The new data protection in labor law after the 25.05.2018

Since there are no special regulations on employee data protection in the GDPR, Art. 88 DSGVO is of crucial importance. This opening clause allows the German legislator to make independent regulations in the field of employee data protection. This applies, for example, to the topics of data processing for the purpose of recruitment, fulfillment of employment obligations, planning and organization of work, health and safety at work or for the purpose of terminating the employment contract.

Employee privacy is always relevant when it comes to the processing of personal data. This does not only apply to electronic processing. It captures virtually every information about the individual employee, even if this z. B. only handwritten nature. Employee data protection therefore also involves handwritten notes, application folders, questions in the interview, etc.

The following applies - even according to the new legal situation! - In employee data protection, the fact that the collection and processing of personal data is regulated as a prohibition with reservation of permission. This means that the collection or processing of personal data is only permitted if this is permitted by a legal norm or the person concerned has consented. In addition to the special § 26 BDSG, the more general norms of Art. 6 Paragraph 1 GDPR and Art. 9 Paragraph 2 GDPR can also be considered as permissions.

In addition to the permit standards for data collection and processing specified in the Act, according to the new legislation, company agreements are now also possible (§ 26 Paragraph 4 BDSG). However, the relevant company agreements must provide for appropriate and specific measures to safeguard the human dignity of the legitimate interests and the fundamental rights of data subjects. This requires, in particular, that the company agreements meet the requirements for data collection / processing and also withstand the balancing of interests required by the case law. Older works agreements must be checked in this regard, as there is no grandfathering protection.

In order to remove the prohibition of data collection, there is also the possibility of the consent of the employee concerned. However, this requires compliance with special requirements. Thus, the conclusion of an employment contract can not be made dependent on consent to data processing, unless the data processing is mandatory for the employment relationship.

The new employee data protection also regulates extinguishing obligations of the employer. Here is the principle that data should be deleted when it is no longer necessary. This means that data must not only be deleted at the request of the employee, but the employer must independently and constantly check this. For example, application folders / documents must be destroyed or deleted by the employer if the assertion of claims under the General Equal Treatment Act can not be expected. In each case, the statutory limitation periods plus a possible safety margin are to be set in terms of time.

Overall, it should be noted that the new employment data protection is based to a considerable extent on the previous legal situation, which should at least lead to a degree of legal certainty. On the other hand, new regulations have to be observed, which in particular will lead to information and extinguishing requirements playing a far greater role in practice. Employers should not take these regulations lightly, as they face serious penalties for violations. In that regard, legal advice and protection by a lawyer specializing in data protection is essential.