After several failed attempts in recent decades to summarize and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is once again attempting to do so.

Current legal situation in Germany

Currently, employee data protection in Germany is largely determined by case law. Under Article 88(1) of the EU General Data Protection Regulation (GDPR), national legislators can adopt provisions that specify data protection requirements in the employment context. However, Germany has only made very cautious use of this “opening clause” under Article 88 GDPR, with Section 26 of the Federal Data Protection Act (BDSG) containing specific requirements relating to the protection of employee data. Many of the requirements and specifications regulated within Section 26 BDSG have been criticized as being too narrow and not going beyond those of the GDPR.

Even more problematic, however, is the fact that numerous provisions of Section 26 BDSG do not meet the conditions set out in Art. 88 (2) GDPR for national regulations on employee data protection. After the European Court of Justice (ECJ) specified the terms set out in Art. 88 (2) GDPR last year (Judgment of March 30, 2023 – C-34/21), the Federal Labour Court found that Section 26 (1) sentence 1 BDSG did not meet these terms and declared the provision invalid and inapplicable (Decision of May 09, 2023 – 1 ABR 14/22). Other individual provisions in Section 26 BDSG could share this fate in the future.

A new approach and actual regulatory objectives

The responsible ministries seem to have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. However, the draft announced for the fourth quarter of 2023 has not yet been published. So far, the only indication of possible regulations is a position paper published in April 2023 by the Federal Ministry of Labor and Social Affairs (BMAS) and the Federal Ministry of the Interior and Home Affairs (BMI) entitled ‘Proposals for modern employee data protection’.

In this paper, the ministries outline the objectives pursued with the bill. For example, the personal scope of application is to be kept as broad as possible in order to also cover solo self-employed platform workers. On the other hand, monitoring measures by the employer are to be limited in order to avoid constant monitoring pressure. In addition, the conditions under which concealed or open surveillance measures should be permitted are to be regulated. Questions relating to the use of artificial intelligence are also to be addressed in the bill, with particular emphasis on synergy with the EU regulations issued and planned in this regard. Applicants should be better protected with regard to data processing in the recruitment process, as this has been identified by the legislator as an area in particular need of protection.

Another aim of the bill is to make the balancing of interests to be carried out with regard to the permissibility of data processing operations more manageable in practice. This will be achieved by shaping the requirements for the voluntary nature of consent given. The announced regulations on data transfers within the group are also particularly relevant in practice.

Open questions and additional workload for companies

In order to further protect employees, data subject rights found in the GDPR are to be extended, with additional rights for employees. Considering the challenges faced by many companies with regard to requests for information in accordance with Art. 15 GDPR in particular, the announced provisions are likely to result in additional bureaucracy for employers. From an academic perspective, the question also remains as to how the requirements of Art. 88 (2) GDPR can be met in a legally secure manner. In any case, the repeated passing of data protection provisions which violate EU law would lead to even more uncertainty.

We will continue to monitor the legislative process for the Employee Data Protection Act. For further information, please contact your usual DLA Piper lawyer.