© megaflopp – Fotolia.com

Consent under data protection law fulfills protective and warning function

OLG Karlsruhe: The requirement of written consent to the disclosure of personal data set out in Section 4a BDSG fulfills a protective and warning function.

A doctor passed on examination results without being asked.
In a ruling dated June 28, 2017, the Higher Regional Court of Karlsruhe (Ref.: 1 Rb Ss 540/16) deemed this to be a breach of data protection law.

It has ruled that the requirement in Section 4a para.
1 sentence 3 BDSG has a protective and warning function.
The person asked for consent should not have to agree hastily, but should be given the opportunity to become aware of their decision and its consequences.

Doctor does not obtain consent for data transfer before drug screening

In mid-2016, the local court sentenced a doctor in private practice to a fine of EUR 1,000 for two cases of intentional violation of the German Federal Data Protection Act (BDSG).
The reason for the conviction was that he carried out a drug screening on the employee as part of a drug screening arranged by an employer and forwarded the results to the employer.

However, the employee had only consented to his employer passing on the examination results.
However, he did not give his written consent under data protection law to the examination and the doctor’s data processing.

A distinction must be made between consent under data protection law and consent under regulatory law

The OLG took a similar view.
By examining and passing on the results without prior written consent, the doctor violated § 43 para.
2 No. 1 BDSG.
This is because he intentionally – or at least negligently – collects or processes unauthorized personal data that is not generally accessible.

The court emphasizes that consent under data protection law must be distinguished from justifying consent under regulatory offences law.
A restrictive interpretation is mandatory.
Therefore, effective consent under data protection law can only be given if the consenting party is able to assess the significance and scope of their waiver of legal interests according to the objective circumstances.

Consent to data transfer does not include consent to data collection

The written data protection consent given by the employee in the context of the G 25 investigation for the disclosure of the personal data did not also include consent to the collection and processing of the data.
However, such written consent under data protection law was required, unless another form of consent was appropriate in exceptional cases, Section 4a para.
1 sentence 3 BDSG.

However, in the opinion of the Higher Regional Court of Karlsruhe, written consent is usually required.
After all, the written form has a protective and warning function.
In the present case, the employee should be given the opportunity to become aware of his decision and not make it prematurely.
This exceptional nature therefore requires a restrictive interpretation of Section 4a para.
1 BDSG.

Compliance with data protection regulations in medical practices

Whether medical practices require a data protection officer within the meaning of the GDPR, regardless of the number of employees, depends on the type and manner of data processing.
In any case, due to the handling of health data in medical practices, it is advisable to carefully examine and comply with data protection regulations.
It can’t hurt to seek advice from an external data protection consultant.

Contact person

Free newsletter

Matching contributions

Search

Request