Drumbeat by CJEU: No general clauses in employee data protection

In its ruling of 30 March 2023 (Case C-34/21), the Court of Justice of the European Union (CJEU) has now taken a position on the question of the extent to which the national legislator has (no) leeway in the drafting of clauses in employee data protection. The background to the decision was a referral on a provision in the Hessian employee data protection law, which is almost identical in wording to the provision in Section 26 para. 1 cl. 1 of the Federal Data Protection Act (Bundesdatenschutzgesetz “BDSG”). The core statement of the CJEU can be summarised as follows: national general clauses issued in the context of employment are inapplicable, as they contradict the opening clause of Article 88 of the GDPR.

The following article is intended to show the legal background of the decision and the resulting practical implications.

Background to the decision

The purpose of the GDPR- compare recital 3 - is to achieve a European data protection law that is as harmonised as possible. This means that it is not possible for the national legislator to create independent standards on data protection without further ado. If the GDPR already clearly addresses a certain issue, national regulations created in this context are generally inapplicable (so-called primacy of application). At the same time, the so-called prohibition of the repetition of norms must be observed, which in principle prohibits the national legislator from merely repeating European regulations in identical wording.

An exception to this, however, are so-called opening clauses. This mechanism enables the national legislator - to the extent provided for in each case - to enact independent regulations on a matter which actually represents a self-contained set of rules. The mechanism was adopted in the GDPR in particular in connection with employee data protection, as there are some differences in this respect in the respective member states.

The aforementioned opening clause of Article 88 para. 1 of the GDPR therefore enables the national legislator to enact "more specific regulations" in employee data protection. This is specified in Article 88 para. 2 of the GDPR to the effect that these regulations must meet certain minimum requirements, for example by providing for appropriate and specific measures to safeguard human dignity, legitimate interests and the fundamental rights of the data subject. In addition, the corresponding regulations must be more "specific", which in particular prohibits a mere repetition of the provisions of the GDPR.

The German legislator has used the aforementioned opening clause to the extent that it has transferred the provision in the old Federal Data Protection Act, which was already provided for before the entry into force of the GDPR, almost word-for-word into the new provision of Section 26 para. 1 cl. 1 BDSG. According to this provision, personal data of employees may be processed if this is necessary for the establishment, implementation or termination of an employment relationship. Similar provisions are also partly contained in the data protection laws of the individual federal states.

The question that the CJEU now had to ask itself - in the specific case of Hessian employee data protection - was which concrete requirements were imposed by the provision of Article 88 of the GDPR. At the same time, the CJEU was to rule on how to proceed in the absence of these requirements.

The CJEU has now made it clear in unambiguous terms that general clauses in employee data protection are inapplicable, as they do not constitute more specific rules within the meaning of Article 88 para. 1 of the GDPR. The provision of Section 26 para. 1 cl. 1 BDSG - as well as comparable provisions in the data protection laws of the federal states - are therefore no longer suitable to reflect the processing of personal data in the context of employment. These regulations neither stand out separately from the general regulation of Article 6 para. 1 (b) of the GDPR, nor are the special requirements of Article 88 para. 2 of the GDPR implemented accordingly.

What are the practical implications of the decision?

For companies and employers, this means that in the future - as far as the "classic" processing processes in the employment relationship are concerned - the rules of the GDPR must be applied. Thus, the processing of personal data will continue to be permissible if it is necessary for the performance of a contract - such as an employment contract - in accordance with Article 6 para. 1 (b) of the GDRP. However, if the necessity cannot be regarded as given in the individual case, the balancing of interests clause of Article 6 para. 1 (f) of the GDPR must sometimes be used, unless the employees' consent is obtained. While in the majority of practically significant cases there will probably be no major innovations, the labour courts in particular will have to give up some of their influence on employee data protection. Whereas previously in labour law disputes only the provision of Section 26 para. 1 cl. 1 BDSG had to be interpreted, it is now a matter of interpreting and applying directly European law provisions, which may or must lead to a referral to the CJEU. Overall, it can therefore be assumed that there will be greater standardisation of employee data protection.

However, it should be expressly noted at this point that it is currently unclear how the above-mentioned decision of the CJEU will affect the other paragraphs in Section 26 of the BDSG. While the provision of Section 26 para. 1 cl. 2 BDSG - due to its context in connection with the detection of criminal offences - may be considered specific enough, the provision of Section 26 para. 3 BDSG in particular will play an important role in the discussion. The above provision allows the processing of special categories of personal data in the employment relationship and can (also) be based on the opening clause of Article 9 para. 2 (b) of the GDPR. Section 26 para. 3 cl. 2 in conjunction with Section 22 para. 2 BDSG also provides for a data protection clause. Section 22 para. 2 of the BDSG establishes specific measures for this processing context. It also remains possible to obtain consent under data protection law and to create employment-specific regulations in a works agreement as provided for in Section 26 para. 4 BDSG.

The decision of the CJEU nevertheless thoroughly shakes up German employee data protection, at least once. This is nothing new insofar as the Data Protection Conference (Datenschutzkonferenz “DSK”) already stated in its resolution of 29 April 2022 that Section 26 of the BDSG was "not sufficiently practicable, clear and appropriate".

Practical advice

The above explanations are, of course, largely of a dogmatic nature, as they do not have any practically noticeable effects on a large number of processing operations. Insofar as data processing for the purposes of implementing the employment relationship cannot be ignored, it will continue to be permissible. Nevertheless, companies should take the decision of the CJEU seriously, as it will nevertheless have a noticeable effect on seemingly unimportant parameters.

In this respect, data protection notices pursuant to Article 13 of the GDPR, which must be made available to the data subjects both in the employment relationship and in the application process, are of particular practical importance. These should be adapted, at least in the medium term, to the effect that primarily the legal bases provided for in the GDPR must be stated. Whether the provision of Section 26 of the BDSG should (also) continue to be cited - for clarification purposes, for example - is probably a matter of taste. Although the decision of the CJEU does not explicitly address the applicability of Section 26 BDSG, the statements made there can hardly be ignored. It is therefore advisable to at least primarily name the relevant provisions of the GDPR, especially in order to avoid any "mistakes" in finding the now relevant legal basis as early as possible.

Until the German legislator has reacted to the judgment of the CJEU, companies must now convert the relevant legal basis to the GDPR. For companies operating on a group-wide basis, this may even be easier, as fewer national peculiarities have to be taken into account.

We will be happy to answer any questions you may have in the context of employment data protection and will also be pleased to provide you with a concrete recommendation for action.