On March 30, 2023, the European Court of Justice (ECJ) dealt with questions regarding the compatibility of regulations on German employee data protection with the European General Data Protection Regulation (GDPR) in a preliminary ruling. According to this ruling, the previous regulation of Sec. 26 of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which allowed employers to process personal data in the context of employment, is likely not compliant with European law. The preliminary ruling did not relate directly to Sec. 26 of the BDSG; it related to a provision from the Hessian Data Protection and Information Security Act (Hessisches Datenschutz- und Informationsfreiheitsgesetz – HDSIG) whose wording is identical to that in the BDSG in the key points.
What prompted the decision?
During the coronavirus pandemic, the Ministry of Education of the State of Hesse issued two decrees regarding the implementation of online lessons via live stream videoconferencing. In the context of the implementation of the online lessons, the Ministry relied on Sec. 23 HDSIG and believed that the processing of teachers’ personal data in connection with the online lessons was legitimized by Sec. 23 (1) sent. 1 HDSIG. In their view, the data processing was necessary in the context of the employment relationship.
However, the Wiesbaden Administrative Court, which dealt with this data protection issue, doubted whether Sec. 23 HDSIG met the special European law requirements of Art. 88 (2) GDPR and decided to refer this preliminary question, which is decisive for the administrative court proceedings, to the ECJ for a preliminary ruling.
Ever since the GDPR entered into force, all national regulations on data protection have been overruled by the European regulation. National regulations may only be applied in cases where the GDPR does not conclusively regulate a matter or in cases where an opening clause allows national regulations. Art. 88 GDPR does contain such an opening clause for the employment context. According to this clause, member states may provide for more specific rules to ensure the protection of the rights and freedoms of natural persons with regard to the processing of personal data in the employment context by means of legislation or collective agreements. The German legislator has made use of this with Sec. 26 of the BDSG as well as a number of provisions under state law.
How did the ECJ rule?
The ECJ clarified in its decision that national provisions referring to the opening clause of Art. 88 GDPR must include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of data subjects, as also regulated in para. 2 of the same Article in the Regulation. Sec. 23 HDSIG permits the processing of personal data of employees to the extent necessary for the establishment, performance and termination of the employment relationship. In this respect, Sec. 26 BDSG is identical. However, in the opinion of the judges, this necessity test already results from the general facts stated in Art. 6 (1) b) GDPR. Against this background, the provision of the HDSIG does not constitute a “more specific” provision within the meaning of Art. 88 of the GDPR. It is therefore contrary to European law.
In addition, the ECJ found that the reference in Sec. 23 (5) of the HDSIG that the controller must comply in particular with the principles set out in Art. 5 GDPR does not meet the requirements of the GDPR. Art. 88 (2) GDPR requires the establishment of appropriate and specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subject, which cannot be reconciled with a mere reference by the national legislator to the principles of Art. 5 GDPR.
What are the implications of the decision for national employee data protection?
Although the decision of the ECJ only relates to standards of the Hessian employee data protection law, the decision could also indirectly affect Sec. 26 BDSG, and thus the legal basis for data processing almost always used in the employment context in Germany. This is because Sec. 26 BDSG contains almost identical wording to Sec. 23 HDSIG. Caution is therefore advised when applying Sec. 26 BDSG.
Nevertheless, the effects for employers are likely to be limited for the time being, because the processing of employees’ personal data can usually also be directly legitimized by Art. 6(1)(b) GDPR. Thus, it cannot be assumed that all data processing in the employment context is or will become unlawful in the foreseeable future. However, to be on the safe side, employers may want to check whether other legal bases for specific data processing are available in addition to Sec. 26 BDSG. In addition, employers may want to ensure that the information provided is (still) accurate according to Art. 13, 14 GDPR.