The General Data Protection Regulation (GDPR) is aimed at extensive harmonization of data protection in the EU, and will be applicable with effect from May 25, 2018. The GDPR will replace the current EU Data Protection Directive (Directive 95/46/EC) and will be directly applicable in all EU member states.
The new regulations mean that German employers will also have to prepare for changes as regards the protection of employees’ personal data. The German legislator has implemented the escape clause in the GDPR concerning employment law in the new Section 26 BDSG (German Federal Data Protection Act). This will become applicable at the same time as the GDPR and will essentially correspond to the current Section 32 BDSG. Employers should however pay attention to several points.
Consent is one of several possibilities for the lawfulness of data processing. It is particularly important that consent is given voluntarily by the data subject. The new Section 26 (2) BDSG now expressly regulates consent in the context of an employment relationship. The legislator also offers help concerning the question of how this must be done and when voluntariness is given. Any consent already issued in the past will however remain effective, provided it has been legally obtained.
Art. 88 (1) GDPR as well as the new Section 26 BDSG now also expressly regulate that the processing of personal data on the basis of works agreements is admissible. The works agreements must of course comply with the data protection standard of the GDPR. If they lower the standard of protection and if data processing in accordance with the provisions of any such works agreement is continued, there is a risk of a fine. It is therefore advisable to check all existing works agreements in terms of their compatibility with the new data protection law. It may be advisable to conclude a general works agreement. This can be used as a guideline for the implementation of the GDPR, and can include rules on how existing works agreements should be adapted to the new data protection law in future.
The current Section 5 BDSG includes the commitment to data secrecy on the part of the persons involved in data processing. While this express rule will cease to apply, the GDPR does however establish principles that are to be observed during all data processing, and compliance with which must be demonstrated by the controller. For example, technical and organizational measures are required in order to be able to guarantee and demonstrate that processing is carried out in accordance with the GDPR. Consequently, a written commitment to comply with data protection requirements must still be obtained from the employees.
As is currently the case, the new law likewise does not contain any privileges related to data exchange within a group of companies. Rather, the same conditions apply for the lawfulness of data transfer as with respect to other third parties. The new law does however at least facilitate the exchange of personal data within a group of companies for internal administration purposes. Corresponding forwarding and processing can be legitimized on the basis of such purposes. However, even in these cases, the justified interest must be defined and weighed against the interests of the employee. The mere, unspecified desire to forward the data will still not suffice.
Employers should use the time remaining before the GDPR becomes applicable and check any related need for adaptation: any consent given should be checked and updated in the immediate future, the commitment to the principles of the GDPR should be ensured, and works agreements should be subjected to a compatibility check.