In December, the CJEU dealt with the data protection effect and judicial reviewability of company agreements in Germany (judgment of December 19, 2024, case no. C-65/23). The focus is on the question of the conditions under which national legislation and collective agreements may lay down specific rules for the processing of employee data. The CJEU also provided guidance on the judicial reviewability of company agreements. The decision is also important for international groups of companies with subsidiaries in Germany. If a works council exists in these companies, existing group-wide regulations must also meet the requirements of the new CJEU ruling.
Background
Art. 88 GDPR allows member states to adopt regulations on employee data protection at national level. With the introduction of Section 26 BDSG, the German legislator has made use of this option and, in Section 26 (4) BDSG, made it possible for the parties to a company to base the processing of personal data on a works agreement.
Although the CJEU has already expressed considerable doubts about the effectiveness of the general clause of Section 26 para. 1 sentence 1 BDSG (judgment of March 30, 2023, Ref. C-34/21), these concerns expressed by the CJEU do not apply to data processing on the basis of collective agreements in accordance with Section 26 para. 4 BDSG.
Requirements for works agreements
With regard to the first question referred, the CJEU initially states that the parties are entitled to adopt "more specific provisions" on data processing in accordance with Art. 88 para. 1 GDPR. However, the CJEU has clarified that national legislation and collective agreements must not only meet the specific requirements of Art. 88 para. 2 GDPR, but must also comply with the general provisions of the GDPR, in particular Art. 5, 6 and 9 GDPR. Otherwise, national legislation and collective agreements could undermine the protection standards of the GDPR. Art. 88 GDPR does not allow the provisions of the GDPR to be undermined.
In practice, we therefore believe that there is effectively no longer any room for works agreements as an independent legal basis for data processing in the employment context. Due to the CJEU's reference to the fact that the requirements of Art. 6 and Art. 9 GDPR must always be met, all data processing must therefore meet the requirements of at least one of the legal bases mentioned therein. Accordingly, works agreements can only specify these legal bases standardized in the GDPR. Consequently, the parties to the works agreement can - as was previously the case - agree which data processing or which performance and conduct checks are carried out in the employment relationship, but they do not create any new independent legal bases, but rather specify the legal bases from the GDPR - for example Art. 6 para. 1 letter b) GDPR (data processing for the performance of the employment relationship) or Art. 6 para. 1 letter f) GDPR (balancing of interests between the legitimate interests of the employer and the interests of the employees worthy of protection).
Judicial reviewability
With regard to the second question referred, the CJEU emphasized that collective agreements are subject to full judicial review pursuant to Art. 88 GDPR. The parties to a collective agreement have an equivalent margin of discretion to that of the Member States when adopting national legislation.
In practice, this means that works agreements under employment law must always be measured against all relevant requirements of the GDPR and are not sufficient as the sole legal basis. Employers must also ensure that works agreements do not fall below the level of protection provided by the GDPR. Data processing that is not permitted under the provisions of the GDPR cannot be made lawful by an effective works agreement.
Outlook on the prohibition of the use of evidence
The CJEU ruling makes no statement as to whether employee data processed on the basis of an ineffective works agreement is subject to a ban on the use of evidence in a legal dispute. The CJEU will still have to decide on this by way of a referral from the Lower Saxony Higher Labor Court (decision of 8.5.2024 - 8 Sa 688/23 in German only).
Practical tips
- Check legal basis: Even if collective agreements pursuant to Section 26 (4) BDSG and Art. 88 GDPR can be formally used as a basis for the processing of employee data, company parties should always (additionally) rely on one of the general legal bases of Art. 6 and 9 GDPR.
- Comply with GDPR requirements: As data controllers under data protection law, employers must ensure that all processing of employee data complies with the general requirements of the GDPR. This applies in particular to the principles of Art. 5 GDPR (e.g. lawfulness, transparency, purpose limitation and necessity) as well as the specific requirements of Art. 6 and 9 GDPR.
- Consider judicial reviewability: Works agreements, like national legislation, are subject to full judicial review. Works councils therefore do not run the risk of undermining the rights of employees through a works agreement. Employers as data protection officers must also keep an eye on the decision-making practice on data protection issues when concluding works agreements and should always involve the data protection team in the negotiation of works agreements.
- Review of existing works agreements: The parties should review existing works agreements to determine whether they comply with the requirements of the CJEU ruling and make any necessary adjustments.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
