Germany enacts new data privacy laws to adapt to the GDPR
By Dr. Daniel Hund, LL.M. and Dr. Anja Branz
In an attempt to adapt national data privacy law in the employment relationship to the new European standard, the German parliament passed a new bill on April 27, 2017. That standard derives from the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and applicable from May 25, 2018 in all Member States. Given that the GDPR also governs the processing of employees' personal data by employers and provides for fines of up to 4% of a group's or company's total worldwide annual turnover (or EUR 20 million, whichever is higher) in the case of violations, it has attracted a great deal of attention from compliance officers, HR managers and
Processing personal data
The GDPR lays down principles relating to the processing of personal data. Personal data must be processed lawfully, fairly and transparently (Article 5(1)(a)); collected for specified, explicit and legitimate purposes only and not further processed in a manner incompatible with those purposes (Article 5(1)(b)); adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5(1)(c)); accurate and, where necessary, kept up to date (Article 5(1)(d)); stored in a form that permits identification of the employee for no longer than necessary for those purposes (Article 5(1)(e)); and processed in a manner that ensures appropriate security, i.e. their integrity and confidentiality (Article 5(1)(f)). Employers, as controllers, are accountable for compliance with these principles and must be able to demonstrate that compliance (Article 5(2)).
Moreover, the GDPR gives employees whose personal data are processed certain rights, for instance the right to be informed about, and to obtain access to, the processing of their personal data (Articles 13 to 15), the right to have their personal data erased under certain circumstances (the right to be forgotten, Article 17) and the right to data portability (Article 20).
It also requires employers to carry out a data protection impact assessment before any planned processing that is likely to result in a high risk to employees' rights and freedoms (Article 35), and to consult the supervisory authority beforehand where that assessment indicates that the processing would result in a high risk in the absence of mitigating measures (Article 36).
Compliance and noncompliance with GDPR
In cases of noncompliance with the GDPR, the supervisory authorities can impose fines of up to 4% of the relevant group's or company's total worldwide annual turnover (or EUR 20 million, whichever is higher). It is, however, not yet clear precisely which measures an employer must take in order to be fully compliant. Many employers in Germany had hoped that the German legislature, which the GDPR expressly allows to lay down more specific rules for the employment context (Article 88), would provide more clarity and legal certainty, but this has not been the case.
While the new bill (Section 26 of the new Federal Data Protection Act) refers to the principles and requirements laid down in the GDPR, it does not elaborate on them and gives employers no further guidance on how to comply with the GDPR. Essentially, the general structure of employee data protection remains unchanged.
In a nutshell, employees’ personal data may only be processed if
- necessary for a decision regarding the formation, execution or termination of the employment relationship;
- allowed by collective bargaining or works council agreements;
- the employee has consented; or
- documented facts give rise to the suspicion that the employee has committed a criminal offence in the course of the employment relationship and the processing is necessary to detect that offence.
While case law had already established that employees can consent to the processing of their personal data in the employment context, the new law now states this expressly. Yet the employee's degree of dependency and the circumstances under which consent was given must be considered when assessing whether it was actually given voluntarily. According to the new law, consent can in particular be voluntary where the employee gains a legal or financial benefit from the processing or where employer and employee pursue the same interests. While this clarification is an improvement, practitioners will still have to determine case by case whether the employee's consent was voluntary.
The German rules on the processing of personal data in the employment context will not change significantly under the new bill. Given that the German legislature has not clarified the new obligations under the GDPR, it will essentially fall to the supervisory authorities and the courts to provide such guidance. In the meantime, employers can only hope that reasonable efforts to comply with the GDPR will be taken into consideration. Until then, employers would be well advised to consult the supervisory authority: formally under Article 36 where this is mandatory because the data protection impact assessment shows a residual high risk for employees' data, and informally in borderline cases. It is difficult to imagine that measures taken by an employer and approved (or at least tolerated) by the supervisory authority will result in significant fines in practice, although such approval is no formal guarantee.