The core German legal basis for processing employee personal data was recently annulled by the European Court of Justice (CJEU). The practical implications should be limited, though, because in most cases there will be an alternative legal basis for data processing. However, the recent publication of a German government position paper laying out its intentions to further shape employee privacy governance may have a more significant impact.
Further regulatory action required following recent CJEU ruling
Article 88 General Data Protection Regulation (GDPR) enables member states to enact specific rules governing the processing of employees' personal data in the employment context. Germany has made use of Article 88 GDPR by enacting the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG), which, among other things, sets out specific purposes for processing employee data and the rules on obtaining consent. Following the recent CJEU ruling, the German legislator will have to revise the BDSG, adding another regulatory action item to those identified in the German government’s position paper.
On March 30, 2023, the CJEU ruled that a section of the Hessian Data Protection Act, which is identical to the one in the BDSG, does not constitute a ‘more specific rule’ within the meaning of Article 88 GDPR, as it merely repeats the conditions of the legal basis for processing for the performance of contracts set out in Art. 6(1)(b) GDPR (CJEU C-34/21).
Practical implications of the CJEU’s ruling
The practical implications for processing operations based on the BDSG are limited. Following the CJEU’s ruling, companies may still rely on alternative legal bases of processing set out in Article 6(1) GDPR. However, companies will have to adapt their documentation (eg processing records and data protection impact assessments).
Recent proposals in a position paper by the German government
Both the current and previous German government coalitions had announced in their respective coalition agreements that they would develop distinct national rules on employee data protection. The German government aims to achieve legal clarity for employers as well as employees and effectively protect privacy in the workplace.
Most recently, the Federal Ministry of the Interior and Community and the Federal Ministry of Labour and Social Affairs have set out key points for the development of a German employee data protection law in a joint position paper. The paper confirms current trends in data protection law that employers should closely monitor.
Key takeaways from the German government’s position paper
- Broad scope of application. Those who need it should be subject to sufficient protection. For example, platform workers (eg crowd workers), for whom the EU is currently discussing the introduction of a draft directive on platform work, are explicitly mentioned as beneficiaries in the position paper.
- Limitations to employee monitoring. Generally, the position paper’s emphasis on limiting permanent monitoring of employees to exceptional cases under narrowly defined conditions is not new. As examples of legitimate workplace monitoring, the position paper mentions the safety of employees as well as occupational health and safety. Covert monitoring of employees is to be considered lawful only if the employer does not have any other possible means at its disposal to investigate a criminal offence that has been committed. In addition, the law shall set out clear conditions for the lawfulness of overt employee monitoring. Nonetheless, the position paper also stresses that future legislation on employee data protection should explicitly recognise that employers need to use technical solutions in the workplace, in particular to meet the demands of a modern working world.
- Governed AI and algorithm use. The aim is to establish rules governing the use of AI or algorithms (within the meaning of the EU’s (draft) Artificial Intelligence Act) in the application process. The specification of permissible questions that can be asked in the application process, as laid out in the position paper, would be a new aspect. It remains unclear whether this would bring changes to the Federal Labour Court’s long-standing case law on this point, but it is unlikely.
- Limited health examinations for applicants. Medical ('pre-employment') examinations are to be considered lawful only if they are necessary for the performance of a particular task or are required by law (eg for pilots). It remains to be seen whether this would also apply to board members, for whom regular medical examinations are not uncommon.
- Balancing of interests. The position paper’s proposal to define the criteria underlying the balance of interests test for determining the necessity of processing of personal data could prove useful in practice. The position paper refers, by way of example, to the (legitimate) purpose, the duration and quantity, the nature and scope as well as the number of persons involved in the processing of personal data.
- Guidance on intra-group data transfers. The position paper’s aim to introduce rules regarding intra-group data transfers (eg for the purposes of working in matrix structures or agile teams) is to be welcomed.
It remains to be seen whether the proposals made in the position paper will translate into a more concrete draft law and how the German legislator will react to the CJEU’s ruling. A draft bill for the law is expected to follow in the near future.