Employee data protection in the digital age: challenges and solutions

THE EMPLOYEE DATA ACT

In the modern world of work, which is increasingly characterised by digitalisation and data-driven processes, the protection of employee data is becoming more and more important. Despite its importance, there is still no separate law in Germany that comprehensively regulates this complex area. The Act to Strengthen Fair Handling of Employee Data and for More Legal Certainty for Employers and Employees in the Digital World (RefE-BeschDG) is intended to regulate data processing in the context of employment relationships in the future.

What do employers need to be aware of in the near future?

Background to the law

Employee data protection is essentially based on the general requirements of the General Data Protection Regulation (GDPR) and the specific provisions of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). In particular, Section 26 of the BDSG plays a central role, as it regulates the processing of employees’ personal data. The Employee Data Protection Act currently exists only as a draft bill. The European Court of Justice (ECJ, C-34/21) has ruled that Section 26 of the Federal Data Protection Act (BDSG), which previously governed data processing in employment relationships, does not comply with the principles of the GDPR because it merely repeats the legal basis from the GDPR, in particular for the performance of a contract, and is therefore inapplicable.

Regulations issued by national legislators must take into account special measures to safeguard human dignity, legitimate interests and fundamental rights of the persons concerned, which is why a mere repetition of the wording of the GDPR is not sufficient. After this decision, it was clear that there had to be a more differentiated regulation to ensure transparency and legal certainty for both employers and employees.

Key points of employee data protection

The draft bill for the Employee Data Protection Act is a comprehensive law intended to regulate the protection of employees’ personal data. It applies to both private and public employers and covers a wide range of applications.

Central aims and content

The draft bill aims to strike a balance between the interests of the company and those of its employees. This is reflected in the fact that a balance of interests must be carried out in individual cases if consent has not been granted. On the employer’s side, there are then (legitimate) operational reasons and on the employee’s side, there is their right of privacy. When weighing up the interests, the employee’s relationship of dependency must always be taken into account.

If consent is given, it must be given voluntarily and in an informed manner. To this end, the employee must be informed at an early stage.

If the data processing is based on legitimate business interests, these interests must be adequately explained to the data subject.

In addition, the law also contains regulations regarding artificial intelligence in the employment relationship.

Furthermore, attention is paid to the monitoring of employees. Surveillance measures are subject to strict regulations. For example, audio recordings are prohibited, and video recordings are only permitted to fulfil the employer’s obligations under legislation or collective agreements or to protect important business interests. Even in such cases, a balance of interests must be carried out. Recordings may be made for a short period of time and for a specific purpose, or on a random basis, with a maximum storage period of 72 hours.

Special aspects

A special feature is the exclusion of evidence, in legal proceedings concerning personnel measures, of data that was processed in violation of data protection law. An exception should only be made if there is an obvious imbalance between the infringement of the employee’s right of privacy and the employer’s constitutionally protected interest in judicial utilisation. In its rulings so far, the Federal Labour Court has tended to favour a practice that is more conducive to utilisation. Under the draft, even intentional conduct in breach of contract does not by itself appear to favour utilisation, because it does not automatically establish an obvious imbalance.

The data processing by group companies is also covered. These may process employee data exclusively for a specific purpose necessary for the performance of the employment relationship, for the fulfilment of an obligation established by law or collective agreement, or for the protection of the legitimate interests of the employer or the group company. Furthermore, it is necessary that the interests of the employer prevail.

The processing of employee data relating to the core area of private life is not permitted.

Relationship to the GDPR

The two regulations complement each other. The GDPR provides the general framework, while the draft of the new law specifies and supplements the specific area of employee data protection. It will therefore not replace the GDPR, but build on it.

Outlook

It is not yet clear when the law is expected to come into force. Summer 2025 is being predicted. The bill still has to go through the parliamentary process. It remains to be seen what changes will arise in the course of the deliberations.

One thing is certain: a separate Employee Data Protection Act would significantly change the legal situation in Germany and could serve as a model for other European countries.

Need for action by companies

It already makes sense to critically review the processing of employee data in your company and to adapt it where necessary. In view of the existing ECJ case law, it is important not to wait until the new law comes into force, but to act proactively so that your processing is compliant already now.

We will be happy to support you in taking stock, conducting a necessity check for the scope of data processing and advising you on the extent to which you need to inform your employees about the type and scope of data processing in your company.

ANY QUESTIONS?

We look forward to your enquiry on this and other topics!

Special protection against dismissal for data protection officers

In Germany, the ordinary termination of an internal data protection officer is not possible.

In Germany, data protection officers enjoy special protection against dismissal. Whilst this topic is not relevant for everyone who has to deal with GDPR compliance, it illustrates how national lawmakers have used the opening clauses in the GDPR, and that you need to monitor new developments at the national level as well, as we do.

Introduction 

Data privacy officers have an exposed role with potential for conflict. Therefore, German law provides that internal data protection officers of public and non-public bodies may only be dismissed without notice for good cause (Sections 6(4), 38(2) BDSG). In the case of non-public bodies, termination is also possible at the request of the supervisory authority (cf. Section 40 (6) sentence 2 BDSG).

The regulation ensures that data protection officers of public authorities and companies can perform their duties independently and free from fear of reprisals. However, the national regulation in the BDSG goes beyond the level of protection of the European GDPR. Article 38 (3) sentence 2 GDPR merely states that data protection officers may not be dismissed or penalised for performing their tasks. Termination with notice of a data protection officer for other reasons is thus not fundamentally excluded under the GDPR.

The Federal Labour Court (BAG) had to deal with the question of the compatibility of the two regulations and referred it to the ECJ for clarification. In the underlying case, an employee who, among other duties, had been appointed as data protection officer sued her employer because she was terminated with notice during the probation period, within the first six months of the employment relationship.

No conflict with European law 

In the preliminary ruling proceedings referred by the BAG, the ECJ held that divergent national rules on the protection of data protection officers against dismissal are compatible with the GDPR as long as they do not impair the achievement of the GDPR’s objectives (ECJ, ruling of June 22, 2022 – C-534/20). That would be the case if a national rule prevented, or made unreasonably difficult, the dismissal by the controller of a data protection officer who does not perform their tasks in accordance with the GDPR.

Apart from that, the EU Member States are free to extend the protection against dismissal. After all, they have the legislative competence in the area of employment law. The purpose of the GDPR is precisely not to regulate the employment relationship, but to protect personal data. The BAG based its decision on this and consequently found the regulation in the BDSG to be permissible. 

No unjustified interference with the employer’s fundamental rights 

According to the court, the employer’s fundamental rights are not significantly affected by the special protection against dismissal laid down in the BDSG. The BAG did see an encroachment on the freedom of occupation (Art. 12 GG). However, the regulation is necessary to ensure that the data protection officer need not fear any disadvantages from the independent exercise of their activity. The employer also remains free to decide whether to appoint an employee protected by the provision or an external person as data protection officer. As described below, external persons do not fall within the scope of protection of the provision discussed here.

What needs to be considered with regard to the dismissability of data protection officers? 

The special protection against dismissal for data protection officers of public and non-public bodies exists for those who are in an employment relationship with the controller/processor, i.e. internal employees.

The special protection against termination exists…

  • … whether or not the termination is related to the performance of the data protection duties.
  • … even when the activity as data protection officer is only one part of the employee’s job.
  • … immediately in the case of newly hired employees, not only after the probation period, for example.
  • … and continues for one year after the end of the activity as data protection officer (Section 6 (4) sentence 3 BDSG).

The special protection against dismissal does not extend to external data protection officers. They are in a service relationship with the controller and therefore do not require the same level of protection. Regarding their dismissal, however, the European rule in Article 38 (3) sentence 2 GDPR continues to apply.

This means that even in their case, ordinary or extraordinary termination may not take place solely because the data protection officer fulfils their duties pursuant to Article 39 (1) GDPR. Although the Member States are free to grant special protection against dismissal, which Germany has made use of with regard to internal data protection officers, the GDPR’s level of protection against the dismissal of data protection officers may not be undercut in any case.

If you have any more questions or concerns in connection with the appointment, dismissal or termination of data protection officers, we will be happy to assist you. 


Is Google Analytics illegal in companies?

Google Analytics: This is the current assessment of international data protection authorities.

Is the use of Google Analytics in my company illegal?

Introduction 

Google Analytics is a well-known web analysis service and is used by many website operators. As part of the processing, user data is collected and analyzed by Google to gain insight into user behavior. From this data, changes for optimization processes of the website can be derived, developed and implemented. The frequent use of the analysis tool can also be attributed to the fact that most of the functions are free of charge. The advantages are therefore obvious. 

However, the use of Google Analytics has repeatedly been subject to criticism from data protection authorities, among other things due to the transfer of data to the USA since the second Schrems ruling of the European Court of Justice. In recent months, several European data protection authorities have been critical of the use of Google Analytics. But is the use actually illegal?

What is the problem with the use? 

First of all, without sufficiently transparent information, website users do not notice how much or which data is collected. This is because these processes run in the background. As part of the analysis, the collected data and the IP address can be clearly assigned to a user. According to Google, this data is pseudonymized. However, according to critics, this pseudonymization is not sufficient as a protective mechanism.  

Furthermore, the USA is considered a third country in the sense of the GDPR. A corresponding legal basis is required for data transfer to third countries. The Privacy Shield was originally used between Germany and the USA for this purpose. However, this legal basis ceased to apply with the ruling of the European Court of Justice in 2020 (“Schrems II”).

For some time now, the European Commission has been working on a new data protection agreement with the USA. An initial agreement was reached in March 2022. After President Joe Biden issued an “Executive Order” on October 7, 2022, to improve the data protection of Europeans against wiretapping activities of the U.S. intelligence services, the ball is now in the EU Commission’s court.

But it will probably be several weeks or even months before the Commission issues an adequacy decision in favor of the United States.  

What is the current assessment of international data protection authorities? 

Due to these problems, the Austrian data protection authority (ÖDSB) was the first authority to rule on the illegal use of Google Analytics in January 2022. The use of the tracking software violated Article 44 of the GDPR, as personal data was transferred to the USA without a legal basis.  

In the course of the year, other European data protection authorities (including CNIL, GPDP) followed this assessment and declared the use of Google Analytics to be unlawful. 

Other authorities are expected to follow this ruling. 

What do I as a website operator now have to consider when using it? 

According to the data protection authorities, there are not many options for website operators to use Google Analytics in a manner that complies with data protection laws.  

On the one hand, explicit and voluntary consent of the users is essential for the processing as such, i.e. the analysis. Here, the legal basis lies in Art. 6 (1) sentence 1 lit. a and Art. 7 GDPR. In addition, with regard to the third-country transfer, consent is advisable, which is then based on Art. 49 (1) lit. a GDPR.

However, this approach is also largely viewed critically by data protection authorities, because the provision is an exception to Art. 44 of the GDPR. Consent should only be given for individual transfers. In the context of Google Analytics, however, a continuous third-country transfer takes place, so that it is no longer possible to speak of an exceptional case. 

In any case, the tracking code should be configured so that the full IP address is not transferred to Google (IP anonymisation), making it more difficult to identify the person.

In addition, the use of Google Analytics and the extent to which this takes place should be stated in the privacy policy. 
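The two technical steps above (no analytics before explicit consent, and no full IP address leaving the site) as an added example; this is not code from the original article, the property id is a placeholder, the consent record shape and the `gtag`/`loadScript` injection are assumptions so the logic can be exercised outside a browser:

```javascript
// Added example (not from the original post): consent-gated loading of the
// Google Analytics tag (gtag.js) with IP anonymisation switched on.
// Assumed: placeholder property id, our own consent record shape, and
// injected gtag/loadScript functions so the decision logic is testable.

const GA_PROPERTY_ID = 'UA-XXXXXXX-1'; // placeholder, not a real property

// A stored consent record as a consent banner might keep it. Only an explicit,
// affirmative analytics choice counts; a missing record, a pre-ticked default
// or "implied by continued browsing" is not valid consent under Art. 7 GDPR.
function hasExplicitAnalyticsConsent(consent) {
  return Boolean(consent)
    && consent.analytics === true
    && consent.explicit === true
    && typeof consent.givenAt === 'string';
}

// gtag config parameters. `anonymize_ip` tells Google to truncate the address
// before storing it; the other two disable advertising features the user did
// not consent to.
function buildGaConfig() {
  return {
    anonymize_ip: true,
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
}

// Initialises analytics only when consent is present. Returns true if the tag
// was loaded and configured, false if nothing at all was sent to Google.
function initAnalytics(consent, gtag, loadScript) {
  if (!hasExplicitAnalyticsConsent(consent)) return false;
  loadScript('https://www.googletagmanager.com/gtag/js?id=' + GA_PROPERTY_ID);
  gtag('js', new Date());
  gtag('config', GA_PROPERTY_ID, buildGaConfig());
  return true;
}

// Mirrors the truncation Google documents for anonymize_ip (IPv4: last octet
// zeroed, IPv6: last 80 bits zeroed), so an operator can see in tests what
// remains of a visitor's address after anonymisation.
function truncateIp(ip) {
  if (ip.includes(':')) {
    return expandIpv6(ip).slice(0, 3).join(':') + '::';
  }
  const o = ip.split('.');
  if (o.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  return o[0] + '.' + o[1] + '.' + o[2] + '.0';
}

// Expands "::" shorthand so the first three hextets can be read reliably.
function expandIpv6(ip) {
  const [left, right = ''] = ip.split('::');
  const l = left ? left.split(':') : [];
  const r = right ? right.split(':') : [];
  return l.concat(new Array(8 - l.length - r.length).fill('0'), r);
}

// Browser wiring (skipped under Node): push to dataLayer and inject the script.
if (typeof window !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const consent = JSON.parse(localStorage.getItem('consent') || 'null'); // assumed key
  initAnalytics(consent,
    function () { window.dataLayer.push(arguments); },
    (src) => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); });
}
```

Until the consent record says yes, neither the script request nor any hit reaches Google, which is what the authorities' objection to background collection turns on.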

Are there alternative tracking models to Google Analytics? 

Yes, there are and the market for them is growing. Website operators who do not want to take any risks should look into alternative tracking and analysis tools that process personal data exclusively in the EU, refrain from tracking across websites and ensure that personal data is anonymized at an early stage.  

Conclusion 

Now that a few data protection authorities have spoken out against the use of Google Analytics and there are already several data protection complaints in another 23 states in this context, using Google Analytics is risky. 

Therefore, it is advisable to inform yourself about the programs used in your company and to look for alternatives if necessary. Meanwhile, there are several alternatives on the market, which can be suitable for your own website depending on your needs.

We are happy to help you with the selection. If you want to be on the safe side, you can avoid using Google Analytics altogether. Ultimately, it is up to the discretion of the website operator. It should be noted that in the event of violations, not only Google but also the website operator may be responsible for data protection violations. 

We will continue to inform you here about the legal development of a legally compliant use of Google Analytics as well as similar programs. 


Cloud providers in the USA illegal?

Karlsruhe Higher Regional Court overturns controversial decision!

Introduction

News on data transfer to the USA! After the Public Procurement Chamber of Baden-Württemberg found in a decision of July 13, 2022 that cloud providers in the USA, and also their EU subsidiaries, violate the General Data Protection Regulation (GDPR), the Higher Regional Court (OLG) of Karlsruhe has now overturned this highly controversial decision.

According to the decision of the Procurement Chamber, the use of these cloud providers is unlawful because they involve an unlawful transfer of data to a third country in which the data of EU citizens is not adequately protected. In 2020, the European Court of Justice (ECJ) overturned the Privacy Shield in the Schrems II decision, which had previously justified the data transfer. The main reason for this was the extensive surveillance laws and the access possibilities to the data on the part of the US authorities (please see the blog article we have already written on this).

How did the decision of the Procurement Chamber come about? And on what grounds did the Karlsruhe Higher Regional Court overturn the decision of the Public Procurement Chamber?

The problem is the US CLOUD Act

Although the case in question involved a dispute under procurement law, the conformity of a piece of software with the GDPR was also being examined at the same time. In addition to price and quality, data protection and IT security were also decisive factors in awarding the contract.

The company concerned is based in the EU and is the subsidiary of a US group. Due to the US CLOUD Act, US authorities may also be permitted to access data located on servers outside the USA, provided that this involves data from subsidiaries. Because of this access possibility to data of EU citizens, the Procurement Chamber has classified the cloud service as inadmissible. Whether and to what extent access takes place was irrelevant for the Procurement Chamber.

When would a data transfer to a third country be justified?

The transfer of data to a third country, i.e., a country outside the EU/EEA, may be justified under Art. 44 et seq. of the GDPR. For this purpose, either an adequacy decision must have been issued for the respective country (this is not the case for the USA) or other means of justification such as standard contractual clauses must be used, although it must be verified in each individual case whether EU data protection law has been complied with.

However, in the opinion of the Procurement Chamber, the standard contractual clauses were not sufficient in the present case, because there was a “latent” risk of access by U.S. agencies due to the CLOUD Act and this therefore violated EU data protection law.

Criticism of the decision and grounds for reversal

The decision of the Procurement Chamber faced a lot of headwind from the beginning. In particular, the State Data Protection Commissioner for Baden-Württemberg voiced some criticism. This criticism was then echoed by the Karlsruhe Higher Regional Court, which reviewed the validity of the decision and ultimately overturned it on September 7, 2022. The decision of the OLG Karlsruhe is also legally binding.

But what was so questionable about the decision of the Procurement Chamber? Why did the OLG overturn the decision?

The State Data Protection Commissioner for Baden-Württemberg found the following points questionable:

  • The Procurement Chamber did not review the current EU standard contractual clauses, but older ones.
  • In addition, the Procurement Chamber equated a possible access risk on the part of the U.S. agencies with an actual transfer of data.

In addition, data protection experts criticized the fact that the Procurement Chamber completely disregarded the possibility of encrypting the data in its decision.

The OLG has now based its decision primarily on the latter point of criticism by the Baden-Württemberg data protection authority. As long as the provider makes a binding promise that no third-country transfer will take place when the online service is used, this can be relied on. Such contractual promises can be relied on until there are concrete indications that give cause for doubt.

In the present case, however, there were no such doubts. The mere fact that the U.S. parent company could access the data is not sufficient to cast doubt on the reliability of the contractual information. In principle, therefore, you can trust the information provided by software providers when it comes to data protection compliance.

Conclusion

The decision, if it had been upheld, would have had a considerable impact on private law issues in IT and data protection law! However, since it has now been overturned, providers with U.S. corporate parent companies are still to be considered in award procedures and the use of such cloud providers may also continue to be possible in individual cases.

It is also clear from the decision of the OLG Karlsruhe that, in principle, one can rely on the contractual information with regard to data protection conformity and only in the case of concrete indications must further information be obtained and the performance promise reviewed.

In addition, the EU Commission is currently working with the responsible bodies in the U.S. on a future solution for data transfers between the EU and the U.S. However, such a follow-up agreement is not expected before the end of the year.
