protection Officer.

In April 2009, the German press reported that the Müller Group, a drugstore chain comprised of twelve entities and employing some 20,000 workers, was illegally collecting health data from its employees.  Specifically, employees returning from sick leave were required to complete a form and provide the reason for their sicknesses.  After conducting an investigation, the DPA confirmed these allegations.  Since 2006, the Müller Group entities had systematically requested employees returning from sick leave to identify the reasons for their sicknesses on a form that was then sent to the Group’s central Human Resources department to be scanned.  As of April 2009, approximately 24,000 records containing data on employee illnesses were being stored in Müller’s centralized HR files.

In its press release, the German DPA made the following points:

1. Asking for a cause of illness in this context is lawful only for one of four purposes: (i) to alleviate contamination risk; (ii) to eliminate the causes of an employee’s disease; (iii) to ascertain whether an employee returning from sick leave is still fit to do his or her job; or (iv) to assign to the employee a position more appropriate to his or her health condition.  A review of Müller’s records indicated that the data collection was at least partly illegal because there was no justification for the questioning in most cases.
2. The employees were not properly informed about their data protection rights prior to being asked to complete the post-sick leave form.  The employer should have disclosed (i) what types of information employees are obliged to provide, (ii) what types of information employees may choose whether to disclose based on their own interests, and (iii) what would happen with the information provided.
3. Regardless of whether the cause of sickness was lawfully requested for one of the four purposes outlined above, or voluntarily disclosed by employees, it was not necessary to retain the information on a printed form to forward to the HR department or to store the information in electronic records.  This data processing was illegal, and retaining cause of illness data in HR files constitutes a major breach of data protection law.  Further, the records should not have been forwarded by the individual entities to the central HR department in the absence of detailed written agreements with Müller Ltd. & Co. KG.
4. The company had failed to appoint a Data Protection Officer (“DPO”) for nine of the entities as is required by law based on the number of employees involved in the processing of personal data.

In response, in April 2009, the Müller Group (i) suspended its illegal data processing practices, (ii) appointed a DPO for all entities, (iii) promised to delete the health data from its files, and (iv) made a commitment to comply with data protection law in the future.  These remedial measures did not, however, prevent the DPA from imposing on the two largest Müller entities, Müller Ltd. & Co. and MH Müller Handels GmbH, a fine amounting to €137,500 for illegal retention of health-related data and failure to appoint a DPO.