As part of the European standardisation of data security, the new GDPR came into force on 25.05.2018.
In this context, the Federal Data Protection Act (Bundesdatenschutzgesetz), which applies to Germany, has also been substantially reformed. This means some innovations for data protection under labour law. Using selected examples, we will show you where new data protection regulations come into effect and where the previous legal situation on employee data protection continues to apply.
The aim of introducing the GDPR was to harmonise data protection within the European Union. However, this goal was only partially achieved in the area of labour law, since the GDPR contains numerous opening clauses in this area, according to which the individual member states can make their own regulations for the protection of employee data. This circumstance necessitated a comprehensive reform of the BDSG for Germany. The BDSG thus continues to play a decisive role in the area of employee data protection. For labour law advice, this means that in future both the regulations of the GDPR and those of the BDSG, which are connected with each other by numerous cross-references, must be considered for employee data protection.
Is there something special to note in Germany?
Yes, there is something to keep in mind. Since the GDPR contains no special regulations on employee data protection, Art. 88 GDPR is of crucial importance in the first instance. This opening clause enables the German legislator to make independent regulations in the area of employee data protection. This applies, for example, to data processing for the purpose of recruitment, fulfilment of contractual obligations, planning and organisation of work, health and safety at work or for the purpose of terminating the employment contract.
The new § 26 BDSG makes use of this opening clause. In the new version, the German legislator has mainly based itself on the former § 32 BDSG. However, a number of additional regulations have now been adopted, most of which have only a clarifying function.
What about employee privacy?
Employee data protection always becomes relevant when it comes to the processing of personal data. However, this does not only apply to electronic processing. Practically all information about the individual employee is covered, even if it is only handwritten, for example. This means that employee data protection also covers handwritten notes, application folders, questions in job interviews, etc.
In the area of employee data protection, too, it remains the case – even under the new legal situation! – that the collection and processing of personal data is regulated as a prohibition subject to permission. This means that personal data may only be collected or processed if this is permitted by a legal provision or if the data subject has consented. In addition to the special § 26 BDSG, the more general standards of Art. 6 (1) GDPR and Art. 9 (2) GDPR can also be considered as grounds for permission.
§ 26 BDSG, the new central standard in employee data protection, permits the collection, storage and processing of personal data, for example, insofar as this is necessary for the purposes of establishing, implementing or terminating the employment relationship or for exercising/fulfilling rights and obligations vis-à-vis the representation of employees’ interests. The concept of “necessary” requires a balance to be struck between the different legal positions of employers and employees. This has been handled in the same way by the courts so far, so that the new § 26 BDSG does not result in any changes here. However, the new § 26 BDSG does not conclusively clarify whether, for example, preventive measures taken by the employer to prevent criminal offences at the workplace also have a legal basis in § 26 BDSG. This is currently the prevailing view, but it is not uncontroversial.
Is there anything to be considered in the works agreements as well?
In addition to the permission standards for data collection and processing specified in the law, works agreements can now also be considered according to the new legal situation (§ 26 Paragraph 4 BDSG). However, the relevant works agreements must provide for appropriate and specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the persons concerned. This requires in particular that the works agreements fulfil the requirements for the necessity of data collection/processing and also stand up to the balance of interests required by case law. Older works agreements must be reviewed against these requirements, as there is no protection of existing agreements.
What must the employer take into account when collecting the data?
The prohibition on data collection can also be lifted by the consent of the employee concerned. However, this requires compliance with special requirements. For example, the conclusion of an employment contract cannot be made dependent on consent to data processing unless data processing is absolutely necessary for the employment relationship.
The employee’s consent must be in writing (§ 26 paragraph 2 sentence 3 BDSG). However, the employee may revoke this consent at any later time. The employer must expressly point this out.
In the future, it might be advisable not to combine an employment contract and consent to data collection/processing in one document, but to have the employee sign the consent separately.
Does the employer have to delete data again?
The new employee data protection also regulates the employer’s deletion obligations. Here the principle applies that data must be deleted when they are no longer required. This means that data must not only be deleted at the employee’s request, but that the employer must check this independently and continuously. For example, application portfolios/documents must be destroyed or deleted by the employer if the assertion of claims under the General Equal Treatment Act is not to be expected. The statutory limitation periods, plus any safety margin in respect of time, are to be applied in each case.
So what’s really new?
Overall, it should be noted that the new data protection for employees is to a considerable extent linked to the previous legal situation, which should at least lead to a certain degree of legal certainty. On the other hand, new regulations must also be observed, which in particular lead to information and deletion obligations playing a far greater role in practice. Employers should not take these rules lightly, as there is a risk of significant fines for non-compliance. In this respect, legal advice and protection by a lawyer specialising in data protection is indispensable.
If you have any questions on the subject of employee data protection or data security in general, our team headed by Stephan Hendel and Michael Gabler will be happy to assist you.