Skip to content

The core statement of the GDPR regarding employee data protection according to §26 BDSG and the handling of special situations

data protection

Employee data protection: What is the boss allowed to do? 


Employee data protection: It is about the monitoring of employees. How far may it go, where are the limits and which law regulates it. In other words: what is the boss allowed to do? 

There is still no law of its own, but there are numerous regulations that provide pointers. Negotiations toward a uniform employee data protection law are underway again, however, after the last draft from 2010 was never passed. So far, only Finland has such an employee data protection law; the other EU countries work with individual regulations. 

It is therefore important to keep up to date with the latest developments. Currently, the GDPR in particular regulates employee data protection. However, should a separate law be passed, the GDPR would have to be further specified. 

Where do we currently stand in employee data protection? 

The core statement of the GDPR with regard to employee data protection according to Section 26 of the German Federal Data Protection Act (BDSG) is that personal data of employees may be collected if it is necessary for the fulfillment, commencement or termination of an employment relationship. The collection then does not require the consent of the data subject. 

This includes  

  •     Applicant data
  •     general personal and contact data 
  •     bank account details 
  •     job profile or position 
  •     Health data 
  •     Religious affiliation (necessary for payroll accounting) 

The collection of data beyond this may require the consent of the data subject. 

Why do we need an employee data protection law? 

The question is: How should special situations be handled? What about video surveillance in production, for example? Is the boss allowed to read the emails sent from the work computer? Is he allowed to monitor the chronicle of internet usage?  

The generally held regulations of the GDPR are not very concrete and are only designed for individual cases to a limited extent; they rather cover standard situations. It is difficult to clarify which data is actually required for the fulfillment, commencement or termination of an employment relationship.  

The interests of employees and supervisors can be very far apart. There are opportunities for abuse on both sides. 

The decisive argument for more employee data protection is the power imbalance between employees and their superiors. Here, one cannot speak of “equal rights for all.” The dependency on wages and jobs pushes employees into an unsovereign role and makes them swallow many a bitter pill for fear of consequences. One such bitter pill is data that is collected about him, but against which he does not dare to defend himself.  

A law could provide clarity and protection for all concerned. 


The independent advisory board set up by the Federal Ministry of Labor and Social Affairs and the German Trade Union Confederation have drawn up recommendations and proposals, some of which, however, are not very detailed. Legislators therefore still have a great deal of leeway when it comes to the details. 

Nevertheless, the recommendations and the draft legislation have already been published (see below). In view of the provisions in the coalition agreement, it is possible that a law could be enacted during this legislative period. Let’s see how the legislature works out the drafts and what the Bundestag and Bundesrat have to say about it. 

If you have any further questions about employee data protection, please do not hesitate to contact us.  

    Employment law: Patrick Jardin 

    Data protection: Lena Wassermann 


Wir freuen uns auf Ihre Anfrage zu diesem und weiteren Themen!