A few days ago, the Federal Ministry of Labor and Social Affairs and the Federal Ministry of the Interior and Home Affairs drew up the “Draft of a law to strengthen the fair handling of employee data and for more legal certainty for employers and employees in the digital world of work”. Coordination with the other ministries on a draft Employee Data Act (BeschDG-E) is now to begin. There is therefore a chance that an Employment Data Act could come into force before the end of this legislative period.
The aim of the planned law is to provide more legal certainty for employers. They inevitably collect and process large amounts of (sometimes sensitive) data on the people they employ. The new regulation is intended to create legal certainty for typical processing situations. At the same time, the legislator also wants to allow the use of AI applications within certain limits.
In a general part, the criticized Section 26 of the Federal Data Protection Act (BDSG), which was conceived as an authorization basis for any data processing in the employment context, is to be replaced by a detailed regulation on the basics of data processing and its necessity in Section 3 BeschDG-E et seq. The highly controversial issue of consent to data processing in the employment context is also addressed in Section 5 BeschDG-E, stating when and for what purposes consent can be given in the employment context. Another key new regulation for employers is the creation of a co-determination requirement for the appointment and dismissal of (internal and external) data protection officers in accordance with Section 12 BeschDG-E. In the future, the works council is to have a say in this – if no agreement is reached, a conciliation body is to decide.
In the following we would like to highlight some of the regulations planned in the special part of the draft bill:
Right to question during recruitment and obligation to delete applicant data
The right to question during the application process is to be set out in a more specific regulation in Section 14 BeschDG-E. Where necessary to determine suitability, it is intended that employee data from various areas may be collected and processed. What is new here is that no information about a severe disability may be requested before an employment relationship is established, nor be derived from profiling.
The deletion obligations for applicant data are also to be clearly regulated. According to Section 17 BeschDG-E, this data must be deleted no later than three months after the end of the application process, provided that no legal dispute is pending or likely. A provision is also to be introduced according to which the data of applicants who withdraw their candidacy must be deleted immediately.
Monitoring
The draft bill distinguishes between short-term monitoring measures (Section 18 BeschDG-E) and “not only short-term monitoring measures” in accordance with Section 19 BeschDG-E. Short-term surveillance measures are to be permitted if it is necessary to protect the health and safety of employees or to prevent and detect criminal offenses. Parameters are defined as to how the specific surveillance measure can be designed in terms of type and scope as well as the expected consequences. Occasion-related measures to uncover criminal offenses must be weighed against the strength of the suspicion, the severity of the identified or suspected violation of legal interests and the extent of the damage incurred.
In the case of “monitoring measures that are not merely short-term” (Section 19 BeschDG-E), the law is to stipulate that these should be permissible for a specific purpose to protect the life and limb of employees or third parties. The protection of particularly important official or operational interests should also be able to justify a longer-term measure. Processing the collected data for performance monitoring purposes is explicitly excluded.
GPS Tracking
Section 22 BeschDG-E will now also set out the requirements for tracking. Among other things, this should be permitted by law for the purpose of coordinating the changing deployment of employees at different locations. It is also envisaged that the tracking function can be switched off, for example if the tracking device is installed in a company car that is also available to employees for private use.
Profiling / AI
The processing of employee data based on profiling is now to be dealt with in Section 24 et seq. BeschDG-E. It should be regulated that the purpose of the use of profiling should relate in particular to the use of company systems for further training and development opportunities. A balancing of interests must be carried out, in which a catalog of legally prescribed aspects must be taken into account. The analysis or prediction of employees’ emotions and the analysis of social relationships between employees from communication processes should be excluded.
If profiling is used, the employer should have to comply with special information obligations under Section 25 BeschDG-E. In particular, they must provide information about the categories of input data and whether AI systems are used. The employer must also make transparent the logic behind the profiling, central evaluation criteria and their weighting, as well as the decision-making processes that may be influenced by profiling.
Authorization / authentication
Section 28 BeschDG-E is to regulate the processing of biometric employee data. This should only be permitted for authorization and authentication in particularly security-relevant areas.
Data processing within the group
Disclosure/forwarding of employee data in group structures is also to be newly regulated (Section 30 BeschDG-E). For this purpose, a framework is to be created in which this disclosure/forwarding is to be permitted after weighing up interests, in particular for the cross-company deployment of employees, for administrative tasks performed centrally by a group company (such as a joint HR department) or administrative processes to be designed uniformly throughout the group.
Conclusion
The draft bill that has now been published was hardly expected at this stage. Even though the legislative process is still at a very early stage, we believe that implementation should be as swift as possible. In our view, the planned law is suitable for ensuring greater clarity and legal certainty for all employers in Germany. The current, rudimentary regulations on employee data protection are, in view of the user risk borne solely by the employers, only suitable to a limited extent and create unnecessary and avoidable risks. The planned law can ensure greater user certainty, which is urgently needed, particularly when using AI systems, but also in the extremely important area of monitoring.
Photo: shutterstock / Prae_Studio