The new data protection in labor law after the 25.05.2018
As part of the European standardization of data protection, the new DSGVO came into force on 25.05.2018.
In this context, the BDSG applicable to Germany was also reformed to a considerable extent. For labor law data protection, this means a few innovations. We will show you selected examples of where new data protection regulations come to fruition and where the previous legal position on employee data protection continues to apply.
The aim of the introduction of the GDPR was the harmonization of data protection within the European Union. However, this objective was only partially achieved in the field of employment law, since the GDPR contains numerous opening clauses in this area, according to which the individual member states can make their own regulations for employee data protection. This circumstance made the comprehensive reform of the BDSG necessary for Germany. The BDSG thus continues to play a decisive role in the area of employee data protection. For labor law advice, this means that in the future, both the provisions of the GDPR and those of the BDSG, which are linked by numerous cross-references, must be observed for employee data protection.
Since there are no special regulations on employee data protection in the GDPR, Art. 88 DSGVO is of crucial importance. This opening clause allows the German legislator to make independent regulations in the field of employee data protection. This applies, for example, to the topics of data processing for the purpose of recruitment, fulfillment of employment obligations, planning and organization of work, health and safety at work or for the purpose of terminating the employment contract.
The opening clause was made use of by the new § 26 BDSG (Data Processing for the Purpose of Employment). In the new version, the German legislature has mainly based on the former § 32 BDSG. However, a few additional provisions have now been made, most of which have only a clarification function.
Employee privacy is always relevant when it comes to the processing of personal data. This does not only apply to electronic processing. It captures virtually every information about the individual employee, even if this z. B. only handwritten nature. Employee data protection therefore also involves handwritten notes, application folders, questions in the interview, etc.
The following applies - even according to the new legal situation! - In employee data protection, the fact that the collection and processing of personal data is regulated as a prohibition with reservation of permission. This means that the collection or processing of personal data is only permitted if this is permitted by a legal norm or the person concerned has consented. In addition to the special § 26 BDSG, the more general norms of Art. 6 Paragraph 1 GDPR and Art. 9 Paragraph 2 GDPR can also be considered as permissions.
§ 26 BDSG, the new central standard in employee data protection, allows, for example, the collection, storage and processing of personal data, if necessary for purposes of establishing, carrying out or terminating the employment relationship or for exercising / fulfilling rights and obligations towards the employees' advocacy is. The term "necessary" requires a balance between the different legal positions of employers and employees. This has been handled by the jurisdiction so far, so that there are no changes here by the new § 26 BDSG. The new § 26 BDSG, however, does not conclusively clarify whether, for example, preventive measures by the employer to prevent crime in the workplace have a legal basis in § 26 BDSG. For the most part, this is currently the case, but it is not undisputed.
In addition to the permit standards for data collection and processing specified in the Act, according to the new legislation, company agreements are now also possible (§ 26 Paragraph 4 BDSG). However, the relevant company agreements must provide for appropriate and specific measures to safeguard the human dignity of the legitimate interests and the fundamental rights of data subjects. This requires, in particular, that the company agreements meet the requirements for data collection / processing and also withstand the balancing of interests required by the case law. Older works agreements must be checked in this regard, as there is no grandfathering protection.
In order to remove the prohibition of data collection, there is also the possibility of the consent of the employee concerned. However, this requires compliance with special requirements. Thus, the conclusion of an employment contract can not be made dependent on consent to data processing, unless the data processing is mandatory for the employment relationship.
The consent of the employee must be given in writing, § 26 paragraph 2 sentence 3 BDSG. However, the consent can be revoked at any time by the employee at any time. The employer must explicitly point this out.
It is recommended for the future that the employment contract and consent to data collection / processing should not be combined in one document but should be signed separately by the employee.
The new employee data protection also regulates extinguishing obligations of the employer. Here is the principle that data should be deleted when it is no longer necessary. This means that data must not only be deleted at the request of the employee, but the employer must independently and constantly check this. For example, application folders / documents must be destroyed or deleted by the employer if the assertion of claims under the General Equal Treatment Act can not be expected. In each case, the statutory limitation periods plus a possible safety margin are to be set in terms of time.
Overall, it should be noted that the new employment data protection is based to a considerable extent on the previous legal situation, which should at least lead to a degree of legal certainty. On the other hand, new regulations have to be observed, which in particular will lead to information and extinguishing requirements playing a far greater role in practice. Employers should not take these regulations lightly, as they face serious penalties for violations. In that regard, legal advice and protection by a lawyer specializing in data protection is essential.