Update Data Protection No. 101
The German Works Council Modernisation Act [Betriebsrätemodernisierungsgesetz] clarifies: The employer is controller for data processed by the works council — what needs to be considered now?
Sec. 79a of the German Works Constitution Act (BetrVG), which was implemented by the German Works Council Modernisation Act and has been in force since 18 June 2021, stipulates that the employer is controller for the works council's data processing. The discussion that has prevailed since the GDPR came into force regarding the question of whether the works council is considered an independent controller because of its freedom from instruction (e. g. represented by the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg) or is rather seen as belonging to the employer because of the close cooperation, has come to an end. On closer inspection, however, many questions remain unanswered, despite the legal clarification.
A. New regulation of the BetrVG
Sec. 79a sentence 2 BetrVG explicitly clarifies that the employer is controller for data processed by the works council, insofar as this processing is performed in order to fulfil the tasks for which the works council is responsible. The German Federal Ministry of Labour and Social Affairs (BMAS) justifies this assignment of responsibility by the fact that the works council is not a legally independent institution.
The other provisions of Sec. 79a BetrVG state, however, that the works council should not be treated like an ordinary part of a controller. Sentence 1 stipulates that the works council itself must comply with data protection regulations. Such a separate obligation for parts of the controller is not compatible with the data protection system of the GDPR. Since, according to the GDPR, only the controller is obliged to comply with data protection regulations and enforce them internally.
Sentence 3 also stipulates a cooperation requirement between the works council and the employer, obliging the two parties to provide mutual support. As an example of this cooperation, the BMAS specifies in the explanatory memorandum that the employer must keep records of processing activities, but the works council is responsible for the implementation of the technical and organisational measures. Such a distribution of responsibilities rather reminds of joint controllership pursuant to Art. 26 GDPR.
In the light of European law it is questionable that the new regulation declares the employer as sole controller for data processing in the works council office. It is true that the Member States can determine themselves who is controller for certain types of data processing. However, Art. 4 No. 7 half sentence 2 GDPR only allows this if both the purposes and means of data processing are specified. This is not the case with the processing of employee data by the works council. In fact, the works council alone decides for what reason and how to process employee data. Due to the direct application of the GDPR, Sec. 79a BetrVG would not be applicable if it violates European law. That will ultimately be up to the courts to decide.
The obligation for works councils to adhere to data protection regulations and the principle of cooperation creates a special role for them. On the one hand, this seems necessary because works councils cannot be treated like a normal part of an employer due to their intra-organisational independence and freedom from instruction. This is the case because the employer only has a very limited influence on the implementation of data protection measures within the works council. On the other hand, such a construct is not compatible with data protection principles and will inevitably lead to problems and questions. It is not specified how the cooperation is to take place in specific terms. There is also no regulation of what happens if a works council refuses to cooperate and the employer is therefore unable to fulfil its obligations as controller (in particular the rights of data subject or the implementation of appropriate safety standards). The legislator assigns liability for data protection violations under the area of activity of the works council to the employer in its role as sole controller for data processing, without the employer being able to prevent such violations. This threatens serious gaps in protection.
C. Recommended action
The employer and works council should conclude a works agreement on their data protection cooperation as soon as possible in order to eliminate as many of the uncertainties described above as possible and to reduce liability risks for the employer. In particular, the following areas should be regulated in the works agreement:
- the works council’s support for the employer in fulfilling the rights of the data subjects;
- the work council’s provision of the information required for keeping records of processing activities and privacy policies;
- reporting and notification obligations on the part of the works council in the event of a data protection infringement;
- provisions on the technical methods of processing as well as all related technical and organisational measures for data security;
- regulations for how the works council is advised and controlled by the company data protection officer