BEM and data protection: errors made by service providers can be costly
Why more and more companies are outsourcing BEM
Today, workplace integration management (BEM) is a key tool for helping employees return to work after a long period of illness. However, larger companies in particular face the problem of having to implement this process in a legally compliant and sensitive manner – a significant additional expense that is often outsourced to external service providers. In practice, companies benefit from such outsourcing because specialised experts provide structured support throughout the process. Employees also often find it easier to discuss health issues with neutral specialists.
But what happens if mistakes are made in the outsourced BEM process? Who bears responsibility and what risks can be expected? These questions are becoming increasingly important, as a recent ruling shows.
Legal consequences of errors in the BEM process
A recent example illustrates the explosive nature of this issue: in the case of a company that outsourced BEM to an external service provider, this process was carried out incorrectly. The Baden-Württemberg Regional Labour Court ruled that the subsequent dismissal on grounds of illness was invalid due to procedural deficiencies. The reason: the service provider's errors were legally attributed to the employer. Even those who outsource BEM remain responsible for its correct and data protection-compliant implementation – with all the consequences of non-compliance.
Data protection plays a central role here. The courts now check carefully whether employers and contracted service providers have informed the employees concerned comprehensively and transparently about data processing. Mistakes not only cost time and money, but can also lead to significant damage to reputation.
BEM and data protection: What companies need to bear in mind now
Transparency and information as a duty – what the law requires
Extremely sensitive health data is processed in BEM in particular. Employers and service providers must therefore explain to employees precisely what data is being collected, for what purpose and how comprehensively their information will be handled. This is not only a moral obligation, but is also expressly required by the General Data Protection Regulation (GDPR).
Essentially, companies must make it clear that health data may only be used for the planning and implementation of the BEM. General or incomplete information is not sufficient. If there is no clear separation between information and the actual implementation of the BEM – for example, if data is already flowing before consent has been obtained – there is no legal basis for processing. The result: the entire BEM process is legally vulnerable.
Responsibility between employer and service provider – identifying and managing risks
A common misunderstanding is the belief that commissioning a service provider also transfers liability. The opposite is true: legally, the employer remains responsible for the proper implementation of the BEM process. From an employment law perspective, errors made by the service provider are attributed to the company; in the event of data protection violations, the liability risk depends on the specific structure and contractual provisions.
Whether the employer and external service provider act as independent controllers, joint controllers or in a contractual relationship should be clearly defined and documented. Unclear responsibilities can quickly become expensive in the event of a violation, both in terms of possible fines and the outcome of any labour law disputes.
Clear processes and responsibilities are therefore essential. Companies should work with their service providers to document procedures, comply with data protection-compliant information obligations and provide employees with transparent and comprehensive information.
Conclusion: Errors in the BEM process can have serious legal and economic consequences – especially if they involve data protection violations. Companies would be well advised to regularly review their processes and contractual relationships in the area of BEM and to train both employees and service providers.
Would you like to make your BEM processes legally compliant and data protection-compliant? If you need support or have any questions, please do not hesitate to contact us. We will be happy to advise you comprehensively and individually!