Umfang und Inhalt der aufgabenbezogenen Datenverarbeitung durch den Betriebsrat
The longstanding question of the responsibilities of employer and/or the works council under data protection law is now answered succinctly by the legislator in § 79a p. 2 BetrVG: Employers are solely responsible for task-related data processing by the works council. However, this answer does not provide clarity. Therefore, the question arises - also in view of the increased assertion of claims for information under data protection law in termination processes - as to the scope and content of the works council's support obligations when complying with data protection rights of employees.
It is clear that the works council has a large amount of personal data at its disposal. The works council often obtains particularly sensitive data, such as data on incapacity to work due to illness, severe disability or pregnancy, in the exercise of its participation rights. It is obvious that it must take data protection regulations into account when processing task-related data. This obligation is now also enshrined in Section 79a BetrVG; it says:
"When processing personal data, the works council must comply with the provisions on data protection."
Whether the works council also has its own responsibility under data protection law was highly controversial before and still is after Section 79a BetrVG came into force. The legislator now clarifies in § 79a p. 2 BetrVG as follows:
"Insofar as the works council processes personal data in order to fulfill the tasks within its competence, the employer is the controller of the processing within the meaning of the data protection regulations."
What is the role of the controller important for?
The concept of a data controller serves to determine an addressee for organizational obligations under data protection law and sanctions imposed by supervisory authorities.
Organizational duties under data protection law are, for example:
the appointment of a data protection officer(s) (Art. 37 (1) DS-GVO, Section 38 (1) BDSG),
ensuring technical and organizational security measures (Art. 24, 32 DSGVO),
keeping a processing directory (Art. 30 DSGVO),
preparing a data protection impact assessment (Art. 35 DSGVO),
Reporting obligations in the event of data breaches (Art. 33 f. DSGVO),
the fulfillment and protection of data subject rights from Art. 15 to 21 DSGVO.
What does the sole responsibility of the employer lead to?
As a result of the stipulation in Section 79a sentence 2 BetrVG, the employer is also the addressee of data subject rights, organizational obligations and sanctions for the task-related data processing of the works council as the person responsible and is thus solely responsible. At the same time, due to the "institutional independence" of the works council anchored in works constitution law, employers cannot guarantee that the works council acts in compliance with data protection laws when processing task-related data. Neither do they have a right of control, nor can employers give the works council instructions for the processing of personal data within the framework of the exercise of participation rights. At the same time, however, they are liable for all data violations of the works council that cannot be controlled.
Can support obligations of the works council be a solution?
This evident imbalance between liability and a lack of control and decision-making power is what the legislator is trying to compensate for with very vaguely formulated support obligations of the works council:
"Employers and works councils shall support each other in complying with data protection regulations."
However, the content and scope of these support obligations are not specified in the statute. This means that practice must fill the norm with life. However, it can already be stated that the legally standardized duty to provide support is more far-reaching than the duty to cooperate in a spirit of trust between the parties to the company. The works council must enable the employer(s) to fulfill their obligations under data protection law.
Particularly relevant in practice are the duties to provide support in the fulfillment of data subject rights under data protection law, such as the right to information under Article 15 of the GDPR. Here, employers are significantly dependent on the works council providing information about the personal data processed in the works council office.
If the works council simply does not cooperate and refuses to provide support, the employer will not be able to fully comply with data protection obligations. The objection that the works council did not properly or sufficiently assist in the fulfillment of data protection obligations will not exempt the employer from liability. This shows how immature the legislator's attempt is to compensate for the created imbalance between liability and lack of decision-making power by imposing support obligations on the works council.
Notes for practical use:
It is currently unclear whether the provision of Sec. 79a Sentence 2 BetrVG is compatible with European law and can therefore be effectively applied. If one comes to the entirely justifiable conclusion that the sole responsibility of the employer for the task-related data processing of the works council is contrary to European Union law, it will have to be clarified again and at the latest by the ECJ whether the works council is responsible for the task-related data processing.
For now, however, employers are advised to work together with the works council to establish binding regulations and structures for compliance with data protection law in task-related data processing. The instrument of a regulatory agreement (“Regelungsabrede”) is a good choice here.
Fast and structured cooperation with the works council is required in order to fulfill the claims for information under Article 15 of the GDPR, which have been increasingly asserted by employees in separation situations in recent years. Here, too, it is advisable to define mutual support obligations in the fulfillment of the data protection rights of data subjects in the context of a regulatory agreement.
In order to avoid their own liability for data protection violations for which they are liable to pay damages and fines, employers should, if necessary, take legal action to enforce the works council's support obligations, which are now enshrined in law.