Works agreements as a key element of GDPR compliance
By Dr. Daniel Klösel and Dr. Thilo Mahnhold
May 25, 2018: enough time
Nearly all national and international companies maintaining branches or at least doing business in the European Union are currently facing the following major challenge: Given that the GDPR will take effect on May 25, 2018, how do we manage to introduce adequate data privacy compliance practices or appropriately adapt existing data privacy compliance practices? At this point, it is helpful to remember that the GDPR will not only change substantive data privacy requirements, but also change the extent of monetary fines and thereby increase the risk of liability for noncompliance, which should be a major incentive for reviewing existing data privacy compliance practices and eliminating any deficits. The general challenges for GDPR-compliant data privacy practices were the topic of an earlier article we published in Labor Law Magazine 1/2017 (see Labor Law Magazine 1/2017).
The role of works agreements – general permission for data processing
In view of the various elements of GDPR compliance, one thing has become increasingly clear over the past few months in Germany: the crucial role of works agreements. This is due not only to the structural weaknesses of other instruments, for example voluntary consent that can be revoked at any time, but also in particular to the double function of a works agreement. Due to the codetermination rights under § 87 paragraph 1 nos. 1 and 6 of the German Works Constitution Act (Betriebsverfassungsgesetz, BetrVG), works agreements are often unavoidable in any event. But at the same time, they also provide a reliable legal basis for data privacy-compliant employee data processing.
The aforementioned data privacy function of works agreements will be substantially reinforced by the GDPR because Article 88 paragraph 1 of the GDPR expressly provides that the parties to a works agreement may include more specific provisions on the protection of employee data in works agreements. Such an express statutory reference to works agreements is new to both German and European data privacy law. What was controversial for a long time thus has now been settled by law: Works agreements are an independent legal basis for data privacy-compliant data processing!
Statutory minimum requirements for works agreements
This legal certainty comes at a price, however, as Article 88 paragraph 2 of the GDPR, as supplemented by Article 26 paragraph 4 of the German Federal Data Protection Act ([as revised], Bundesdatenschutzgesetz, BDSG), expressly provides for certain minimum requirements that must be satisfied for a works agreement to function as a legal basis for data privacy-compliant data processing. Under these code sections, works agreements must, above all, satisfy the following two requirements: (i) they must provide for special measures to protect the human dignity, legitimate interests, and constitutional rights of data subjects, and (ii) they must guarantee transparency of data processing. This applies, in particular, to the transfer of personal data within the same corporate group and to any monitoring systems at the workplace. Remember: The GDPR provides only for a limited intragroup privilege, according to which an exchange of data between different group affiliates is generally appropriate but not permitted per se (see Labor Law Magazine 1/2017).
In a nutshell, a works agreement must satisfy, above all, the following two requirements: First, it must include provisions that limit data processing to a reasonable extent as appropriate for the purposes of data processing and, second, it must include provisions that make data transfers transparent for the employees as data subjects.
The important role of transparency standards
In particular the latter requirement, transparency, plays an important role throughout the GDPR as is reflected by numerous provisions therein, especially Article 12 et seq. These provisions require answers to the following questions to make data processing transparent for employees: Which employee data will be collected in the first place (master data, performance data, banking data, etc.)? What are the purposes of data processing (payroll, effective human resources, job applicant management, etc.)? Where will data be stored (internally or in a cloud, within the EU or in a third country; if the latter, what is the legal basis)? Who will have access to the collected data (certain HR and/or IT staff, line managers, etc.)? How long will data be stored and when or under which conditions will they be erased? In short: Employees must know which of their personal data will be collected, for what purpose, where and for how long such data will be stored, and which individuals within the company will have access to their data. Generally, such provisions will at the same time also satisfy the substantive requirements limiting data processing to a reasonable extent as appropriate for the purposes of data processing.
Discretion of employers and works councils – the invincible advantage of works agreements!
However, one thing is becoming increasingly clear: These general GDPR requirements need not necessarily be included in works agreements as such, given that transparency can also be achieved by other means. Nonetheless, works agreements are a convenient way to kill two birds with one stone. First, a works agreement is a suitable instrument for satisfying the aforementioned transparency requirements. Second, if a works agreement meets the minimum legal requirements, it will, as a result, also provide an independent legal basis for data privacy-compliant data processing. If so, deciding whether data processing is data privacy-compliant under generally applicable data privacy laws, a notoriously difficult process, will no longer be necessary.
Furthermore, according to what is increasingly becoming the accepted view, the parties to a works agreement also enjoy a certain amount of discretion in terms of how they spell out data privacy requirements in works agreements and, ultimately, how they implement data privacy requirements in view of their specific business needs. Thus, at least in practice, the old debate whether works agreements may (negatively) deviate from the statutory level of data privacy has become moot for the most part. As long as works agreements comply with the aforementioned (minimum) requirements of Article 88 paragraph 2 of the GDPR, they will also serve as a suitable legal basis for data privacy-compliant data processing.
Works agreements in practice – necessary amendments and adjustments
But what does this mean for existing or future works agreements in practical terms? As a general rule, the following differentiation must be made. In view of the formerly somewhat unclear laws on the requirements for works agreements and the acceptable penalties for noncompliance, companies used to rely on short documents that merely described data processing procedures in abstract terms while providing no information about the specific purposes, other details, limitations on data processing, or the rights of data subjects. To the extent that this is the case, such works agreements will in many cases no longer be in compliance with the data privacy requirements of the GDPR. On the other hand, to the extent that existing works agreements already include more detailed provisions on the aforementioned topics, a (much less extensive) need for revisions will arise in many cases, if only because the many references to the statutory provisions of the GDPR will have to be updated. Irrespective of such cosmetic changes, a need for more detailed revisions will often arise as a result of the new provisions of Article 88 of the GDPR and the corresponding references in a works agreement, in particular references to statutory transparency requirements.
Provisions of works agreements on data privacy standards
The provisions that must be included in a works agreement under the GDPR depend, to begin with, on the role of a works agreement as an independent legal basis for data privacy-compliant data processing, which should also be clarified by an appropriate provision in the works agreement. Moreover, we recommend that the provisions of works agreements be in conformity with the principles defined in Article 5 of the GDPR, and that additional data privacy provisions that may be applicable to certain types of data processing be reviewed. Examples are the provisions of Article 28 et seq. of the GDPR governing outsourced data processing or the provisions of Article 44 et seq. governing international data transfers. Given the additional requirements of Article 88 paragraph 2 of the GDPR, the many different works agreements that may be involved, and other provisions elsewhere that may supplement such works agreements, it is almost impossible to make any generally valid statements about what provisions must be included in a works agreement. Nonetheless, it is generally the case that defining the purposes of data processing and providing additional information, in particular regarding the transparency of data processing (see, above all, the information obligations under Article 13 et seq. of the GDPR, including the rights of data subjects under Article 15 through 21 of the GDPR), are highly important.
Standard/single/master works agreements and supplementary measures
In practice, the most important thing will be to coordinate the provisions of the various standard, single and master works agreements, and supplementary measures (such as information made available on the intranet, etc.) and to merge them into a cohesive system. As noted above, according to what is increasingly the accepted view, it is at least not necessary for every works agreement in and of itself to satisfy the far-reaching GDPR requirements, so that appropriate references, for example references to information made available elsewhere (such as general data privacy provisions that can be viewed online), or even such announcements alone, may be sufficient. Therefore, what matters most here is a coordinated compliance system. As we mentioned above, master works agreements may be an important part of any such compliance system.
Works agreements on IT tools
In view of the stricter transparency requirements, caution should be exercised when designing compliance systems, especially if provisions on data processing using IT systems or on associated data transfers are concerned (which, in practice, will generally be the case). Due to the complexity of numerous data transfers, it may make sense in such cases to draft appropriate standard schedules that spell out the relevant details (purpose, detailed definition of processed data, location of data storage, access rights, safeguards, contractual arrangements, etc.), which will then be completed by the responsible IT staff. Which data processing information must be included will vary from case to case depending on the details of data processing and additional data privacy setups at the company or operation.
2018 works agreements
In summary, works agreements have the potential to develop into cornerstones of GDPR compliance. As an independent legal basis for data privacy-compliant data processing, they offer the most legally sound basis for all types of data processing in the employment context, while the expense of necessary amendments and adjustments should be acceptable given that the parties to a works agreement enjoy considerable leeway for drafting the relevant provisions. All in all, a works agreement therefore is an option that should be even more attractive considering the tough penalties for noncompliance that may be incurred under the GDPR. This is an opportunity not to be missed.