In mid-October, a new draft of an Employee Data Protection Act (Referentenentwurf Beschäftigtendatenschutzgesetz, RefE BeschDG) dated October 8, 2024 was published. The question of whether and how employee data protection in Germany should be regulated in addition to the BDSG (Federal German Data Protection Act), the EU Data Protection Directive and later the GDPR has occupied German legislators since the mid-1980s. However, none of the previous draft laws was ever enacted. Today we analyze the planned changes with regard to the GDPR.
1 - Introduction
I) Legal Background
Article 88 of the GDPR stipulates that the member states can issue more specific regulations for the processing of personal employee data. To date, Germany has only made very general provisions on employee data protection in Section 26 of the Federal Data Protection Act (BDSG). In its ruling of March 30, 2023 (Case C-34/21), the European Court of Justice (ECJ) expressed considerable doubts as to whether the provision of Section 23 (1) of the Hessian Data Protection and Freedom of Information Act, which is identical to Section 26 (1) BDSG, is compatible with the GDPR. The government draft of the RefE BeschDG that has now been submitted repeatedly emphasizes that it has considered the deficits identified by the ECJ and meets the requirements of Art. 88 GDPR.
II) Scope of application of the law
The RefE BeschDG exclusively regulates the processing of personal employee data. The term "employee" is defined in Section 2 (2) RefE BeschDG - as in Section 26 (8) BDSG - and now also expressly includes former employees.
What is new is that the regulations are also to apply to data processing by third parties (Section 1 (2) RefE BeschDG), provided that joint controllership between the employer and the third party can be assumed. According to the wording, this would also cover third parties outside Germany, e.g. social media platforms or affiliated companies in other member states or in third countries. In our opinion, it is doubtful whether Art. 88 GDPR actually grants the member states regulatory powers over personal data processed in other countries. In view of the ECJ's broad interpretation of joint controllership, this regulation is likely to be highly problematic for companies and international groups in particular.
The RefE BeschDG is also intended to continue the previous regulation of Section 26 (7) of the Federal Data Protection Act (BDSG) by ensuring that the law – in this respect broader than the scope of the GDPR – also applies in principle if non-automated processing of personal employee data occurs.
2 - Legal Bases under Data Protection Law
The RefE BeschDG makes a very strong distinction between different processing scenarios when structuring the legal bases under data protection law.
While Section 3 of the RefE BeschDG sets out the basic principles of data processing, Part 2 of the RefE BeschDG contains specific regulations on individual subject areas. The RefE BeschDG distinguishes between data processing prior to the establishment of an employment relationship, the monitoring of employees, profiling and (further) special processing situations, for example in the context of data processing within the Group.
I) Permitted Processing Purposes
Section 3 (1) of the RefE BeschDG initially states when the processing of employee data in connection with an employment relationship is generally permissible. Although the provisions are largely based on the previous principles of Section 26 (1) sentence 1 BDSG, they do include some more specifics. For example, such data processing should be expressly permitted if it is carried out for a specific purpose
- to decide on the establishment, implementation or termination of an employment relationship (No. 1),
- to fulfill the employer's obligations laid down by law (No. 2),
- to fulfill the employer's obligations laid down in a collective agreement (No. 3),
- to exercise or fulfill the rights and obligations of employee representation arising from a law or a collective agreement (No. 4),
- to protect the vital interests of the employee concerned or another natural person (No. 5),
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the employer (No. 6), or
- to safeguard a legitimate business interest of the employer (No. 7)
is necessary. According to the legislative intent, permissible purposes include the planning and organization of work, management, equality and diversity in the workplace, health and safety at work, environmental and climate protection, protection of the property of employers, employees or customers, and the enjoyment of individual or collective rights and benefits related to employment.
Pursuant to Section 3 (3) RefE BeschDG, the purposes pursued by the employer must be defined so specifically that the lawfulness of the processing can be assessed on the basis of the purpose. In addition, the purposes must be defined prior to data processing in accordance with the express provisions of the RefE BeschDG. In practice, this means that the respective processing steps must be documented in more detail than has been the case to date. In view of the differentiated structure of the RefE BeschDG, purely generic information will no longer be sufficient in the future. In order to meet these requirements, it is advisable to make the respective entry in the record of processing activities pursuant to Art. 30 para. 1 GDPR correspondingly precise from the outset and, if necessary, to provide additional columns for the legal justification.
With regard to data processing on the basis of Section 3 (1) nos. 1 and 7 RefE BeschDG, it should also be noted that the interests of the employer in the processing must outweigh the interests of the employees concerned in the exclusion of processing. While the provision of Art. 6 para. 1 lit. f) GDPR can also be used in the employment relationship, an independent balancing of interests clause has now been introduced in the RefE BeschDG, which is stricter overall with regard to its wording. According to the RefE BeschDG, the obligation to document the balancing of interests also applies additionally to the legal bases “contract execution” and “legal obligation” (Art. 6 para. 1 lit. b, c GDPR).
Section 4 RefE BeschDG sets out in detail when data processing is to be considered "necessary". In addition to the fact that the existing dependency of the employees must be considered in each individual case, a balancing exercise must be carried out in which a wide range of other aspects must be considered. This concerns, for example, the weight of the employer's interests pursued with the processing, the associated interference with fundamental rights, which is further influenced by various factors, as well as the technical and organizational measures taken in the individual case. It is very clear in several places in the draft of the RefE BeschDG that the legislator is attempting to specify the previously undefined legal terms in Section 26 BDSG as comprehensively as possible.
In summary, the new regulations in Section 3 RefE BeschDG focus in particular on the requirement for comprehensive consideration and documentation. Although the general provisions of the RefE BeschDG only bring a few real innovations in terms of content, they are associated with a large number of further specifications and a documentation effort that should not be underestimated.
II) Consent in the Employment Relationship
Consent as the basis for data processing is set out in Section 5 RefE BeschDG. While the question of the voluntary nature of consent has also played a significant role in the assessment under data protection law to date, the draft RefE BeschDG now contains some clarifications. When assessing the voluntariness of consent, the dependency of the employee in the employment relationship and the circumstances under which the consent was given must be considered. In the case of the processing of applicant data, this is referred to as an increased imbalance of power.
Section 5 (2) RefE BeschDG lists a number of cases in which consent can be assumed to be voluntary. This concerns, among other things
- inclusion in an applicant pool,
- the use of photos for the intranet,
- the private use of company IT systems and
- the use of biometric data to facilitate identification, provided that equivalent alternatives are available.
Essentially, it is always a question of constellations in which the employer and the employee pursue similar interests or the employee achieves a legal or economic advantage. These constellations are also not new in principle, but are now explicitly included in the draft of the RefE BeschDG.
Consent must continue to be given in writing or electronically, unless another form is appropriate due to special circumstances. We continue to recommend written consent, for reasons of verifiability alone.
3 - Specific Rights of Data Subjects
Section 10 RefE BeschDG contains some real innovations that address specific rights of employees and information obligations of the employer.
If the employer bases the data processing on a legitimate business interest in accordance with the provisions of the RefE BeschDG, he must explain to the data subject the main considerations in weighing up the interests, including the examination of necessity, in a way that is comprehensible to the data subject. The employer must also provide information about the existence of this right in the data protection notices in accordance with Art. 13, 14 GDPR.
These new requirements represent a considerable tightening of the previous review and documentation obligations, as the corresponding considerations previously only had to be provided to the data protection supervisory authority.
The use of AI systems in the company is subject to further requirements in that employees must be provided with meaningful information on the functioning of the AI system and the function of the processed employee data within the AI system as well as the protective measures taken in each individual case in accordance with Section 9 RefE BeschDG (Section 10 (3) RefE BeschDG). While the scope of the corresponding provision of information has been the subject of increased discussion to date, the legislator has aligned itself with the generally strict legal opinion of the data protection supervisory authorities in the draft of the RefE BeschDG. In future, it will therefore no longer be sufficient to merely provide generic information on the AI system.
4 - General Ban on the Use of Data Processed in Breach of Data Protection Regulations
While the details of prohibitions on the use of personal employee data as a result of processing in breach of data protection law have so far been defined by the case law of the labor courts on a case-by-case basis, Section 11 RefE BeschDG clarifies this accordingly. In future, data that has been processed in violation of data protection law may no longer be used in court proceedings regarding the legality of a personnel measure taken by the employer against an employee based on this data (e.g. in the event of dismissal), unless there is an obvious disproportion between the interference with the general personal rights of the employee concerned by the judicial utilization and the employer's interest in the judicial utilization, which is protected by fundamental rights. Due to the wording of the provision, the burden of presentation and proof for the application of this exception lies with the employer. It remains to be seen whether the provision will ultimately provide the legal clarity hoped for by the legislator, as it will continue to depend on a consideration in each individual case.
5 - Extended Co-Determination Right of the Works Council
The RefE BeschDG introduces a right of co-determination for the works council in the appointment and dismissal of the data protection officer. If no agreement is reached, the decision of the Conciliation Committee (a specific court-like proceeding in Germany) is to replace the agreement. In our opinion, the German legislator is clearly going beyond the opening clause of Art. 88 GDPR here, as the regulations on the data protection officer are not specific regulations for employee data protection. It is therefore doubtful whether the regulation is GDPR-compliant. The data protection officer is responsible for all data protection issues of the controller and not just for employee data. Giving the works council a de facto right of veto against the appointment of a data protection officer goes well beyond the previous co-determination rights of the works council and can significantly delay the appointment or replacement of a legally required DPO. This also raises questions about the independence of the data protection officer.
6 - Monitoring of Employees
Due to the sensitive nature of the topic in terms of data protection law, the monitoring of employees has been given its own chapter in the RefE BeschDG. The individual regulations differentiate between general principles for the surveillance of employees (§ 18), surveillance measures that are not only short-term (§ 19), covert surveillance (§ 20), video surveillance (§ 21), tracking (§ 22) and a ban on the further processing of the data obtained in this way for performance monitoring (§ 23).
The processing of employee data by means of monitoring measures is generally only permitted if it is necessary for a specific purpose for the performance of the employment relationship, for the fulfillment of obligations of the employer stipulated by law or collective agreement, or for the protection of important business interests, and if the interests of the employer in the processing outweigh the interests of the employees concerned in the exclusion of the processing. In principle, the respective monitoring may only take place for a short period of time and either on an ad hoc or random basis.
The RefE BeschDG defines surveillance measures as all measures for the targeted observation of persons or objects by persons or technical equipment. In practice, the question will arise as to whether the labor courts will adhere to this strict limitation to the objective of the measure or whether the view developed under Section 87 BetrVG, according to which the suitability of the measure for observation is sufficient, will also prevail here. According to Section 18 (2) RefE BeschDG, the purpose of such monitoring may relate to the protection of the health and safety of employees as well as the prevention and detection of criminal offenses and breaches of duty. While the "pure" breach of duty has so far at least not been expressly mentioned in Section 26 (1) sentence 2 BDSG, the draft of the RefE BeschDG now contains a corresponding clarification. Whereas the scope of application of Section 26 (1) BDSG has so far been subject to some differentiation depending on the type of breach of duty and monitoring measure in question, criminal offenses and breaches of duty are now covered together in Section 18 RefE BeschDG. From a company's perspective, it is positive that breaches of duty are now also clearly included. Previously, it was often disputed whether breaches of security obligations, e.g. in the area of IT security, could be pursued, as in such cases the threshold for criminal liability was often not reached; but without the possibility of pursuing them, it was not possible to enforce compliance with security standards and thus with the appropriate TOM (technical and organizational measures).
What has already been recognized as a general principle is explicitly stated in Section 18 (5) RefE BeschDG: The processing of employee data relating to the core area of private life, as well as the processing of areas that also serve as collective and communicative retreats and private living arrangements, is expressly prohibited. This is likely to pose major challenges with regard to working from home and mobile working. Here, the obligations to protect data from the GDPR collide with the protection of private living spaces pursued by the RefE BeschDG. Complex considerations and documentation need to be drawn up.
Surveillance measures that are only permitted in exceptional cases and are not only carried out for a short period of time are set out in Section 19 RefE BeschDG. In this respect, significantly stricter requirements must be observed, as a corresponding procedure is only permissible if it is necessary for a specific purpose to protect the life or limb of employees or third parties or to safeguard particularly important operational or official interests and the interests of the employer in the processing significantly outweigh the interests of the employees concerned in the exclusion of the processing.
While Section 19 RefE BeschDG places stricter requirements on the purpose of the monitoring measure, it also excludes such data processing for the purpose of performance monitoring and adds supplementary requirements for the protective measures to be taken in accordance with Section 9 RefE BeschDG.
With regard to covert surveillance measures, there are deviations from the otherwise existing obligation to provide information in accordance with Art. 13 and 14 GDPR. Accordingly, information about data processing is not required if
- factual indications to be documented justify the suspicion that a criminal offense or serious breach of duty has been committed by a geographically and functionally definable group of employees,
- the data processing is carried out to uncover this criminal offense or serious breach of duty and
- there is no other way to uncover this criminal offense or serious breach of duty.
However, such information must be provided immediately as soon as the purpose of the surveillance measure is no longer jeopardized. Section 20 (3) RefE BeschDG also stipulates that the data protection officer must be involved in advance in the event of covert surveillance.
With regard to the video surveillance and tracking of employees, Sections 21 and 22 RefE BeschDG contain further special regulations that set out requirements for the type and scope of the respective surveillance measures. For example, in the case of video surveillance, areas or persons that are not necessary for the purpose of the surveillance must now be technically masked or made unrecognizable. Pictograms to create transparency and the previously prevailing view of the data protection supervisory authorities on the regular obligation to delete data after 72 hours are now also expressly set out in the RefE BeschDG. In any case, this will significantly increase the effort involved in video surveillance, as it will probably be necessary to document more clearly whose data needs to be recorded and whose does not. It is also questionable whether 72 hours is really sufficient (e.g. over Easter). Requirements for the configurability of video surveillance systems will increase, and it may not be possible to continue operating old systems under these conditions.
Overall, with regard to the requirements for the monitoring of employees, it can be stated that few real innovations have been added, as the data protection supervisory authorities have to date already set out the respective requirements in this way.
7 - Initial Assessment and Outlook
The current draft is being coordinated between the ministries and, as far as we know, will be discussed and approved by the cabinet at the end of the year. It is to be expected that there will still be changes to the text.
The draft incorporates many of the strict recommendations of the German Data Protection Conference (DSK resolution of April 29, 2022, available in German only), but in some cases goes beyond them. In some cases, we believe that the regulations are not covered by the opening clause of Art. 88 GDPR. This applies in particular to the co-determination of the works council in the appointment and dismissal of the data protection officer and to the extraterritorial effect for joint controllers.
The draft significantly increases the documentation and information obligations for employers. The proposed regulations are fragmented and often seem somewhat out of date. The ongoing digitalization of the economy and the rapid spread of artificial intelligence make it difficult in practice to draw boundaries between processing purposes and objectives. The legislator's approach of not relying on the principles and established systems of the GDPR, but instead creating national case-by-case regulations, is likely to lead to a great deal of uncertainty and significantly increase the bureaucratic burden for businesses.