On May 25, 2018, the new European General Data Protection Regulation (EU GDPR) came into force. For companies in the member states of the EU, and depending on the circumstances also beyond, this regulation is directly binding. The new law has a significant impact on the handling of personal data in the company.
In addition to the "classic" personal data such as name, address and contact data, the EU GDPR expands the previous definition and places strong emphasis on the area of personal data requiring special protection, which is defined by Art. 9(1) EU GDPR. This includes, above all, health data.
The number of users of fitness services such as fitness trackers and jogging apps is growing daily. As a result, services are increasingly coming onto the market that are relevant as a component of occupational health management in companies. What these services have in common is that they process health data, i.e. personal data requiring special protection.
Significance and implication for the providers of such services
Companies are attaching increasing importance to the health and well-being of their employees. A heart rate variability (HRV) measurement over a 72-hour period is a medically recognized method of assessing a person's current condition and performance. It is used to objectively assess stress resistance, recovery ability and general physical fitness. In general, the measurement captures the adaptability of the organism to external influences and the biological age.
The measurement of heart rate variability (HRV) - what is measured, what is the message?
Heart rate variability is the difference in time between successive heartbeats. Contrary to what one might think, the human heart never beats completely regularly, i.e. there is usually a difference of a few milliseconds between successive heartbeats. Figure 1 illustrates this fact.

Heart rate variability, or HRV for short, is generally used as an indication of the adaptability of the organism.
The autonomic nervous system (VNS) sends its control impulses via two antagonistic branches, the sympathetic and the parasympathetic nervous system. The sympathetic nervous system assumes an activating function ("escape instinct") and the parasympathetic nervous system regenerative functions.
The sequence of heartbeats is constantly adapted to the momentary conditions by the organism through the interaction of the nervous counterparts. Thus, during exhalation, for example, the heartbeat is usually somewhat slower than during inhalation.
HRV thus reflects the ability of the organism to optimally adapt the sequence of heartbeats to momentary conditions. Under high stress, e.g. during sports activity, the heart rate increases and at the same time the HRV decreases until it reaches a plateau at a certain heart rate. At this plateau, the sequence of individual heartbeats is practically constant, and heart rate variability is thus zero. The organism runs in "autopilot mode", so to speak; almost exclusively the sympathetic nervous system is active in order to cope with the high load.

The measurement of heart rate variability can thus be used to assess how phases of active stress alternate with resting or regenerating phases over the course of the day and night.
With the professional evaluation of the HRV measurement by a physician, including coaching discussions, companies can make an active contribution to increasing the well-being and health of their employees.
For the actual implementation, we recommend that the HRV measurement is carried out completely voluntarily, independently and anonymously, i.e. only the employee, the participating laboratories (for the purpose of evaluation) and the physician (for the final coaching discussion) have access to the data. The data processing follows the strict rules for data processing by medical institutions and is subject to medical confidentiality.
Providers of these services may also be subject to the obligations and requirements of the EU GDPR.
Specifically, this means that providers of the services must comply with the following requirements:
- Processes that handle personal data must be data protection compliant. They must be inventoried and described transparently.
- The obligation to implement new deletion concepts and increase transparency about data flows and storage locations requires adjustments in the area of IT-based implementation. This obligation is particularly relevant for sensitive health data.
- Contracts and, in particular, general terms and conditions often have to be adapted and extended to include data protection statements and supplementary information.
- External partners must be inventoried and classified according to the type and scope of the data processing they perform.
Significance and implication for companies that want to use such services
For companies that offer corresponding fitness and health services as benefits to their employees as part of their company health management, there are also implications against the background of the EU GDPR.
When using HRV measurement, for example, an external service provider is involved who processes the sensitive personal data.
Companies must ensure that the service provider involved meets the applicable data protection requirements. The EU GDPR provides for commissioned data processing as the legal basis for this, and the service provider has an obligation to provide information to the customer company. Within the scope of this duty, the service provider must, among other things, state which types of data are processed, which IT systems are used for the processing and how they are protected. Information must also be provided about any other third-party companies involved.
Companies are also required to inform their employees that the service, in this example HRV measurement, is provided by an external service provider. They must give their employees an overview of what sensitive personal data the service provider receives and processes and how it is stored.
What's next: Data protection in occupational health management
In times when employers are vying for the best workers, professional occupational health management is one way to stand out from other companies in the industry. There are also plain pragmatic reasons: healthy workers are motivated, efficient, work with concentration and feel better overall. Their increased well-being benefits their performance and, not least, their employer.
Health thus plays an important role, especially at work, and should not be strictly separated from health in private life. We expect more and more employers to recognize these connections and invest in their greatest asset, their employees, by establishing a professional company health management system.
We also believe that the trend toward the use of fitness devices, especially in private life, will continue to grow. Their use at work, e.g. in the context of occupational health management, holds great potential.
In all the trends and measures described, the applicable data protection requirements must be taken into account; this should become a matter of course.
Thanks to Christian Zimmer for writing this article.