The waves are running high: No more legal basis for processing personal data in the employment relationship? In its ruling of 30 March 2023 (C-34/21), the ECJ declared Section 23(1) sentence 1 of the Hessian Data Protection and Freedom of Information Act (HDSIG) and Section 86(4) of the Hessian Civil Service Act (HBG) to be incompatible with Article 88(1) and (2) of the GDPR. The excitement is great, as this contradicts the consistent case law of the Federal Labour Court, which previously considered Section 26 BDSG, which is almost congruent in its wording, to be “manifestly” compatible with Article 88 DSGVO (most recently BAGE 166, 309 marginal no. 47 f. = NZA 2019, 1218). This article will explain why it is not advisable to get too excited.
The original proceedings
During the Covid 19 pandemic, measures were taken throughout Germany to maintain the schooling of pupils; this was also the case in Hesse. The conversion from face-to-face to digital teaching was one of the central measures, which also sparked the present dispute.
The Ministry of Education and Cultural Affairs of Hesse therefore arranged for pupils to be able to participate in lessons by connecting via a video conferencing service. In accordance with data protection regulations, consent was obtained from the students or their parents. For the teachers, the regulation did not provide for any leeway in decision-making; anyone who taught for the state could be obliged to hold live-stream lessons, for which § 23 para. 1 p. 1 HDSIG was used as the legal basis. This norm thus became the subject of the subsequent administrative court proceedings:
Personal data of employees may be processed for the purposes of the employment relationship if this is necessary (…) after the establishment of the employment relationship for its implementation (…).
The Wiesbaden Administrative Court had doubts about the compatibility of Section 23(1) sentence 1 of the HDSIG and Section 86(4) of the HBG, which is relevant for civil servants, with Article 88(2) of the GDPR and referred two questions to the ECJ for a preliminary ruling:
- Is Article 88(1) of the GDPR to be interpreted as meaning that, in order to be a more specific provision ensuring the protection of rights and freedoms with regard to the processing of personal employee data in the employment context within the meaning of Article 88(1) of the GDPR, a legal provision must meet the requirements imposed on such provisions under Article 88(2) of the GDPR?
- If a national provision clearly does not meet the requirements under Article 88(2) of the GDPR, can it still remain applicable?
The decision of the ECJ
First question:
In answer to the first question, the ECJ states fundamentally:
Member States “may” provide for more specific rules, i.e. they have a margin of appreciation. However, this discretion may not be exercised in such a way that it violates the provisions and objectives of the GDPR and leads to a breach of harmonisation. It must be taken into account that Art. 88 (1) GDPR speaks of “more specific provisions”; however, a provision can only be “more specific” if it regulates “more” than the general rules of the GDPR.
Second question:
The GDPR not only provides for a possibility for the national legislator to legislate in Art. 88(1) and (2) GDPR, opening clauses can also be found in other places in the GDPR. For example, the ECJ points out that Article 6 (3) sentence 1 no. 2 of the GDPR in conjunction with recital 45 of the GDPR is not applicable. Recital 45 of the GDPR provides that the legal basis for processing pursuant to Article 6(1)(c) and (e) of the GDPR is determined by the law of the member states. The GDPR thus leaves a “back door” that allows to keep a provision that has already been enacted, even if it was originally intended to flesh out Art. 88 (1). While the application of the opening clause from Art. 88(1) may not be exhausted in the repetition of the legal bases of Art. 6(1) of the GDPR, Art. 6(3) of the GDPR refers to processing pursuant to Art. 6(1) sentence lit. c and e of the GDPR and merely provides the framework for these. Thus, it is in any case conceivable in principle to maintain Member State standards via this opening clause.
The effects of the decision
section 23 (1) sentence 1 HDSIG is confusingly similar to Section 26 (1) sentence 1 BDSG:
§ 23 para. 1 sentence 1 HDSIG | § Section 26(1) sentence 1 BDSG |
Personal data of employees may be processed for purposes of the employment relationship if this is necessaryfor the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation, termination or settlement as well as for the implementationof internal planning, organisational, social and personnel measures. | Personal data of employees may be processed for purposes of the employment relationship if this is necessary for thedecision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination or for the exercise or fulfilment of the rights and obligations of the employees’ interest representation resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement). |
Other Länder also provide for similar standards, which are therefore equally affected by the ECJ’s ruling: Section 26 (1) sentence 1 of the Brandenburg Data Protection Act, Section 10 (1) sentence 1 of the Mecklenburg-Western Pomerania Data Protection Act and Section 18 (1) sentence 1 of the North Rhine-Westphalia Data Protection Act shall only be cited as examples.
With its decision, the ECJ emphasises the prohibition of repetition of norms under Union law: since the GDPR has direct effect in the Member States, it is also directly part of the legal order of each Member State. Its validity does not require any conversion into national law. Therefore, an implementation of regulations by legislators of the member states is not only superfluous, but impermissible (Roßnagel / Roßnagel, Europäische Datenschutz-Grundverordnung, Vorrang des Unionsrecht – Anwendbarkeit des nationalen Rechts, p. 75). Moreover, the decision results in a confirmation of the legal opinion of the VG Hamburg(ruling of 16.1.2020 – 17 K 3920/19, para. 57), according to which, in addition to Section 26 BDSG, Article 6 (1) sentence 1 lit. e and c DSGVO are also applicable to data processing in the employee context.
As the comparison of Section 23 (1) sentence 1 HDSIG at issue with Section 26 (1) sentence 1 BDSG shows, the wording of both norms is almost identical; both norms ultimately permit data processing that is necessary for the purposes of the employment relationship in a general clause-like manner. As in the legal framework set by the GDPR, the purpose specifically pursued by the data processing determines the applicability of Section 26 BDSG Schwartmann/Jaspers/Thüsing/Kugelmann / Thüsing/Schmidt, 2nd ed. 2020, Annex GDPR Art. 88 para. 2 ff).
The ECJ has now established this parallelism with the GDPR (para. 81) with regard to the German provisions at issue: since these provide that the processing of personal employee data must be necessary for certain purposes in connection with the performance of an employment or service relationship and this must be necessary for the performance of the employment or service relationship, the processing of personal employee data must be necessary for certain purposes in connection with the performance of the employment or service relationship. Since they provide that the processing of personal employee data must be necessary for specific purposes in connection with the performance of an employment or service relationship and this is already the condition for the general lawfulness of the processing set out in Article 6(1)(b) of the GDPR, they merely repeat a provision of EU law without adding a more specific provision within the meaning of Article 88(1) of the GDPR. It is precisely this inadmissible repetition of content by merely transferring the necessity standard to Section 26 BDSG that the ECJ now appears to declare inadmissible(Thüsing / Peisker, NZA 2023, 213).
Of course, it could be countered that the open-ended proportionality assessment in Section 26 BDSG within necessity is intended precisely to take into account circumstances that affect the human dignity, legitimate interests or fundamental rights of the data subject, as required by Article 88 (2) of the GDPR, since data processing may not impose an excessive burden on the data subject according to the established case law of the BAG(Thüsing / Peisker, NZA 2023, 213 (214)).
In data protection practice in companies, however, this rather academic consideration is unlikely to be fruitful and ultimately the new regulation of German employment data protection, which is already set out in the current coalition agreement of the German government, will have to be awaited.
The practice until the new regulation by the German legislator
Since the ECJ is attacking the parallelism of the German norms with those of the GDPR, it also follows that employers are not left without a legal basis for data processing in the context of employees. Even if the ruling only has direct effect inter partes, i.e. between the parties to the legal dispute, and a final decision will only be made by the VG Frankfurt a.M., which took over the case from the Wiesbaden Administrative Court due to a redistribution of jurisdiction, the German data protection supervisory authorities will adapt their practice.
For companies, this means that data processing from areas central to employment relationships, such as recruiting, staff deployment, work organisation and control, will have to be assessed in accordance with Art. 6(1)(b) or (f) of the GDPR in the future. Where the relevant legal bases are stored in the data protection documentation – in particular the list of processing activities pursuant to Art. 30 of the GDPR – adjustments must be made. The other contents of Section 26 BDSG, such as the investigation of criminal offences or the extended requirements for consent in the employment relationship, on the other hand, are not likely to be affected by the ECJ case law. In this respect, the assessment of the Hamburg Commissioner for Data Protection and Freedom of Information that Section 26 BDSG is likely to be considered inapplicable with the decision of the ECJ appears too far-reaching. Insofar as the individual regulatory contents of Section 26 BDSG are more specific than the requirements of the GDPR, in particular from Article 6 (1), this is still covered by the opening clause from Article 88 (1) of the GDPR.
Conclusion
The decision results above all in a need for action for the legislator, who is now called upon to implement the legislative plan already anticipated in the coalition agreement. For data protection practice in companies, however, there is no reason to sound the alarm bells now. However, it is advisable to adapt the legal basis in the data protection documentation and to wait for the practice of the supervisory authorities and, above all, the subsequent case law. The topic of data protection in the context of employees is more topical than ever.