Employee Data Protection in Germany

Due to developments in the field of data protection, the German legislature has felt compelled to resolve the conflict between the recording of (sometimes sensitive) personal data and the right to self-determination concerning personal information guaranteed by fundamental rights (Article 2 (1) in conjunction with Article 1 (1) of the Grundgesetz (German Constitution)).

Strict regulations are set to standardise fines and other sanctions for data protection violations (Art. 83 GDPR). The intended protection of the employee, who is probably in a weaker position in this context, should therefore ensure that the employer only collects and processes the employee’s personal data to a limited and controlled extent.

We would be pleased to advise you about implementing data protection regulations. The further development of data protection will not make your current IT infrastructure obsolete but only requires an analysis of whether there is a need for improvement. Our lawyers will analyse how this can be done quickly and efficiently.

In addition, our lawyers will highlight the necessary precautions to avoid data leaks and ensure that data is handled in compliance with the law. This service is essential when collecting and storing employee data and using private devices for work purposes.

An equally vital issue is the control of employee data, as this is only permitted to a limited extent. Internet and telephone records, for example, may only be checked if there is a specific reason for this.

The assessment of our specialised lawyers can provide reliable information in this respect and thus create the legal framework for your measures. In this context, IT technology must also meet legal standards. Furthermore, the special connection between data protection and relevant company, collective or service agreements can also be established with the help of our lawyers’ expertise in employment and labour law and thus be appropriately considered.

The central set of rules is the General Data Protection Regulation (GDPR), which applies equally in all EU countries.

In addition, the Federal Data Protection Act (BDSG) also applies in Germany. GDPR, which has been in force since May 2018, partially replaces and supplements the provisions of the Federal Act. This regulation outlines what is allowed when using a person’s personal data under the “data processing principles”.

These data processing principles are listed under Art. 5 GDPR:

• The legality of the processing: has the data been processed correctly? The data must be processed lawfully, fairly and in a transparent manner concerning the data subject.
• Legality in the gathering: if the data gathered has been done so in a legal manner.
• Transparency: is your employer transparent regarding the reason for gathering and processing your data?
• Minimisation of data collection: has your employer gathered more data than is necessary? Why have they gathered what appears to be additional data? Adequate, relevant and limited to what is required concerning the purposes for which they are processed
• Accurate: is the data collected by your employer correct and current? The date must be accurate and, where necessary, kept up to date; employers must take every reasonable step to ensure that inaccurate personal data regarding the purposes they are processed are erased or rectified without delay.
• Correct storage of data: the data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
• Integrity and Confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Our lawyers advise on all these matters and more.

By carefully analysis the GDPR and the Federal Data Protection Act (BDSG), our lawyers ensure that our clients are fully aware of what is expected of them under German data protection law.

Art. 4 GDPR contains the relevant definitions in data protection law according to the regulation. This section must be viewed as the starting point for the application of data protection regulations and consequences. Under this section, the definitions for “data controller”, “data processor”, and “data recipient” are outlined.

Art. 4 GDPR also defines “personal data”. “Personal Data” under the regulation means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’).

An “identifiable person” can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of personal data include (a person’s):

• Name, age, address
• Date of birth
• Contact details (telephone number, e-mail address)
• Identity card number
• Health data
• Marital status
• Religion
• School Education
• Work experience

“Processing” under Art. 4 GDPR means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

Note: GDPR is based on the principle of prohibiting data processing subject to permission. This means that data processing is generally prohibited but is permitted under certain circumstances. Therefore, another person cannot use your data in the above-mentioned manners without getting your permission first to do so. Permission can be granted:

• by consent of the person concerned (Art. 6 para. 1 lit. a GDPR) or
• be granted general authorisation (Art. 6 para. 1 lit. b, c, d, e, f GDPR)

Tip: The former is on a shakier legal foundation due to its revocability. Therefore, an attempt should be made to base the lawfulness of data processing – at least additionally – on the general elements of authorisation under Art. 6 lit. b-f GDPR. These are:

• fulfilment of (pre-)contractual obligations,
• protection of legitimate interests
• fulfilment of legal obligations,
• protection of vital interests,
• protection of public interests and exercise of official authority.

If you have any further questions on this matter relating to your situation, please make sure to contact our employment lawyers directly.

Companies regularly review themselves and the systems they use to check for correlation with the applicable legal situation.

Working alongside a legal expert with experience in data protection will ensure that the appropriate systems are in place within the company. In addition, ensuring that the correct measures are in place within the company will prevent future legal problems from arising in this area.

Concerning the data protection rights of their employees, it begins with the data protection declaration of employees and applicants.

It is advisable here to choose wording that, on the one hand, complies with all legal requirements and, on the other hand, is clear and understandable. Confusing or overly complex terminology can lead to future difficulties. Redrafting such declarations can also be time-consuming, so getting it right the first time is better. Therefore, it is advisable to have a professional legal review of the declarations with you to ensure they are correct.

Due to their regular collection and processing, the following areas, therefore, require a meticulous approach to the handling of personal data:

• Data of applicants,
• Data for personnel file (see § 26 BDSG),
• The transfer of employee data to third parties,
• Health data of employees,
• Company communication (especially telephone and e-mail),
• Use of data on the internet (keyword: company homepage; career platforms)

Please don’t hesitate to contact our lawyers directly using the contact details below this page for more specialised guidance.