Employee data protection in the 2nd draft bill for the new Federal Data Protection Act

The General Data Protection Regulation (GDPR) will apply throughout Europe as from May 25, 2018. Nevertheless, it contains hardly any rulings aimed specifically at employee data protection. At the same time there is an opening clause (Article 88 GDPR) that allows rulings by member states in this area. The Federal Ministry of the Interior (BMI) has now prepared its second draft bill for legislation to adapt data protection law to the Regulation.

However, the draft itself also contains only very limited statements on employee data protection.

Rulings in the draft version of the Federal Data Protection Act (BDSG-E)

Data processing in employment relationships is regulated in Section 24 of the new draft bill. In terms of its content, Subsection 1 of the draft corresponds to the current Section 32 of the Federal Data Protection Act. Under this, data must only be processed for purposes related to the employment relationship if this is necessary for the creation, execution or termination of the employment relationship.

Data use should also remain possible for the purpose of uncovering criminal offences - if there is actual evidence indicating such and the measures are proportionate.

Both shall also continue to apply to non-automated processing.

As in the current Federal Data Protection Act, it is also made clear that the participation rights of the employee representatives remain unaffected (Section 24 Subsection 3 Federal Data Protection Act - Draft).

A new aspect is that the statutory definition of the employee shall now be regulated in Section 24 Subsection 4 Federal Data Protection Act - Draft. This definition was previously at the beginning of the Federal Data Protection Act. However, no content alterations have been incorporated other than the consideration for the Federal Volunteer Service.

Compatibility with Article 88 GDPR?

Nevertheless, it is questionable whether the new Section 24 Federal Data Protection Act - Draft meets the requirements of the GDPR. Although the opening clause in Article 88 GDPR gives the member states the possibility of further defining employee data protection through national rulings, this leeway is by all means limited.

Article 88 GDPR contains quite a few requirements on the national rulings whose observance is mandatory. The national rulings must include special measures to safeguard fundamental rights. This applies particularly to the transparency of the processing, the forwarding of personal data within a group of companies, and in terms of surveillance systems at the workplace. However, the new draft bill does not contain rulings providing for "special measures".

The measures provided for must also be "appropriate" and "special". At the same time, the meaning of these terms is not defined in the Regulation. Consequently, it is likewise not yet possible to foresee how the ECJ will ultimately interpret these terms and which national rulings it will accept. The ECJ could therefore play a ground-breaking role in employee data protection in the future.

Summary

Thus far, also the second draft bill of the Federal Ministry of the Interior fails to convince in terms of employee data protection. It is questionable whether the wording - that is more or less identical to the previous legal situation - complies with the requirements of Article 88 GDPR. Therefore, legal certainty for companies is not yet established.