Employee Data Protection in Germany
How are employers and employees subject to data protection law?
Employee data protection is becoming increasingly important in the daily practice as a result of a gradually digitalized working environment. Data are not only produced when working at modern workstations using IT-infrastructures but also at various conceivable work steps involving the use of technical aids.
Ban on Handling Personal Data in Germany
Due to the constitutionally protected informational self-determination in Germany, the
- collection,
- processing, and
- use
of an employee's personal data by an employer is legally permitted in certain cases only and prohibited in all others. Infringements of employee data privacy regulations may entail heavy fines.
German employers should therefore ensure they observe data protection regulations and make the company's internal processes compliant. This applies in particular as the General Data Protection Regulation (GDPR), by which data privacy laws have been revised and strengthened, entered into force in May 2018.
Prohibition with reservation of permission and justification
According to German data protection law, the handling of personal data is subject to a general prohibition with a reservation of permission. This also applies to employment relationships and data privacy for employees.
The collection, processing, and use of personal data is, hence, only admissible if expressly permitted by law or other legal provision or if the employee has given his/her consent. The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) expressly provides that the collection, processing, and use of personal data is permitted if required in the context of
- taking a decision on whether to establish an employment relationship (selecting candidates naturally involves the collection and processing of personal data), and
- executing or terminating an employment relationship (this applies especially to payroll accounting and keeping personnel files).
Company policies necessary
In view of the open wording of the BDSG regarding employee data protection, companies should conclude their own company policies with regard to any other type of data collection or use that may be relevant for the employment relationship, including
- the use of the company's means of information and telecommunication, including any private use by an employee where appropriate (so-called IT policy);
- the use of an electronic time-recording system;
- the possibility to analyze call and internet logs by the employer, where appropriate; or
- video monitoring at the company, where appropriate.
The legally compliant drafting of such company policies often causes problems to companies and organizations in Germany. We will be pleased to determine the need for regulations within your company and assist you step by step in drafting, negotiating, and concluding legally valid company policies.
Employee consent of minor significance
When collecting or processing data as part of the employment relationship, the employee's consent is only of minor significance as a justification because the employee can revoke it at any time.
Certain situations involving aspects of data protection law cannot be solved by way of comprehensive company policies, however. In such cases, the employer may need the employee's consent. As the wording of an adequately defined consent has to meet stringent legal requirements, there are numerous sources of errors lurking here. Our German employment law attorneys will be pleased to assist you in drafting a legally compliant wording.
Data protection officer for 20 or more employees
In companies employing 20 or more employees, the employer has to appoint a data protection officer to monitor compliance with the Federal Data Protection Act. At the same time, the works council is entitled to demand information from the employer within the scope of its general monitoring tasks.
In relations with the data protection officer and/or the employer, conflicts regularly occur when the works council believes that applicable data protection regulations are inadequately or not at all observed by the employer. Even in this regard, the employer will be well advised to set up work processes in line with the strict statutory provisions and to make sure they are complied with.
Take care when transmitting German employee data
Special care must be taken when transmitting employee data within a group of companies or in matrix organization structures as no intra-group exemption rule applies with respect to employee data security.
According to the limits set by the German federal data protection law, only the employer company is entitled to collect, process, and use the data, but no other group company. This applies even if such other company runs the HR department for the whole group. In this case, the conclusion of a (group-wide) company policy is recommended.
Heavy fines for employers in Germany
According to the GDPR, among other aspects, the obligations imposed on employers with respect to the production of documentation and other supporting material are very stringent. Infringements regarding the employee data privacy may be severely punished due to the new provisions relating to applicable fines.
Fines of up to 4% of the overall global turnover will be possible. At the same time, any natural persons involved may be exposed to fines up to EUR 20 million. To avoid such consequences, we can help you in drafting and implementing a legally compliant employee data protection policy.
Your German lawyers for employee data protection
Our attorneys for all issues relating to German employment law and employee data protection are happy to assist. Please contact us by e-mail (info@winheller.com) or by phone (+49 69 76 75 77 85 29).
Employment Law: Recent blog posts
Do you need support?
Do you have questions about our services or would you like to arrange a personal consultation? We look forward to hearing from you! Please fill in the following information.
Or give us a call: +49 69 76 75 77 85 29