Employee Data Protection in Germany

Due to the constitutionally protected informational self-determination in Germany, the

• collection,
• processing, and
• use

of an employee's personal data by an employer is legally permitted in certain cases only and prohibited in all others. Infringements of employee data privacy regulations may entail heavy fines.

German employers should therefore ensure they observe data protection regulations and make the company's internal processes compliant. This applies in particular as the General Data Protection Regulation (GDPR), by which data privacy laws have been revised and strengthened, entered into force in May 2018.

According to German data protection law, the handling of personal data is subject to a general prohibition with a reservation of permission. This also applies to employment relationships and data privacy for employees.

The collection, processing, and use of personal data is, hence, only admissible if expressly permitted by law or other legal provision or if the employee has given his/her consent. The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) expressly provides that the collection, processing, and use of personal data is permitted if required in the context of

• taking a decision on whether to establish an employment relationship (selecting candidates naturally involves the collection and processing of personal data), and
• executing or terminating an employment relationship (this applies especially to payroll accounting and keeping personnel files).

In view of the open wording of the BDSG regarding employee data protection, companies should conclude their own company policies with regard to any other type of data collection or use that may be relevant for the employment relationship, including

• the use of the company's means of information and telecommunication, including any private use by an employee where appropriate (so-called IT policy);
• the use of an electronic time-recording system;
• the possibility to analyze call and internet logs by the employer, where appropriate; or
• video monitoring at the company, where appropriate.  

The legally compliant drafting of such company policies often causes problems to companies and organizations in Germany. We will be pleased to determine the need for regulations within your company and assist you step by step in drafting, negotiating, and concluding legally valid company policies.

When collecting or processing data as part of the employment relationship, the employee's consent is only of minor significance as a justification because the employee can revoke it at any time.

Certain situations involving aspects of data protection law cannot be solved by way of comprehensive company policies, however. In such cases, the employer may need the employee's consent. As the wording of an adequately defined consent has to meet stringent legal requirements, there are numerous sources of errors lurking here. Our German employment law attorneys will be pleased to assist you in drafting a legally compliant wording.

In companies employing 20 or more employees, the employer has to appoint a data protection officer to monitor compliance with the Federal Data Protection Act. At the same time, the works council is entitled to demand information from the employer within the scope of its general monitoring tasks.

In relations with the data protection officer and/or the employer, conflicts regularly occur when the works council believes that applicable data protection regulations are inadequately or not at all observed by the employer. Even in this regard, the employer will be well advised to set up work processes in line with the strict statutory provisions and to make sure they are complied with.

Special care must be taken when transmitting employee data within a group of companies or in matrix organization structures as no intra-group exemption rule applies with respect to employee data security.

According to the limits set by the German federal data protection law, only the employer company is entitled to collect, process, and use the data, but no other group company. This applies even if such other company runs the HR department for the whole group. In this case, the conclusion of a (group-wide) company policy is recommended.

According to the GDPR, among other aspects, the obligations imposed on employers with respect to the production of documentation and other supporting material are very stringent. Infringements regarding the employee data privacy may be severely punished due to the new provisions relating to applicable fines.

Fines of up to 4% of the overall global turnover will be possible. At the same time, any natural persons involved may be exposed to fines up to EUR 20 million. To avoid such consequences, we can help you in drafting and implementing a legally compliant employee data protection policy.