Authors: Eleni Alexiou, Katharina Pauls
Although key German provisions are in breach of EU law, there will be only minor changes in practice – what still needs to be taken into account
On 30 March 2023, the European Court of Justice (ECJ) ruled on the requirements for national legal bases regarding employee data protection in the context of a referral procedure. Based on its ruling, the German provision that gave rise to the referral procedure (Sec. 23 (1) sentence 1 of the Data Protection and Freedom of Information Act of the German federal state of Hessen – HDSIG) is in all likelihood contrary to EU law, as it does not comply with the requirements of the opening clause in Art. 88 of the General Data Protection Regulation (GDPR). Sec. 23 (1) sentence 1 HDSIG, as a key provision regarding employee data protection, regulates the permissibility of processing personal data by public bodies in the German federal state of Hessen. Since the provision is almost identical in wording to the corresponding key German federal provision in Sec. 26 (1) sentence 1 of the Federal Data Protection Act (BDSG), the ruling is also of nationwide significance in the non-public sector. Employers in Germany have so far extensively relied on Sec. 26 (1) sentence 1 BDSG as the legal basis for processing personal data of their employees. This practice should now be reviewed and – where necessary – adjusted.
The case decided by the ECJ (C-34/21) is based on a reference for a preliminary ruling of the Administrative Court of Wiesbaden. The referring court dealt with Sec. 23 (1) sentence 1 HDSIG in the context of a legal dispute and doubted its conformity with EU law. Due to the opening clause in Art. 88 GDPR, national legislators have a wide scope for legislation regarding the processing of employees' personal data in the employment context and may create their own legal bases in this respect. However, according to Art. 88 (1) GDPR, an essential prerequisite for this is that the provisions are “more specific”. Sec. 23 (1) sentence 1 HDSIG, though, merely reflects the content of Art. 6 (1) (b) GDPR, which is why the referring court questioned whether this can be a “more specific” provision. The court then asked the ECJ, on the one hand, what makes a legal provision more specific within the meaning of Art. 88 (1) GDPR and, on the other hand, whether a provision can remain applicable even if it does not meet the requirements of the opening clause.
In his opinion published on 22 September 2022, the Advocate General stated that he does not consider the requirements of the opening clause to be met in the provision of the German federal state of Hessen. It would merely be a repetition of the provisions of Art. 6, 88 (1) and 5 GDPR and not a more specific provision as required by Art. 88 (1) GDPR. A legal provision issued by a member state is only a “more specific” provision within the meaning of Art. 88 (1) GDPR if it meets the specific requirements of Art. 88 (2) GDPR, which is not the case with Sec. 23 (1) sentence 1 HDSIG. The provision is therefore considered to be contrary to EU law and superfluous.
The ECJ has now endorsed the view of the Advocate General in its ruling issued on 30 March 2023. According to the ECJ, a “more specific provision” within the meaning of Art. 88 GDPR may not be limited to repeating the provisions of the GDPR but must meet the requirements of Art. 88 (2) GDPR and therefore include “specific measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subject[s]”. Even though it is ultimately the responsibility of the Administrative Court of Wiesbaden to decide whether Sec. 23 (1) sentence 1 HDSIG meets these requirements, the ECJ makes it clear in its ruling that in its view this is not the case: Sec. 23 (1) sentence 1 HDSIG merely repeats the conditions for lawful processing set out in Art. 6 (1) (b) GDPR. It can be assumed that the Administrative Court of Wiesbaden shares this view. This would have the consequence that Sec. 23 (1) sentence 1 HDSIG would in principle be inapplicable and could not constitute an effective legal basis for the processing of personal data. An exception to this – based on the ruling of the ECJ – would only apply if the provision constituted a legal basis within the meaning of Art. 6 (3) GDPR, which, if at all, would only be the case in narrowly defined scenarios.
The wording of the provision of the German federal state of Hessen largely corresponds to that of the corresponding German federal provision, Sec. 26 (1) sentence 1 BDSG. German employers broadly base their processing of personal data in the employment context on this provision, as it allows processing for hiring decisions or, after hiring, for carrying out or terminating the employment contract, if this is necessary. Accordingly, the ECJ’s ruling is also likely to have an indirect impact on the German federal provision. Even though the ECJ did not directly address Sec. 26 (1) sentence 1 BDSG (due to lack of relevance to the questions to be answered), it does mention the provision in its ruling as part of the “legal framework” and thus emphasizes its relevance at the federal level as well. Even though this may seem alarming at first, the consequences of the ruling are quite limited at second glance. Nevertheless, employers should now take action (please see below).
Consequences of the decision in practice
In practice, the question arises as to what concrete significance the ECJ’s decision has for German employers with regard to the processing of employee data.
In light of the ECJ ruling, it is indeed possible that Sec. 26 (1) sentence 1 BDSG cannot be classified as a “specific provision” within the meaning of Art. 88 GDPR either and is therefore (in general) inapplicable. Just like Sec. 23 (1) sentence 1 HDSIG, the German federal provision does not contain a more specific regulation that goes beyond the GDPR.
Furthermore, it seems likely that Sec. 26 (3) BDSG could also be contrary to EU law for the same reasons: This provision regulates the processing of special categories of personal data, such as health data, of employees. However, the processing requirements are only marginally more specific than the corresponding regulation in Art. 9 (2) (b) GDPR. In addition, only a further balancing of interests is included (“the processing … is permissible if … there is no reason to assume that the data subject’s legitimate interest in the exclusion of the processing overrides”).
Even if this has not yet been decided by the courts, employers are already well advised at this point in time to cite Art. 6 (1) (b) GDPR as a legal basis at least in addition to Sec. 26 (1) sentence 1 BDSG or Art. 9 (2) (b) GDPR in addition to Sec. 26 (3) BDSG. However, this should not change which processing activities they are permitted to carry out. For documents such as privacy notices, records of processing activities and/or data protection impact assessments, in which Sec. 26 (1) sentence 1 BDSG is mentioned as a legal basis, an adjustment is recommended as part of a routine audit.
The specific legal basis for the investigation of criminal acts committed by employees (Sec. 26 (1) sentence 2 BDSG) is also likely to remain applicable. This is because it contains requirements that are more specific than the otherwise relevant legal basis of processing on the basis of legitimate interests (Art. 6 (1) (f) GDPR). It is precisely this provision and its specific requirements that are often overlooked by international companies.
The question of the conformity of Sec. 26 BDSG with EU law has been discussed for some time already (so far, the Federal Labor Court has assumed compatibility with EU law). Due to its open wording, the provision has also led to legal uncertainties in other respects when assessing data protection conformity in various matters. In order to address these legal uncertainties, more specific regulations have been demanded by the German legislature and German data protection authorities for a long time already. The fact that these are necessary is now confirmed by the present ruling of the ECJ. With reference to this ruling, the Data Protection Authority Hamburg (“Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) also emphasizes the importance of implementing a new and concise legal framework regulating the processing of personal data in the employment context and has promised to actively take action in pushing forward new legislative measures. While previous legislative initiatives have all failed, it remains to be seen whether the German legislature will now truly go forward and also complete such legislative processes.