Tim Wybitul, who is Of Counsel at Hogan Lovells in Frankfurt, provides this analysis of forthcoming German legislation on employee privacy. James Denvil, an associate in our Washington office, contributed to the entry.
Companies with employees in Germany should pay attention to data privacy legislation that is likely to affect their operations this year.
That is because the German government’s ruling coalition has unexpectedly announced that it intends to soon pass employee data protection legislation. The legislation has been highly debated since was first released in 2010, and a revised draft was released on January 10. The revised bill will likely be consulted in the German parliament in late January, and the law would take effect six months after enactment.
The proposed changes to the Federal Data Protection Law (Bundesdatenschutzgesetz or BDSG) would offer limited relief with respect to intra-group data transfers. In the main, however, the new provisions impose additional restrictions on employers; provide little clarity about which data processes are permissible; and will likely remain in effect even after the passage of the EU’s proposed Data Protection Regulation. And in light of the six-month implementation deadline, employers in Germany will be under considerable time pressure to prepare for compliance.
The proposed law would require most companies to change existing HR data privacy compliance programs and policies. For example, the legislation would limit the utility of works council agreements as a justification for data use and likely will require companies to review (and probably renegotiate) existing agreements. A new balancing test will make it more challenging to establish a basis for HR data use. Any breach or unintended use of data will need to be reported to employees regardless of harm. Employers violating the bill’s requirements would be liable for fines of up to 300,000 Euros per infringement. And employees will be able to claim damages for alleged infringements and works councils can apply for injunctive relief.
The overview below summarizes the proposed changes more fully.
Questions to applicants must be suitable
- Job applicants may be asked questions only relating to information necessary to determine whether they are qualified and suited for the job in question. Questions regarding sensitive data are permissible only where this information pertains to “essential and decisive requirements” of the respective job position.
- Collecting information from former employers or other references will require the prior consent of the applicant. Data from social media or other publicly available sources may be gathered only after a balancing of interests and after the employer has informed the applicant of its plan to collect publicly available information.
Permissibility of assessment centers and medical reviews of applicants and employees will be restricted
- Assessment centers and medical testing of applicants will be permissible only when necessary to assess the qualifications of applicants and when they have consented to the data collection.
New limits and requirements for the collection of employee data
- An employee’s personal data may be gathered only when necessary for the execution, termination, or winding-up of the employment relationship. This requirement covers employee data necessary to fulfill statutory duties and satisfy obligations to employees, including assessing employee performance and conduct.
Using and processing employee data only under specified preconditions
- The use of employees’ personal data is permissible only where such data was collected lawfully and where it is necessary for purposes of the employment relationship. And employer use of employee data will be permissible only to the extent that the employer has sufficiently considered the legitimate interests of affected employees.
Data screenings involving employee data and covert employee monitoring restricted
- Screenings involving employee data and covert surveillance are often used for compliance purposes. Moving forward, screenings will be permissible only if there is concrete evidence of a criminal offense relating to the business of the employer or to fulfill statutory audit or control obligations. And covert surveillance will be permitted only if there is concrete evidence suggesting that the target has committed a business-related criminal offence or other violations that would justify a termination under the German employment law.
- In the first stage of a screening, only anonymized data may be screened. Employers will have to document the reasons for their investigations and inform affected employees immediately when notice would not compromise the investigations. Violations of these requirements could result in fines of up to 50,000 Euros per infringement.
Special rules for particular cases of employee data collection and use
- The draft bill contains special rules for video surveillance, location data, biometrics, and telecommunications data.
Employers are obliged to inform employees immediately in case of data loss or data breaches
- When an employer suspects the occurrence of a data security breach resulting in the accidental or unauthorized transfer or access of employee data, the employer must inform all concerned employees immediately. This duty does not depend on whether affected employees are at risk of harm resulting from the data loss or breach.
Consent may justify only favorable use of employee data
- To date, the freely offered consent of employees could justify the use of their personal data. Under the draft bill, employee consent will permit data collection and use only as explicitly stipulated in the employee data protection provisions of the BDSG, or when the data requested is necessary to achieve legally or economically favorable outcomes for the consenting employees (e.g., in case of company pensions or stock option programs).
New rules for data use based on works agreements
- Under German data protection law, works agreements between employers and their works councils can permit the collection and use of employee data. In the past, these agreements have proven to be a feasible means to implement practical systems and policies for processing employee data. According to the draft bill, future works agreements may not deviate from the new statutory rules if the deviation would result in detrimental consequences for affected employees. This change may require numerous companies to review and possibly renegotiate existing works agreements.
Group interests may justify intra-group data transfers of employee data
- The transfer of employee data between affiliated companies will be greatly facilitated. The draft bill contains a group privilege for employee data where this serves group purposes. Please note that the strict general German requirements regarding data transfer to states outside the EU still apply. Among other things, this proposed change lowers the precondition for group-wide personnel data banks.