I am an associate in the employment team based in Frankfurt, and I advise our international and domestic clients on all aspects of individual and collective employment law.
The proposed Employment Data Act Draft, which the previous coalition planned to introduce, contains new obligations for companies, including enhanced transparency, protective measures, and stricter data processing requirements.
On 8 October 2024, the Federal Ministry of Labor and the Federal Ministry of the Interior unexpectedly presented the draft of a new Employee Data Protection Act (BeschDG-E). This law aims to provide more legal clarity in the area of employee data protection, following some fundamental court decisions that have led to significant uncertainty. However, an initial analysis shows that the draft creates new uncertainties in many areas rather than solving existing problems.
A central point of the draft is the extensive prohibition of surveillance measures. These are generally to be considered inadmissible, which means that technical facilities such as Outlook, mobile phones, or electronic time recording systems could be classified as surveillance devices. This could result in findings from such systems no longer being used for employment-related sanctions.
Another critical aspect is the prohibition of using data from unlawful surveillance measures for performance control. While behavioral control does not appear to be restricted, distinguishing between performance and behavior in individual cases remains difficult and could lead to significant legal uncertainty.
The draft also stipulates that collective agreements may not deviate from the General Data Protection Regulation (GDPR) to the detriment of employees. This should be possible through company agreements, but the scope of such agreements and possible deviations from the GDPR remain contentious.
A new instrument in the draft is the comprehensive prohibition on the use of information obtained in violation of data protection laws in court proceedings, particularly in cases of dismissals or warnings. This could further increase the already high hurdles for employers in dismissal protection proceedings and lead to more uncertainty.
The draft also includes the obligation to create a "purpose directory" for data processing. Without a specific determination of the purpose, the prohibition on use applies, meaning that emails cannot be used as evidence for sanctions if this purpose was not already defined when the corresponding software was introduced.
Even if these legislative plans are unlikely to be implemented for the time being after the "end" of the traffic light coalition, the issue may be back on the table after a new election, depending on the political constellation, which is why we summarise the most relevant upcoming regulations in brief below:
1. Admissibility of Processing Employee Data:
Sec. 4 EDAD requires a necessity test in which the employer's interest in processing must outweigh the interests of the employees concerned, with a catalogue of criteria provided to facilitate the weighing of interests. This weighing of interests must be carried out for any subsequent type of data processing.
Consent to data processing must be given voluntarily and in writing or electronically in accordance with Sec. 5 EDAD.
2. Collective Agreements:
Sec. 7 EDAD allows collective agreements to regulate employee data protection, but not to the detriment of employees and not to determine the permissibility of data processing.
3. Rights of Data Subjects, Prohibition of Use, and Data Protection Officers:
Employees have the right to information about the processing of their data, especially when AI systems are used (Sec. 10 EDAD).
Data that has been processed in violation of data protection law may not be used in labour court proceedings (Sec. 11 EDAD).
The works council has co-determination rights in the appointment and dismissal of data protection officers (Sec. 12 EDAD).
4. Data Processing Prior to the Establishment of the Employment Relationship:
The processing of employee data prior to the commencement of an employment relationship is permissible if it is necessary to determine the suitability of the applicant for the position or to fulfil the employer's legal obligations (Sec. 13 EDAD). The processing of certain personal data is only permissible if it is necessary for the aptitude test or if legal obligations exist (Sec. 14 EDAD).
The voluntary disclosure of sensitive data (e.g., ethnicity, gender) is only permissible if it is necessary to avoid discrimination or promote equality, according to Sec. 15 EDAD.
The processing of employee data in the context of health and aptitude tests is only permissible if it is necessary for the job or legal requirements. Psychological tests must meet scientifically recognised standards (Sec. 16 EDAD).
Unless the data subject has given their consent for longer storage, employee data processed prior to recruitment must be deleted no later than three months after the decision not to enter into an employment relationship.
5. Monitoring of Employees:
The processing of employee data through monitoring measures is only permissible if it is necessary for a specific purpose in connection with the employment relationship. Monitoring may only take place for a short period of time and for a specific reason or on a random basis (Sec. 18 EDAD).
Processing of data concerning the core area of private life is not permitted. Surveillance measures that affect private life, such as private break rooms, are prohibited.
Video surveillance may only be carried out for specific purposes in accordance with Sec. 21 EDAD. It must be recognisable, and the employees concerned must be informed about it in principle. Storage of the video material is permitted for up to 72 hours.
6. Profiling:
The processing of employee data through profiling is only permitted in certain cases regulated by law (Sec. 24 EDAD).
Companies must put appropriate safeguards in place to minimise errors in profiling and reduce the risk of incorrect processing. In particular, where decisions based on profiling could have legal implications for employees, human oversight of profiling must be ensured.
Companies must inform the employees concerned before profiling begins. Employees also have a right to information (Sec. 25, 26 EDAD).
7. Processing of Biometric and Health Data:
The conditions for the permissible processing of biometric data include the necessity of consent, the consideration of special protective measures, and the assurance of transparency of processing. Biometric data may only be processed if there is no equivalent alternative for identification, such as a password (Sec. 28 EDAD).
The processing of health data in the context of occupational integration management is strictly regulated.
Looking to the Future
Although the draft clarifies some areas of employee data protection, the anticipated uncertainties outweigh the benefits. It is to be hoped that the draft of the EDAD will be significantly revised to create a law that protects employees' rights while offering practical solutions for employers.
According to initial press reports, the draft was originally expected to be adopted this year, but in view of current developments in the coalition government, this seems almost impossible.
If the EDAD is actually passed in a form similar to the current draft after the upcoming Bundestag elections, companies should carry out a comprehensive internal data protection review. In any case, it is worthwhile to continue monitoring legislative developments and to start dealing with the possible documentation and transparency obligations now.