
How small data protection errors in BEM can become very expensive – what companies need to watch out for now

BEM and data protection: errors made by service providers can be costly

Why more and more companies are outsourcing BEM

Today, workplace integration management (BEM) is a key tool for helping employees return to work after a long period of illness. However, larger companies in particular face the problem of having to implement this process in a legally compliant and sensitive manner – a significant additional expense that is often outsourced to external service providers. In practice, companies benefit from such outsourcing because specialised experts provide structured support throughout the process. Employees also often find it easier to discuss health issues with neutral specialists.

But what happens if mistakes are made in the outsourced BEM process? Who bears responsibility and what risks can be expected? These questions are becoming increasingly important, as a recent ruling shows.

Legal consequences of errors in the BEM process

A recent example illustrates how explosive this issue is: a company had outsourced BEM to an external service provider, and the process was carried out incorrectly. The Baden-Württemberg Regional Labour Court ruled that the subsequent dismissal on grounds of illness was invalid due to procedural deficiencies. The reason: the service provider's errors were legally attributed to the employer. Even those who outsource BEM remain responsible for its correct and data protection-compliant implementation – with all the consequences of non-compliance.

Data protection plays a central role here. The courts now check carefully whether employers and contracted service providers have informed the employees concerned comprehensively and transparently about data processing. Mistakes not only cost time and money, but can also lead to significant damage to reputation.

BEM and data protection: What companies need to bear in mind now

Transparency and information as a duty – what the law requires

BEM in particular involves processing extremely sensitive health data. Employers and service providers must therefore explain to employees precisely what data is being collected, for what purpose and to what extent their information will be handled. This is not only a moral obligation, but is also expressly required by the General Data Protection Regulation (GDPR).

Essentially, companies must make it clear that health data may only be used for the planning and implementation of the BEM. General or incomplete information is not sufficient. If informing employees is not clearly separated from the actual implementation of the BEM – for example, if data is already flowing before consent has been obtained – there is no legal basis for processing. The result: the entire BEM process is legally vulnerable.

Responsibility between employer and service provider – identifying and managing risks

A common misunderstanding is the belief that commissioning a service provider also transfers liability. The opposite is true: legally, the employer remains responsible for the proper implementation of the BEM process. From an employment law perspective, errors made by the service provider are attributed to the company; in the event of data protection violations, the liability risk depends on the specific structure and contractual provisions.

Whether the employer and external service provider act as independent controllers, joint controllers or in a contractual relationship should be clearly defined and documented. Unclear responsibilities can quickly become expensive in the event of a violation, both in terms of possible fines and the outcome of any labour law disputes.

Clear processes and responsibilities are therefore essential. Companies should work with their service providers to document procedures, meet their data protection information obligations and provide employees with transparent and comprehensive information.

Conclusion: Errors in the BEM process can have serious legal and economic consequences – especially if they involve data protection violations. Companies would be well advised to regularly review their processes and contractual relationships in the area of BEM and to train both employees and service providers.

Would you like to make your BEM processes legally compliant and data protection-compliant? If you need support or have any questions, please do not hesitate to contact us. We will be happy to advise you comprehensively and individually!
