Update Data Protection No. 140
Is a new Employee Data Protection Act on the horizon?
The Federal Ministry of the Interior and Community (BMI) and the Federal Ministry of Labor and Social Affairs (BMAS) have worked out proposals for a new German Employee Data Protection Act. The proposals have already been distributed on the Internet.
Creating a new Employee Data Protection Act is one of the objectives of the current German governing coalition. In addition, the European Court of Justice recently found Section 23(1) HDSIG (Hessian Data Protection and Freedom of Information Act) to be in breach of European law, as it states that personal data of employees may be processed provided that the processing is required for the implementation of the employment relationship (see ECJ, Judgment of March 30, 2023 – C-34/21). Therefore, the central federal standard of Section 26(1) sentence 1 BDSG (German Federal Data Protection Act), which is almost identically formulated, would also be in breach of European law. In any case, it is now the turn of the legislator to create new regulations in employee data protection that are in compliance with the GDPR.
I. Content of the proposals of the BMI and the BMAS
In terms of content, the proposals of the BMI and the BMAS provide for the following regulatory areas:
- In personal terms, solo self-employed platform workers in particular should also be included in the scope of the new law. Due to the particular structures and business models in the platform economy, this group of individuals is also often in need of protection with regard to the processing of their data in a manner comparable to that of employees.
- Limits should be set for the monitoring of employees: (i) Measures for permanent monitoring should be permissible only in exceptional cases. It should not be allowed to create complete movement and performance profiles for employee evaluation (unlike the Administrative Court of Hanover, see our Update Data Protection No. 138); (ii) concealed monitoring measures should be allowed only when there is no other possibility for clarifying a specific suspicion of a criminal offence in the company; (iii) clear conditions should be specified with regard to overt monitoring measures.
- Transparency in particular should protect employees when artificial intelligence is used in connection with the employment relationship.
- For applicants, it should be expressly specified which questions are permissible and under which requirements medical examinations can be carried out as part of job application processes.
- In the area of particularly sensitive data, e.g., health data, typical case groups should be used to determine specifically when the employer may process such data in exceptional cases. Regulations should be adopted for biometric data in particular.
- For data processing for which balancing of interests is required, the legislator intends to create manageable criteria for this balancing.
- The voluntariness of consent of employees is always a matter of controversial discussion. In many cases, the voluntariness of such a declaration of consent is negated due to the existing dependency relationship. Here too, the legislator intends to provide assistance with specific application examples.
- Data transmission within a company group should be regulated for practice-relevant use cases, such as the centralized administrative organization.
- To secure the rights of data subjects, deletion obligations, for example, should be defined for employers regarding applicants’ data. In addition, at least the procedural bans on exploitation in case of impermissible data processing should be examined.
- It should also be examined (i) whether regulations for "Bring-Your-Own-Device", i.e., use of private end devices for work activity, are necessary, (ii) whether the Works Council Modernization Act (Betriebsrätemodernisierungsgesetz) must be amended in terms of socio-ecological transformation and digitization, and (iii) whether clarifications and specifications for collective agreements are possible as regulations for data processing in the employment context.
II. Conclusion and outlook
The catalog of proposals of both ministries for the creation of a new German Employee Data Protection Act sounds very promising. Many of the controversial topics in German jurisprudence and literature, such as the permissibility of monitoring employees or the voluntariness of consent in the employment context, should be expressly regulated under the law. Thus, some of the existing uncertainties could (finally) be eliminated. It would also be desirable to finally settle the question as to whether the regulations concerning telecommunications secrecy are applicable to employers who allow private use of email and internet.
The judgment of the European Court of Justice on the incompatibility of Section 23 HDSIG and therefore that of Section 26(1) sentence 1 BDSG with European law suggests that the legislative process is now gaining momentum. However, the above-mentioned proposals also suggest that the individual regulatory areas are yet to be examined (see above Section I – last bullet point). Draft legislation is therefore not to be expected quickly.
For the time being, data processing in employment relationships must therefore be based on the applicable regulations, particularly Art. 6(1) GDPR. For data processing that requires the balancing of interests, the casuistry of the labor and administrative courts in particular must continue to be observed. However, the proposals for a new Employee Data Protection Act may already contain starting points here and there for the future statutory regulations, so they should at least be taken into account when new data processing is introduced.