Germany enacts new Data Privacy Laws to comply with GDPR
In an attempt to adapt national laws regulating data privacy in the employment relationship to new European standards, the German parliament passed a new bill on 27th of April 2017. The adaptation was necessary due to the General Data Protection Regulation (GDPR), which was enacted by the European Union in 2016 and will be effective as of 25th of May 2018 in all member states. Given that the GDPR regulates the processing of personal data of, inter alia, employees by employers, and provides for fines of up to four percent of the total annual revenue generated by a group or company in case of any violations, it has attracted a lot of attention from compliance officers, HR managers and legal counsel.
The GDPR states certain principles relating to the processing of personal data. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes only and not processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; accurate and kept up to date; stored for no longer than necessary for the purposes for which they are processed; and processed in an ethical and confidential manner. Employers will be accountable for complying with those principles and, therefore, will be required to provide proper documentation of their compliance. The GDPR also requires employers to assess the impact of any envisaged processing operations on the protection of their employees’ personal data and to consult the regulatory authorities when such an assessment indicates a high risk. Moreover, the Regulation gives the employees concerned the right to obtain information as to the use of their personal data as well as the “right to be forgotten”, i.e. the right to obtain erasure of personal data under certain circumstances.
Yet, so far it is still not completely clear what exact measures an employer has to take in order to be 100% compliant with the GDPR. Many employers in Germany had hoped that the German legislature, which has, to some extent, the legislative power to specify the requirements under the GDPR, would provide more clarity and legal certainty. As it now turns out, those hopes were not justified.
The general structure of employee data protection will remain essentially the same as before. In a nutshell, employees’ personal data may only be processed if
Necessary for decisions regarding the formation, execution or termination of the employment relationship;
Allowed by collective bargaining or works council agreements;
The relevant employee has given his consent; or
Evidence indicates that the employee in question has committed a crime in the course of his employment.
While the new bill refers to certain principles and requirements stated in the GDPR, it does not, however, elaborate on those principles and requirements, and it gives employers no more guidance on how to comply with the GDPR than the Regulation itself. Given that the German legislature missed this chance, it is now up to the regulatory authorities and the courts to provide such guidance. Employers can only hope that, in the meantime, any reasonable efforts to comply with the GDPR will be taken into consideration when they are audited or judged.
If you have any questions related to this topic, please feel free to contact
Dr Daniel Hund (Lawyer, LL.M., Licensed Specialist for Labour Law) and Dr Anja Branz (Lawyer, Licensed Specialist for Labour Law).