The General Data Protection Regulation (GDPR) entered into force

On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force harmonizing the regulations for the processing of personal data by companies and public authorities within the EU. Under the GDPR, employees’ data protection rights are significantly reinforced. Infringement of the GDPR regulations may now result in high administrative fines of up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year. Therefore employers are urgently advised to ensure compliance with the GDPR.

Particularly, the common practice of obtaining an employee’s individual consent to the processing of their personal data will in most cases not provide a sufficient legal basis to ensure compliance with the GDPR. Rather, employers should provide candidates and employees with detailed privacy notices, informing them on the legal bases for the processing of their personal data and their respective rights.

Works agreements with works councils will continue to be permissible as a legal basis for the processing of employee data. However, the GDPR sets up new strict prerequisites for works agreements which regulate the processing of employee data. In particular, Article 88 para. 2 GDPR requires them to include “suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.”

Employers whose works agreements are not yet compliant with the GDPR should, as a first step, consider concluding a framework works agreement on the implementation of the GDPR with the works council. Such framework agreement should contain general guidelines for the transfer of the requirements of the GDPR to existing works agreements and clarify that they are to be applied and interpreted in conformity with the GDPR. In this context, it is advisable for such a framework agreement to be drafted in as much detail as possible in order to meet the requirements of the GDPR. Such a framework agreement may also have to be followed up with specific updates to the existing works agreements.