Employee data protection in the digital age: challenges and solutions
THE EMPLOYEE DATA ACT
In the modern world of work, which is increasingly characterised by digitalisation and data-driven processes, the protection of employee data is becoming more and more important. Despite its importance, there is still no separate law in Germany that comprehensively regulates this complex area. The Act to Strengthen Fair Handling of Employee Data and for More Legal Certainty for Employers and Employees in the Digital World (RefE-BeschDG) is intended to regulate data processing in the context of employment relationships in the future.
What do employers need to be aware of in the near future?
Background to the law
Employee data protection is essentially based on the general requirements of the General Data Protection Regulation (GDPR) and the specific provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). In particular, Section 26 of the BDSG plays a central role as it regulates the processing of personal data of employees. The Employee Data Protection Act currently exists only as a draft bill. The European Court of Justice (ECJ C-34/21) has ruled that Section 26 of the BDSG, which previously regulated data processing in employment relationships, does not comply with the principles of the GDPR and is therefore inapplicable, because it merely repeats the legal basis already set out in the GDPR, in particular for the performance of a contract.
Regulations issued by national legislators must take into account special measures to safeguard human dignity, legitimate interests and fundamental rights of the persons concerned, which is why a mere repetition of the wording of the GDPR is not sufficient. After this decision, it was clear that there had to be a more differentiated regulation to ensure transparency and legal certainty for both employers and employees.
Key points of employee data protection
The draft bill for the Data Protection Act is a comprehensive piece of legislation intended to regulate the protection of employees’ personal data. It applies to both private and public employers and covers a wide range of applications.
Central aims and content
The draft bill aims to strike a balance between the interests of the company and those of its employees. This is reflected in the requirement that, where consent has not been granted, a balancing of interests must be carried out in each individual case. On the employer’s side, the relevant factors are (legitimate) operational reasons; on the employee’s side, it is their right of privacy. When weighing up the interests, the employee’s relationship of dependency must always be taken into account.
If consent is given, it must be given voluntarily and in an informed manner. To this end, the employee must be informed at an early stage.
If the data processing is based on legitimate business interests, these interests must be adequately explained to the data subject.
The law also contains regulations regarding artificial intelligence in the employment relationship.
Furthermore, attention is paid to the monitoring of employees. Surveillance measures are subject to strict regulations. For example, audio recordings are prohibited, and video recordings are only permitted to fulfil the employer’s obligations under legislation or collective agreements or to protect important business interests. Even in such cases, a balancing of interests must be carried out. Recordings may be made for a short period of time and for a specific purpose, or on a random basis, with a maximum storage period of 72 hours.
Special aspects
A special feature is that, in legal proceedings concerning personnel measures, data processed in violation of data protection law is excluded as evidence. An exception should only be made if there is a disproportion between the infringement of the employee’s right of privacy and the employer’s constitutionally protected interests in using the data in court. In its rulings, the Federal Labour Court has so far tended to favour a practice that is more permissive of such use. Now, even intentional conduct in breach of contract does not by itself appear to speak in favour of using the data, because it does not automatically establish an obvious disproportion.
Data processing by group companies is also covered. Group companies may process employee data exclusively for a specific purpose necessary for the performance of the employment relationship, for the fulfilment of an obligation established by law or collective agreement, or for the protection of the legitimate interests of the employer or the group company. Furthermore, it is necessary that the interests of the employer prevail.
The processing of employee data relating to the core area of private life is not permitted.
Relationship to the GDPR
The two regulations complement each other. The GDPR provides the general framework, while the draft of the new law specifies and supplements the specific area of employee data protection. It will therefore not replace the GDPR, but build on it.
Outlook
It is not yet clear when the law is expected to come into force. Summer 2025 is being predicted. The bill still has to go through the parliamentary process. It remains to be seen what changes will arise in the course of the deliberations.
One thing is certain: a separate Employee Data Protection Act would significantly change the legal situation in Germany and could serve as a model for other European countries.
Need for action by companies
It already makes sense to critically review the processing of employee data in your company and to adapt it if necessary. Due to the existing case law of the ECJ, it is important not to wait until the new law comes into force, but to act proactively so that your data processing is already in accordance with the law.
We will be happy to support you in taking stock, conducting a necessity check for the scope of data processing and advising you on the extent to which you need to inform your employees about the type and scope of data processing in your company.