Germany

Status quo of the legislative procedure for an Employee Data Protection Act - need for employers to take action?

18 January 2024 3 min read

By Barbara Angene and Maximilian Plote

At a glance

  • The EU General Data Protection Regulation (GDPR) allows national legislators to adopt provisions that specify data protection requirements in the employment context.
  • Germany has made use of the opening clause the GDPR (Art. 88 GDPR) in Section 26 of the Federal Data Protection Act (BDSG).
  • However, in response to a ruling of the European Court of Justice (ECJ), the Federal Labor Court (BAG) declared Section 26 para. 1 s. 1 BDSG invalid and inapplicable.
  • The responsible ministries have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. A draft announced for the fourth quarter of 2023 has not yet been published.
  • So far, the only indication of possible regulations is a position paper published in April 2023 called ‘Proposals for modern employee data protection’.
  • The implications of the regulations in the paper would be far-reaching for employers.
  • Although the duration of the legislative process cannot be foreseen, employers should take action now by reviewing their data protection documentation and adapt it if necessary.

After several failed attempts in recent decades to summarise and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is making a new attempt.

Current legal situation in Germany

Currently, employee data protection in Germany is largely determined by case law. The EU (GDPR) allows national legislators to adopt provisions that specify data protection requirements in the employment context. However, Germany has only made very cautious use of this opening clause under Art. 88 GDPR: Section 26 of the Federal Data Protection Act (BDSG) contains specific requirements relating to the protection of employee data. However, many of the requirements and specifications regulated within Section 26 BDSG have been criticised as being too narrow and not going beyond those of the GDPR.

Even more problematic, however, is the fact that numerous provisions of Section 26 BDSG do not meet the conditions set out in the GDPR (Art. 88 para. 2) for national regulations on employee data protection. The European Court of Justice (ECJ) recently specified the conditions set out in Art. 88 para. 2 GDPR (judgment of 30 March 2023 - C-34/21). The Federal Labor Court (BAG) subsequently declared Section 26 para. 1 s. 1 BDSG invalid and inapplicable, as it did not meet the requirements of the GDPR (decision of 9 May 2023 – 1 ABR 14/22). Other individual provisions in Section 26 BDSG could share this fate in the future.

A new approach and actual regulatory objectives

The responsible ministries have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. However, the draft announced for the fourth quarter of 2023 has not yet been published. So far, the only indication of possible regulations is a position paper published in April 2023 by the Federal Ministry of Labor and Social Affairs and the Federal Ministry of the Interior and Home Affairs called ‘Proposals for modern employee data protection’.

In this paper, the ministries outline the objectives pursued with the bill. For example, the personal scope of application is to be kept as broad as possible in order to also cover solo self-employed platform workers. On the other hand, monitoring measures by the employer, are to be limited in order to avoid constant monitoring pressure. In addition, the conditions under which concealed or open surveillance measures should be permitted are to be regulated. Questions relating to the use of artificial intelligence are also to be addressed in the bill, with particular emphasis on synergy with the EU regulations issued and planned in this regard. Applicants should be better protected with regard to data processing in the recruitment process since this has been identified by the legislator as an area in particular need of protection.

Another aim of the bill is to make the balancing of interests to be carried out with regard to the permissibility of data processing operations more manageable in practice. This will be achieved by shaping the requirements for the voluntary nature of consent. The announced regulations on data transfers within the group are also particularly relevant in practice. In order to further protect employees, data subject rights found in the GDPR are to be extended, with additional rights for employees.

Takeaways for employers

Considering the challenges faced by many companies with regard to requests for information in accordance with Art. 15 GDPR, the announced provisions are likely to result in additional bureaucracy for employers. It remains to be seen what specific changes the Employee Data Protection Act will bring. Employers should take action now: In light of the inapplicability of Section 26 para. 1 s. 1 BDSG and the fact that the enactment of the amendment is not yet foreseeable, they should review their data protection documentation and adapt it if necessary. The ECJ clarified that Section 26 para. 1 s. 1 BDSG is not a suitable authorisation for processing. In this respect, only the provisions of the GDPR can be relied upon.

More to explore

New guidance on personal data protection

Oman

New guidance on personal data protection

On 28 January 2024, a Ministerial Decision came into force, issuing the implementing regulation for Oman‘s personal data protection law.

22 April 2024 4 min read
New measures on generative AI

China

New measures on generative AI

On 13 July 2023, China's Cyberspace Administration of China ( CAC ) and six other regulators have jointly passed the Interim Measures for the Management of Generative Artificial...

24 July 2023 5 min read
Personal Data Protection Decree

Vietnam

Personal Data Protection Decree

The government’s Decree 13/2023/ND-CP dated 17 April 2023 on personal data protection, came into effect on 1 July 2023.

26 March 2024 1 min read
Artificial intelligence and the future of work: The German government provides information on its plans for AI and employee protection

Germany

Artificial intelligence and the future of work: The German government provides information on its plans for AI and employee protection

In response to a comment made by the CDU/CSU parliamentary group, the German government addressed the impact of the use of AI on employees and the labour market.

13 February 2024 3 min read
Data Protection Authority issues recruitment Code of Conduct

Italy

Data Protection Authority issues recruitment Code of Conduct

The Data Protection Authority has published a Code of Conduct that Workforce Supply Agencies must comply with during their recruitment processes.

4 March 2024 1 min read
New York City set to enforce AI law

United States

New York City set to enforce AI law

New York City (NYC) plans to begin enforcing its employment-related artificial intelligence law on 5 July 2023. In this alert, we outline key considerations for NYC employers to...

2 May 2023 5 min read