The Court of Justice of the European union (CJEU) has ruled that general clauses in national data protection laws for the employment context do not constitute “more specific rules“ within the meaning of Art. 88 (1) GDPR (General Data Protection Regulation) and therefore violate the GDPR, which has precedence before any national laws. The question now arises as to the consequences of the judgment for § 26 of the German Federal Data Protection Act (BDSG) (judgment of 30 March 2023, ref.: C-34/21).
Background to the decision
The background to the CJEU decision is a case from Hesse, Germany. During the COVID-19 pandemic, live streaming lessons via a video conferencing system were introduced at schools in Hesse. The consent of the pupils or their legal guardians was obtained for the associated data processing.
The consent of the teachers who were also affected by the data processing was not obtained. The reason for this was § 23 (1) (1) of the Hessian Data Protection Act a regional data protection law, which is identical to § 26 (1) sentence 1 BDSG, the federal data protection law in Germany. According to the regional law, personal data of employees may be processed if it is relevant for the establishment, carrying out or termination of the employment contract.
The fact that consent of the teachers concerned was not provided for caused a regional representative body for teachers in Hesse to bring an action. The state of Hesse, on the other hand, took the view that the processing of personal data of teachers through live streaming lessons was provided for by national regulations.
However, the competent administrative court in Germany had doubts as to whether the national regulation constituted “more specific rules“ within the meaning of Art. 88 (1) GDPR , for the processing of employee data, and was compatible with the requirements of Art. 88 (2) GDPR. Therefore, the administrative court asked the CJEU for a preliminary ruling.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
In its judgment, the CJEU ruled that national legislation cannot be considered a “specific rule” within the meaning of Art. 88 (1) of the GDPR if it does not comply with the requirements of Art. 88 (2) of the GDPR.
In this regard, the Court argues that Art. 88 (1) of the GDPR, with its wording “more specific rules”, already makes it clear that the national regulatory content must be different from the general provisions in the GDPR. The wording of Art. 88 (2) of the GDPR then provides for limits upon the discretion of the Member States with regard to the adoption of “more specific rules” under Art. 88 (1) of the GDPR. Accordingly, “more specific rules” must not be limited to a repetition of the provisions of the GDPR and must cover appropriate measures to safeguard the human dignity, legitimate interests and fundamental rights of the data subject.
In the second step, the Court explains why the national provisions concerned do not meet the requirements of Art. 88 (2) of the GDPR in order to qualify as a “more specific rules” under Art. 88 (1) of the GDPR.
General clauses such as § 26 (1) sentence 1 BDSG or § 23 (1) sentence 1 of the Hessian Data Protection Act only stipulate that personal data of employees may be processed for certain purposes if this is necessary for the performance of the employment contract. This is a repetition of the meaning of Art. 6 (1) (b) GDPR. This provision also makes data processing subject to the condition of necessity for the performance of the contract.
There is thus no specific concretisation regarding the employment context by the German legislator. The minimum requirements of Art. 88 (2) of the GDPR are not met, so that there is nothing to prevent a direct application of Art. 6 (1) (b) of the GDPR. The Court thus emphasises that in the absence of “more specific rules” and due to the primacy of European Union law, the processing of employee data in both the private and public sectors is governed by the provisions of the GDPR.
It is true that the CJEU´s ruling concerns the regional data protection law from Hesse. However, § 23 (1) sentence 1 of the Hessian Data Protection Act is identical to the wording § 26 (1) sentence 1 of the BDSG, so that the ruling affects the entire employee data protection law regime in Germany.
According to Recital 7 of the GDPR, the intention of the GDPR is to harmonise data protection within the European Union, which is why Member States may not adopt their own data protection laws. European Union law takes precedence in the event of a conflict with any national laws. In accordance with the applicable prohibition on the repetition of norms, a repetitive national provision is therefore invalid, as it causes confusion and counteracts transparency of data processing.
The existing opening clauses, such as Art. 88 of the GDPR, allow Member States to adopt their own regulations within data protection law, but they must comply with the conditions of the respective opening clause. Art. 88 (1) of the GDPR clearly states that Member States may only adopt “more specific rules” in respect of the processing of employees’ personal data in the employment context. The adoption of a completely independent data protection law in addition to the GDPR – in this case a legal basis – is not possible.
In practice, the impact on the processing of employees’ personal data in the employment context due to the suspension of § 26 (1) sentence 1 BDSG remains minor. In the future, employers will have to rely on Art. 6 (1) (b) and (f) of the GDPR when processing employee data in the employment context. However, this should not present companies with too many hurdles; the legal basis for processing data to fulfil a contract according to Art. 6 (1) (b) GDPR or to safeguard legitimate interest according to Art. 6 (1) (f) GDPR almost completely replace the regulatory content of § 26 (1) sentence 1 BDSG.
This can even be an advantage for larger corporate groups operating across Europe, as it can lead to a standardisation of employee data protection and eliminate the need to deal with inconsistent national legislation.
In its ruling, the CJEU submits that in case of doubts on the interpretation of Art. 6 (1) (b), (f) GDPR, the German BAG (Federal Labour Court) must refer the questions to the CJEU pursuant to Art. 267 of the Treaty on the Functioning of the European Union (TFEU). This significantly weakens the position of the BAG on the issue of employee data protection.
What effects the ruling has on the other paragraphs of § 26 BDSG remains open. However, on closer examination of the other provisions, it cannot be assumed that the ruling on § 26 (1) BDSG will also affect the other paragraphs. The other provisions of § 26 of the BDSG actually qualify as “more specific rules”, the regulatory content of which is not already reflected in the GDPR.
Consent pursuant to § 26 (2) BDSG, for example, represents a special provision to Art. 6 (1) (a) GDPR: Due to the existing relationship of dependence and the resulting lack of voluntariness of consent in the employment relationship, consent pursuant to § 26 (2) BDSG is considered a specific rule. In addition, § 26 (2) BDSG, in comparison to Art. 6 (1) (a) GDPR, specifies criteria for when it may be assumed that employees gave consent voluntarily. § 26 (3) BDSG can, for example, be based on the opening clause of Art. 9 (2) (b) GDPR.
Thus, it can be assumed that the remaining paragraphs fulfil the requirements of Art. 88 (2) GDPR and may be considered as more specific rules under Art. 88 (1) GDPR.
German legislators may feel their authority has been questioned by the ruling. Despite ongoing criticism, the BDSG failed to create legal certainty and appropriate regulations for the processing of personal data of employees in an employment context. Following the CJEU ruling, there is a seamless transition from § 26 of the BDSG to Art. 6 (1) (f) and (b) of the GDPR. It remains uncertain whether the German legislature will take this CJEU ruling as an opportunity to swiftly improve national regulations for the processing of personal data of employees in an employment context.
The present ruling will certainly have an impact on the future processing of personal data of employees in an employment context in the public and private sectors. Companies and public institutions should now review their existing privacy notices and records of processing activities in accordance with the requirements of the CJEU ruling and replace the information on § 26 BDSG with Art. 6 (b), (f) GDPR.