On 4 May 2022, the German Conference of the Federal and State Data Protection Authorities (DSK) published a call for an Employee Data Protection Act. As a reminder, in Germany, data protection is organised by state, so there are 17 state data protection authorities: one for each of the 16 German states and two for Bavaria (one each for public and for private data controllers). Together with the Federal Data Protection Authority of Germany (which is in charge of Federal Public data controllers), they comprise the DSK.
In their call for a specific employee data protection act, the DSK are referring to the announcement by the German governing parties in the Federal coalition agreement (of November 2021) that a distinct employee privacy act would be created by the coalition parties that are planning on being in government until 2025.
This Act would be in addition to the EU GDPR, which of course applies in Germany, and in addition to s26 of the German Data Protection Act (BDSG), which was enacted in May 2018 along with the GDPR. Currently a single provision of the BDSG regulates the basics of national employee privacy protection, as provided for in Article 88 of the GDPR.
It can be assumed that the discussion on whether a specific employee data privacy act is needed, and what it should contain, will continue over the coming weeks and months. It is further to be expected that draft legislation will be presented by the Federal Ministry of Labour and Social Affairs (BMAS) and possibly the Ministry of the Interior (BMI) in the coming months. Employers in Germany can look forward to – hopefully – greater legal clarity in the future and, presumably, will have to forego some leeway in return.
As mentioned above, at the moment, specific German regulations on employee data protection can be found in s26 of the German Federal Data Protection Act (BDSG), a provision with many general and abstract clauses that are then interpreted by German labour courts and data protection authorities. Individual questions such as the permissibility of secret video surveillance at supermarket checkouts or social media background checks on new job applicants are currently pure case law based on s26 BDSG as well as on the general principles in the GDPR and the BDSG.
Efforts to introduce a more detailed German Employee Data Protection Act have already been made in the past, for example from 2010 to 2013 under the Conservative-Liberal government coalition at that time (Merkel II).
More recently, in January 2022, an interdisciplinary advisory board commissioned by the Federal Ministry of Labour completed a detailed final report on the status of German employee data protection, concluding that specific legislation will be needed. In February 2022, the German Trade Union Confederation (DGB) published a draft of an Employee Data Protection Act. The DGB proposal is a very detailed draft of a law for the maximum protection of employee data, including added rules for enforcement, such as an explicit prohibition on using data as evidence if it has been obtained in breach of any data protection rules. It also includes a claim for employees to injunctive relief and a right for unions to start class actions in the event of breaches.
In contrast, the DSK resolution published in May 2022 limits itself for the most part to neutrally listing points in need of regulation and makes only a few proposals on the content of individual points. Even though the details will not be known until the law is passed, employees and employers can expect regulations on the following points:
The use of AI in the employment relationship should remain possible, according to the DSK statement, but should be regulated more strictly the more severe the possible infringement of fundamental rights. Approval procedures, preliminary checks and requirements for avoiding discrimination are to be standardised. Profiling is to be prohibited in principle even if it is not used for automated decision-making. It remains to be seen whether the Federal German legislator will comply with this demand and pass legislation on AI, despite the fact that an EU proposal for a law on artificial intelligence was published in April 2021.
Monitoring employee conduct and performance
Where monitoring of employee behaviour and performance is carried out secretly, it should only be allowed in specific exceptional cases according to the DSK. Concrete regulations are also demanded for the monitoring of employee e-mails, for video surveillance and GPS tracking, and for biometric procedures.
Employees’ consent as a legal basis for data processing must be viewed critically because of the existing inequality of power in the employment relationship. The DSK states there is a need for legal examples of when the conditions for consent, in particular its voluntary nature, are met.
It should be clarified, according to the DSK, to what extent collective agreements can constitute an additional legal basis for data processing. This touches on the controversial question among German lawyers of whether data processing which would not be permissible under general data protection principles could nevertheless be allowed on the basis of company agreements.
The processing of sensitive data of employees should be regulated better than before, the DSK states. At present, it is not clear whether such data may also be processed on the basis of the general rules on the processing of sensitive data, without introducing further requirements for employee sensitive data, such as a balancing of interests.
No use of unlawfully obtained data as evidence
The DSK expressly supports a statutory prohibition on the use of unlawfully obtained employee data as evidence (similar to the DGB suggestion described above). According to the case law of the Federal Labor Court (BAG), so far, evidence obtained in violation of data protection law must only be disregarded if the processing is disproportionate and significantly interferes with the employees’ fundamental rights, such as in the case of locker checks or secret eavesdropping on telephone calls.
Finally, the processing of job applicants’ data needs to be regulated according to the DSK statement. This relates to the employer’s right to ask questions about pregnancy or union membership etc., to background checks as well as to medical examinations and assessment centre data. The DSK paper also demands a maximum retention period of six months for job applicants’ data.
The question is whether we need a special German law for employee data protection. The answer depends on how you look at it. From the perspective of an employment lawyer specialised in data protection law, we don’t need it. If, on the other hand, the goal is that those subject to the law, who are not lawyers, should be able to understand the legal situation as well as possible by simply looking at the statute, we do indeed need a more detailed and specific act.
However, the approach of introducing a law that is as detailed as possible instead of a few general clauses has a risk: it could quickly become outdated. There is a reason why the EU GDPR has been drafted to be as technology neutral as possible (EC 15 paragraph 1 GDPR). The hope was and is that the GDPR will remain applicable and relevant in the future, despite rapid technological progress. The explicit regulations now demanded by the DSK, for example, on the monitoring of emails or GPS tracking, could be outdated by new technologies in just a few years.