In the context of the European standardization of the data security the new GDPR came into force to 25.05.2018.

In this context, the Federal Data Protection Act (Bundesdatenschutzgesetz), which applies to Germany, has also been substantially reformed. This means some innovations for data protection under labour law. Using selected examples, we will show you where new data protection regulations come into effect and where the previous legal situation on employee data protection continues to apply.

The aim of introducing GDPR was to harmonise data protection within the European Union. However, this goal was only partially achieved in the area of labour law, since the GDPR contains numerous opening clauses in this area, according to which the individual member states can make their own regulations for the protection of employee data. This circumstance necessitated a comprehensive reform of the BDSG for Germany. The BDSG thus continues to play a decisive role in the area of employee data protection. For the labor-legal consultation this means that for the employee data protection in the future both the regulations of the GDPR and those of the BDSG, which are connected with each other over numerous cross-references, are to be considered for the regulations of the GDPR as well as those of the BDSG.

Is there something special to note in Germany?

Yeah, there’s something to keep in mind. Since there are no special regulations in the GDPR to the employee data protection, first Art. 88 GDPR of crucial importance is GDPR. This opening clause enables the German legislator to make independent regulations in the area of employee data protection. This applies, for example, to data processing for the purpose of recruitment, fulfilment of contractual obligations, planning and organisation of work, health and safety at work or for the purpose of terminating the employment contract.

The opening clause was made use of by the new § 26 BDSG. In the new version, the German legislator has mainly oriented itself on the former § 32 BDSG. However, a number of additional regulations have now been adopted, most of which have only a clarifying function.

What about employee privacy?

Employee data protection always becomes relevant when it comes to the processing of personal data. However, this does not only apply to electronic processing. Practically all information about the individual employee is recorded, even if it is only handwritten, for example. This means that employee data protection also covers handwritten notes, application folders, questions in job interviews, etc.

This also applies – even according to the new legal situation! – in the area of employee data protection, that the collection and processing of personal data is regulated as a prohibition subject to permission. This means that personal data may only be collected or processed if this is permitted by a legal provision or if the data subject has consented. In addition to the special § 26 BDSG, the more general standards of Art. 6 (1) GDPR and Art. 9 (2) GDPR can also be considered as grounds for permission.

§ Section 26 BDSG, the new central standard in employee data protection, permits the collection, storage and processing of personal data, for example, insofar as this is necessary for the purposes of establishing, implementing or terminating the employment relationship or for exercising/fulfilling rights and obligations vis-à-vis the representation of employees’ interests. The concept of “necessary” requires a balance to be struck between the different legal positions of employers and employees. This has been handled in the same way by the courts so far, so that the new § 26 BDSG does not result in any changes here. However, the new § 26 BDSG does not conclusively clarify whether, for example, preventive measures taken by the employer to prevent criminal offences at the workplace also have a legal basis in § 26 BDSG. This is currently seen mainly in this way, but is not uncontroversial.

Is there anything to be considered in the works agreements as well?

In addition to the permission standards for data collection and processing specified in the law, works agreements can now also be considered according to the new legal situation (§ 26 Paragraph 4 BDSG). However, the relevant works agreements shall provide for appropriate and specific measures to safeguard the human dignity of the legitimate interests and fundamental rights of the persons concerned. This requires in particular that the works agreements fulfil the requirements for the necessity of data collection/processing and also stand up to the balance of interests required by case law. Older works agreements must be reviewed in this respect, as there is no protection of existing agreements in this respect.

What must the employer take into account when collecting the data?

In order to lift the prohibition of data collection, there is also the possibility of the consent of the employee concerned. However, this requires compliance with special requirements. For example, the conclusion of an employment contract cannot be made dependent on consent to data processing unless data processing is absolutely necessary for the employment relationship.

The employee’s consent must be in writing, § 26 paragraph 2 sentence 3 BDSG. However, the employee may revoke this consent at any time at a later date. The employer must expressly point this out.

In the future, it might be advisable not to combine an employment contract and consent to data collection/processing in one document, but to have the employee sign it separately.

Does the employer have to delete data again?

The new employee data protection also regulates the employer’s deletion obligations. Here the principle applies that data must be deleted when they are no longer required. This means that data must not only be deleted at the employee’s request, but that the employer must check this independently and continuously. For example, application portfolios/documents must be destroyed or deleted by the employer if the assertion of claims under the General Equal Treatment Act is not to be expected. The statutory periods of limitation plus any security surcharge in respect of time shall be applied in each case.

So what’s really new?

Overall, it should be noted that the new data protection for employees is to a considerable extent linked to the previous legal situation, which should at least lead to a certain degree of legal certainty. On the other hand, new regulations must also be observed, which in particular lead to information and deletion obligations playing a far greater role in practice. Employers should not take these rules lightly, as there is a risk of significant fines for non-compliance. In this respect, legal advice and protection by a lawyer specialising in data protection is indispensable.

If you have any questions on the subject of employee data protection or data security in general, our team headed by Stephan Hendel and Michael Gabler will be happy to assist you.


We explain to you what the EU-U.S. Privacy Shield is all about.

You are a European company and now want to gain a foothold in the USA?

Should personal data of your customers be transferred from the EU to the USA? Then, at the latest now, you should consider whether the EU-U.S. Privacy Shield might be the right legal basis for the transfer of data to the US for your company.

The EU-U.S. Privacy Shield is a data protection agreement between the European Commission and the U.S. Department of Commerce that governs the transfer of personal data from the EU to the United States. Since 12.07.2016, this has been regarded as the successor model to the Safe Harbor Agreement, which has been declared ineffective, and above all aims to achieve better protection of the privacy of European consumers and to increase transparency with regard to the collection, use and sharing of data. The advantage for American companies is that they can immediately prove that European data protection standards are adhered to in the company by means of a public certification under the Privacy Shield.

At the same time, the new Privacy Shield regulations also lead to an extensive need for action on the part of participating American companies, as various data protection regulations must be adhered to.

What do I need to know about Privacy Shield?

First of all, it is necessary to certify yourself for the Privacy Shield at and to ensure that you accept and comply with the Privacy Shield Principles. Once this has been done, it is now necessary to pay particular attention to the extensive information obligations that Principle I of the Privacy Shield provisions prescribes. This information shall be made unmistakable and clearly recognisable to the customer. This includes the types of data collected and the purpose for which the data was collected. In addition, whether a disclosure to third parties takes place and if so, for what purpose. In this context, the possible liability of your company must also be clarified if data is passed on to third parties not named or if the third party itself uses the data incorrectly. The consumer shall also be informed of his right of access to the data, of his right to choose the purpose for which the data may be used and of his right to correct or update the data collected. In addition, your company must have an independent dispute settlement mechanism in place and communicate it to the consumer.

In addition to these, there are other information obligations and internal company requirements that you as an American company must fulfill. Violation of these principles can lead to complaints from consumers as well as to official or court orders and, as a result, to substantial fines.

What does a company have to inform to participate in the EU-U.S. Privacy Shield?

In order to participate in the EU-U.S. Privacy Shield, the following information must be kept clearly visible:

  1. their participation in the privacy shield with a link to the privacy shield list or the web address of this list,
  2. the types of personal data collected and, where appropriate, the organisation’s entities or subsidiaries which also comply with the Principles,
  3. its obligation to apply the principles to all personal data received from the EU on the basis of the data protection notice,
  4. the purpose for which it collects and uses personal data about you,
  5. how to contact the organisation in the event of queries or complaints, including information on a relevant EU body that can respond to such queries or complaints,
  6. the category and identity of third parties to whom the data will be disclosed and the purpose of the disclosure,
  7. the right of individuals to have access to their personal data,
  8. the ways and means it makes available to private individuals to restrict the use and disclosure of their personal data,
  9. the independent Dispute Settlement Body designated to handle complaints and provide free redress to the individual, and whether it is 1) the body set up by data protection authorities, 2) an EU-based alternative dispute resolution provider, or 3) an US-based alternative dispute resolution provider,
  10. the investigative and enforcement powers of the FTC, Department of Transportation or any other authorized U.S. agency applicable to the organization,
  11. the possibility of initiating binding arbitration under certain conditions,
  12. the provision to disclose personal data upon legitimate request by public authorities in order to comply with national security or law enforcement requirements, and
  13. the liability of the organisation in the event of disclosure to third parties.

It is therefore particularly important to seek advice from an expert on this complex subject from the outset and not to take any risks.

We have already certified and advised well-known companies such as TeamSpeak Systems Inc. for the EU-U.S. Privacy Shield and therefore know exactly what is important.

Our attorney Stephan Hendel and the entire Gabler and Hendel law firm will be pleased to answer any questions you may have. We are also happy to take on the self-certification and the preparation of a legally compliant Privacy Shield declaration for you.