The central - and probably best-known - norm in German employee data protection law is Section 26 of the German Data Protection Act (BDSG). According to Section 26 (1) BDSG, personal data may be processed if this is necessary for the establishment, implementation or termination of an employment relationship or for the exercise or fulfillment of other rights and obligations under employment law. With this standard, the German legislator has made use of the opening clause of Article 88 (1) GDPR and thus of the possibility of establishing more specific regulations for employee data protection, which are intended to take into account the national particularities of working life. The European Court of Justice (ECJ) has now put Section 26 (1) BDSG to the test and ruled on March 30, 2023 (Case C-34/21) that this standard does not meet the requirements of the GDPR and is therefore no longer applicable.
The case occurred in the context of the Corona pandemic: Hessian students who were unable to attend classes in person due to the Corona pandemic were given the opportunity to follow the lessons via video conference. To ensure that this was done in compliance with data protection regulations, parents were asked to give their consent to the associated data processing - but not the teachers concerned.
In this respect, the Hessian Minister of Education based the processing of personal data on the legal basis of Section 23 (1) sentence 1 HDSIG, a state law provision which is very similar in wording to Section 26 (1) sentence 1 BDSG. In 2020, the main staff council of teachers at the Hessian Office of Education filed a complaint about this against the Hessian Secretary of Education before the Wiesbaden Administrative Court (VG). In the course of the proceedings, the VG doubted whether Section 23 (1) sentence 1 of the HDSIG met the requirements for a standard that specifies the GDPR in the area of employee data protection. In particular, it argued that this standard does not have its own and thus more "specific" regulatory content, since Art. 6 (1) (b) GDPR already permits data processing if it is necessary for the performance of a contract. However, Section 26 (1) sentence 1 BDSG would not regulate more than that.
The Administrative Court therefore referred the matter to the ECJ and asked it whether a national standard that legitimizes data processing must have a more specific regulatory content within the meaning of Article 88(1) of the GDPR and must also meet the requirements of Article 88(2) of the GDPR and whether a standard that does not do so must continue to be applied. In other words, are national standards that (1.) do not have any new regulatory content compared to the opening clause and (2.) do not meet the requirements of Art. 88(2) GDPR permissible and applicable as "more specific" standards within the meaning of Art. 88(1) GDPR?
The ECJ ruled that a national provision is only a "more specific" standard if it does not merely repeat already existing regulations. In addition, the ECJ held that such a "more specific" standard must also meet the requirements of Article 88(2) GDPR. This means that it must aim to protect the rights and freedoms of employees with regard to the processing of their personal data in the employment context and must include appropriate and specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subject. This is not the case with Section 23 (1) sentence 1 HDSIG and thus also not with Section 26 (1) sentence 1 BDSG, which is why these standards do not apply.
What does that mean for employers?
Far-reaching obligations for companies to take action are not to be expected. Nevertheless, it is advisable to take a critical look at processing directories and check the lawfulness of individual processing operations:
If the processing is not "necessary" but only "appropriate", Section 26 (1) BDSG could not be used as legal basis for the processing in the past either. So nothing changes here.
Processing operations required in the employment relationship, such as the processing of bank data for the payment of salary, of course remain permissible - they are only based on a different norm, namely Art. 6 lit. b GDPR. This should now be adapted in the processing directories.
Caution should also be exercised if the processing is based on a works agreement. Although it was previously common practice to use works agreements to create legal bases for the processing of employee data for which no basis could be found in the GDPR, this practice is also currently under scrutiny by the ECJ (Case 8 AZR 209/21).
In addition, data protection declarations should also be considered: If they explicitly refer to Section 26 (1) BDSG, this reference should be updated and replaced by the applicable standard - Article 6 lit. b GDPR.
Will everything stay the same? Pressure on the legislator
In the recent past, there have been calls from all sides for the legislature to no longer have central labor law issues clarified by the courts, but to address them itself in a comprehensive legislative package. The courts have once again shown the legislature that there is a considerable need for regulation, and not only in the area of the recently hotly debated recording of working hours. Specifically, the Data Protection Conference (DSK) had also called for the creation of an Employee Data Protection Act as early as April 2022. At least the Federal Ministry of Labor and Social Affairs (BMAS) of the governing coalition now seems to want to take the initiative. Thus, an advisory board of independent and interdisciplinary experts submitted a final report to the BMAS at the beginning of 2022. According to the BMAS, this is to be followed by regulations on employee data protection before the end of this legislative period. So it remains exciting.