The Basic Rules on Data Protection in Germany
The central set of rules is the General Data Protection Regulation (GDPR), which applies equally in all EU countries. In addition, the Federal Data Protection Act (BDSG) also applies in Germany. The GDPR, which has been in force since May 2018, partially replaces and supplements the provisions of the Federal Act. The regulation sets out what is permitted when a person's personal data is used, in the form of "data processing principles". These principles are listed in Art. 5 GDPR and are:
- Lawfulness of the processing: has the data been processed correctly? The data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Lawfulness of the gathering: was the data gathered in a legal manner?
- Transparency: is your employer open about the reason for gathering and processing your data?
- Data minimisation: has your employer gathered more data than is necessary? Why have they gathered what appears to be additional data? The data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: is the data collected by your employer correct and current? The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
- Storage limitation: the data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: the data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Definition of Terms
Art. 4 GDPR contains the definitions relevant to data protection law under the regulation. This article must be viewed as the starting point for the application of data protection rules and their consequences. It defines, among other terms, "controller", "processor" and "recipient".
Art. 4 GDPR also defines "personal data". Under the regulation, "personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data include (a person’s):
- Name, age, address
- Date of birth
- Contact details (telephone number, e-mail address)
- Identity card number
- Health data
- Marital status
- School Education
- Work experience
"Processing" under Art. 4 GDPR means "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction".
Note: The GDPR is based on the principle of a general prohibition of data processing, subject to permission. This means that data processing is prohibited in principle but is permitted under certain circumstances. Therefore, another person cannot use your data in the ways listed above without first obtaining a legal basis for doing so. Permission can be granted:
Tip: The former rests on a shakier legal foundation because it can be revoked. An attempt should therefore be made to base the lawfulness of data processing, at least additionally, on the general grounds for authorisation under Art. 6 lit. b-f GDPR. These are:
- fulfilment of (pre-)contractual obligations,
- fulfilment of legal obligations,
- protection of vital interests,
- protection of public interests and exercise of official authority,
- protection of legitimate interests.
If you have any further questions on this matter relating to your situation, please make sure to contact our employment lawyers directly.
Practical Data Protection Problems
Companies are regularly engaged in reviewing themselves and the systems they use to check that they comply with the applicable legal situation. Working alongside a legal expert with experience in data protection will ensure that the appropriate systems are in place within the company. In addition, ensuring that the correct measures are in place within the company will prevent future legal problems from arising in this area.
With regard to the data protection rights of a company's own employees, the starting point is therefore the data protection declaration for employees and applicants. It is advisable to choose wording that, on the one hand, complies with all legal requirements and, on the other hand, is clear and understandable. Confusing or overly complex terminology can lead to difficulties later on. Redrafting such declarations can also be time-consuming, so it is better to get them right the first time. It is therefore advisable to have a legal professional review the declarations with you to ensure that they are correct.
Because personal data is regularly collected and processed in them, the following areas therefore require a meticulous approach to the handling of personal data:
- Data of applicants,
- Data for personnel file (see § 26 BDSG),
- The transfer of employee data to third parties,
- Health data of employees,
- Company communication (especially telephone and e-mail),
- Use of data on the internet (keyword: company homepage; career platforms)
For more specialised guidance, please contact our lawyers directly using the contact details below this page.
Our Services in Employee Data Protection
We would be pleased to advise you on implementing data protection regulations. The further development of data protection law will not make your current IT infrastructure obsolete; it only requires an analysis of whether there is a need for improvement. Our lawyers will analyse how this can be done quickly and efficiently. In addition, our lawyers will highlight the precautions needed to avoid data leaks and to ensure that data is handled in compliance with the law. This is especially important when collecting and storing employee data and when private devices are used for work purposes. An equally important issue is the monitoring of employee data, as this is only permitted to a limited extent. Internet and telephone records, for example, may only be checked if there is a specific reason for doing so.
The assessment of our specialised lawyers can provide you with reliable information in this respect and thus create the legal framework for your measures. In this context, the IT technology used must also meet the legal standard. Furthermore, the special connection between data protection and relevant company, collective or service agreements can also be established with the help of our lawyers’ expertise in employment and labour law and thus be appropriately taken into account.
The attorneys at Schlun & Elseven can advise you in the area of employee data protection both out of court and in the courts. Contact us today using our contact details below to find out more.