The case

The employer had initially concluded a temporary works agreement with the works council formed at the company and later a works agreement on the use of the software ‘Workday’ with the works council. This works agreement provided, inter alia, that specifically identified employee data may be transferred to a server of the parent company in the US. An employee brought an action before the Labour Court for access to certain information, for the deletion of data concerning him and for damages. He argued, among other things, that his employer had transferred personal data concerning him to the parent company’s server, some of which were not specified in the toleration works agreement. Since he did not fully prevail before the Labour Court, the employee appealed to the Federal Labour Court (BAG). The BAG referred three questions to the ECJ for a preliminary ruling.

General requirements of the GDPR to which the parties are bound

The ECJ answered the first question submitted for a preliminary ruling by stating that Art. 88 (1) and (2) of the GDPR is to be interpreted as requiring a national law adopted under Art. 88 (1) of the GDPR must not only meet the requirements arising from Art. 88 (2) of the GDPR, but also those arising from Art. 5, Art. 6 (1) and Art. 9 (1) and (2) of the GDPR. The court thus makes it clear that the parties to a works agreement must also observe the requirement of necessity (as part of the lawfulness of processing under Art. 6 (1) and Art. 9 (1) and (2) of the GDPR) in the context of a works agreement, but also the principles of data processing (Art. 5 of the GDPR). Accordingly, processing operations regulated in works agreements would also have to fulfil the requirements of the GDPR for the lawfulness of processing. This would not only be consistent with the context of Art. 88 GDPR and the wording of the provision, but also with the objective of the GDPR, which is to ensure a high level of protection for employees with regard to the processing of their personal data.

Comprehensive judicial review of works agreements

If the parties to the works agreement enact ‘more specific rules’ in a works agreement with regard to the processing of employees’ personal data in the employment context, these rules are subject to comprehensive review by the national (labour) courts, according to the ECJ in response to the second question submitted for a preliminary ruling. The courts would have to examine whether the provisions in the works agreement violate the content and objectives of the GDPR. If this is the case, these provisions would be inapplicable. The works council’s and the employer’s regulatory authority under Art. 88 (1) of the GDPR does not include any discretion to apply the requirements of necessity less strictly or to dispense with them. For reasons of efficiency or simplicity, the parties to the works agreement may not compromise in a way that unduly compromises the GDPR’s goal of ensuring a high level of protection for employees.

A response to the third question, which concerned the extent to which judicial review may be restricted, was no longer necessary due to the response to the second question.

Practical note

The ECJ’s decision comes as little surprise and finally puts to rest the position held in Germany at least until the GDPR came into force, that a works agreement could legitimise data processing that is unlawful under the legal provisions because it is not ‘necessary’. Now it is clear that the parties to a works agreement by no means act outside the law and must observe the requirements of the GDPR for the lawfulness of data processing. In legal terms, the decision has little impact, since in practice the employer and works council were hardly in a position to meet the strict requirements of Article 88 (2) GDPR in a works agreement anyway. Nevertheless, many companies still base individual processing operations of employee data on the ‘legal basis of a works agreement’. These companies should check whether other legal bases can be used, in particular to avoid the threat of fines and claims for damages from employees. Furthermore, these companies are advised to adapt their data protection documentation accordingly. Finally, the ECJ ruling must be taken into account by all companies when negotiating works agreements on technical devices (Section 87 (1) no. 6 of the German Works Constitution Act (BetrVG)).

After several failed attempts in recent decades to summarize and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is once again attempting to do so.

Current legal situation in Germany

Currently, employee data protection in Germany is largely determined by case law. In Article 88(1) of the EU General Data Protection Regulation (GDPR), national legislators can adopt provisions that specify data protection requirements in the employment context. However, Germany has only made very cautious use of this “opening clause” under Article 88 GDPR, with Section 26 of the Federal Data Protection Act (BDSG) containing specific requirements relating to the protection of employee data. However, many of the requirements and specifications regulated within Section 26 BDSG  have been criticized as being too narrow and not going  beyond those of the GDPR.

Even more problematic, however, is the fact that numerous provisions of Section 26 BDSG do not meet the conditions set out in Art. 88 (2) GDPR for national regulations on employee data protection. After the European Court of Justice (ECJ) specified the terms set out in Art. 88 (2) GDPR last year (Judgment of March 30, 2023 – C-34/21), the Federal Labour Court found that Section 26 (1) sentence 1 BDSG did not meet these terms and declared the provision invalid and inapplicable (Decision of May 09, 2023 – 1 ABR 14/22). Other individual provisions in Section 26 BDSG could share this fate in the future.

A new approach and actual regulatory objectives

The responsible ministries seem to have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. However, the draft announced for the fourth quarter of 2023 has not yet been published. So far, the only indication of possible regulations is a position paper published in April 2023 by the Federal Ministry of Labor and Social Affairs (BMAS) and the Federal Ministry of the Interior and Home Affairs (BMI) entitled ‘Proposals for modern employee data protection’.

In this paper, the ministries outline the objectives pursued with the bill. For example, the personal scope of application is to be kept as broad as possible in order to also cover solo self-employed platform workers. On the other hand, monitoring measures by the employer, are to be limited in order to avoid constant monitoring pressure. In addition, the conditions under which concealed or open surveillance measures should be permitted are to be regulated. Questions relating to the use of artificial intelligence are also to be addressed in the bill, with particular emphasis on synergy with the EU regulations issued and planned in this regard. Applicants should be better protected with regard to data processing in the recruitment process; as this has been identified by the legislator as an area in particular need of protection.

Another aim of the bill is to make the balancing of interests to be carried out with regard to the permissibility of data processing operations more manageable in practice. This will be achieved by shaping the requirements for the voluntary nature of consent given. The announced regulations on data transfers within the group are also particularly relevant in practice.

Open questions and additional workload for companies

In order to further protect employees, data subject rights found in the GDPR are to be extended,  with additional rights for employees. Considering the challenges faced by many companies with regard to requests for information in accordance with Art. 15 GDPR in particular, the announced provisions are likely to result in additional bureaucracy for employers. From an academic perspective, the question also remains as to how the requirements of Art. 88 (2) GDPR can be met in a legally secure manner. In any case, the repeated passing of data protection provisions which violate EU law, would lead to even more uncertainty.

We will continue to monitor the legislative process for the Employee Data Protection Act, for further information, please contact your usual DLA Piper lawyer.