Legal certainty in handling employee data? Draft bill for an employee data act
- 11/20/2024
On October 8, 2024, the German Federal Ministry of Labor and Social Affairs and the German Federal Ministry of the Interior and Community published a draft bill for an Employee Data Act (“BeschDG-E”). With a view to the increasingly digital world of work, it is intended to create legal certainty in the handling of employee data. Among other things, the draft contains regulations on the voluntary nature of consent in the context of employment and on information rights for data subjects with regard to the use of surveillance measures, profiling and artificial intelligence (AI).
Art. 26 of the German Federal Data Protection Act (“BDSG”) currently regulates data processing for the purposes of the employment relationship. However, on March 30, 2023 (Case C-34/21), the ECJ ruled that Art. 23 of the Hessian Data Protection and Freedom of Information Act (“HDSIG”) violates the GDPR. This is problematic insofar as Art. 23 HDSIG is identical in wording to Art. 26 BDSG. The German Federal Labor Court (“BAG”) (Case no. 1 ABR 14/22) has therefore ruled that Art. 26 BDSG is only partially applicable.
The draft bill for the Employee Data Act is intended to take into account and regulate the increasing (new) challenges of digitalization in the relationship between employees and employers. The German government has set itself the goal of promoting the innovative and responsible handling of employee data. For the sensitive context of employment, this means that a reasonable legal framework combines innovative data use with strong data protection for employees. But what does the draft bill regulate in detail?
The provisions of the BeschDG-E in detail
- Art. 3 BeschDG-E stipulates that employee data may only be processed for a specific purpose. This provision is not new in this respect, as the principle of purpose limitation is already included as a general principle in Art. 5 GDPR.
- Art. 5 BeschDG-E regulates the more detailed requirements for the consent of employees. In particular, consent must be voluntary. Until now, it has been problematic to what extent voluntariness can be assumed in the employment relationship, as it is a relationship of dependency. Art. 5 BeschDG-E now provides examples of when voluntariness can be assumed. Voluntariness is assumed in particular for the use of photos for the intranet, for permission for private use of company IT systems and for contacting people to invite them to corporate events.
- Art. 10 BeschDG-E grants employees specific rights as data subjects. In particular, the employer must inform the employee about the use of AI systems.
- Art. 11 BeschDG-E stipulates that the processing of employee data in violation of data protection law generally results in a prohibition of exploitation. This is new, as the Federal Labor Court had previously ruled that data protection violations do not generally preclude exploitation. In particular, a prohibition of exploitation was not possible in the case of intentional breaches of duty and open video surveillance.
- Pursuant to Art. 12 BeschDG-E, the works council is granted a right of co-determination in the appointment and dismissal of the data protection officer. The right of co-determination also includes the fundamental question of whether internal or external data protection officers should be appointed. If the employer and works council are unable to reach an agreement, a conciliation committee must be consulted. The committee’s decision replaces the agreement between the employer and the works council. The granting of a comprehensive right of co-determination represents a considerable encroachment on entrepreneurial freedom of decision. In addition, the independence of the company data protection officer is no longer guaranteed if he or she can generally be dismissed by the conciliation committee at any time.
- Art. 17 BeschDG-E regulates in particular the deletion periods for applicant data. Previously, there were no statutory retention periods. According to the principle of purpose limitation, personal data must be deleted as soon as it is no longer required for the relevant purpose. Against the background of the assertion of any violations under the German General Equal Treatment Act, six months was considered necessary. The draft now stipulates that employee data can be deleted after three months.
- Art. 24 et seq. BeschDG-E regulate further details on profiling. Employees are granted a right to information, in particular as to whether profiling has taken place and whether AI systems have been used. They also have a comprehensive right to information and a right to an explanation and review of the decision.
- Art. 18 et seq. BeschDG-E regulate in detail the requirements for surveillance measures directed at employees. Surveillance measures are legally defined as measures for the targeted observation of persons or objects by persons or technical equipment.
- Art. 18 BeschDG-E regulates short-term monitoring measures. They are only permitted for a short period of time and either on an ad hoc or random basis.
- A stricter standard applies to longer-term surveillance measures. According to Art. 19 BeschDG-E, such a measure is required if it serves to protect the physical integrity of employees or is necessary to safeguard particularly important operational or official interests and outweighs the interests of the employer. The involvement of the data protection officer is required.
- Art. 20 BeschDG-E regulates covert surveillance. In this section, the legislator has codified the principles already developed by the BAG and the Data Protection Conference. Accordingly, covert surveillance is only permitted in cases of suspected criminal offenses and is prohibited for performance monitoring purposes.
Draft bill creates legal certainty – but also more administrative effort for companies
In part, the draft bill provides legal certainty and codifies the existing legal situation. In some cases, however, companies will also be confronted with more administrative work, e.g., due to new information obligations regarding the use of AI applications and administrative requirements for the appointment of data protection officers or the management of applicant data. It remains to be seen how this draft will develop in the legislative process. We hope that some points will be revised.
As soon as a new regulation comes into effect, the company’s own contracts (employment contracts, privacy notice, etc.) and operational processes (recruiting, performance management, time recording, security systems, etc.) must be reviewed accordingly and adapted if necessary. In view of the break-up of the “traffic-light” coalition, it currently appears questionable whether this legislative process will be implemented in the short term. We advise companies to observe the further legislative process, to evaluate possible scenarios now and to check what implications they would have for their respective organizations.