Employee Data Protection in Germany

Advancement in technology and constantly evolving digitalisation impact employment relationships. Employers increasingly rely on the digital recording of relevant data, especially concerning the keeping of personnel files. The legislature has therefore felt compelled to resolve the conflict between the recording of (sometimes sensitive) personal data and the right to self-determination with regards to personal information guaranteed by fundamental rights (Article 2 (1) in conjunction with Article 1 (1) of the Grundgesetz (German Constitution)).

Employees generally want to be assured that their data protection rights are respected. Similarly, the data processing employer also wants to protect themselves from involvement in a data breach scandal. This is also understandable because of growing and stricter regulations. These regulations are in place to standardise fines and other sanctions for violations of data protection (Art. 83 GDPR). The intended protection of the employee, who is probably in a weaker position in this context, should therefore ensure that the employer only collects and processes the employee’s personal data to a limited and controlled extent.

Additional data protection regulations can be found in the Works Constitution Act (BetrVG), the Income Tax Act (EStG) and the Social Security Code IX (SGB IX).

The Basic Rules on Data Protection in Germany

The central set of rules is the General Data Protection Regulation (GDPR), which applies equally in all EU countries. In addition, the Federal Data Protection Act (BDSG) also applies in Germany. GDPR, which has been in force since May 2018, partially replaces and supplements the provisions of the Federal Act. This regulation outlines what is permitted when using a person’s personal data under the “data processing principles”. These principles are listed under Art. 5 GDPR:

  • The legality of the processing: has the data been processed correctly? The data must be processed lawfully, fairly and in a transparent manner concerning the data subject.
  • Legality in the gathering: has the data been gathered in a legal manner?
  • Transparency: is your employer open about the reason for gathering and processing your data?
  • Minimisation of data collection: has your employer gathered more data than is necessary? Why have they gathered what appears to be additional data? The data must be adequate, relevant and limited to what is necessary concerning the purposes for which they are processed.
  • Accurate: is the data collected by your employer correct and current? The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data regarding the purposes for which they are processed are erased or rectified without delay.
  • Correct storage of data: the data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • Integrity and Confidentiality: the data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Definition of Terms

Art. 4 GDPR contains the relevant definitions in data protection law according to the regulation. This section must be viewed as the starting point for the application of data protection regulations and consequences. Under this section, the definitions for “data controller”, “data processor”, and “data recipient” are outlined.

Art. 4 GDPR also defines “personal data”. “Personal data” under the regulation means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of personal data include (a person’s):

  • Name, age, address
  • Date of birth
  • Contact details (telephone number, e-mail address)
  • Identity card number
  • Health data
  • Marital status
  • Religion
  • School Education
  • Work experience

“Processing” under Art. 4 GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Note: GDPR is based on the principle of prohibiting data processing subject to permission. This means that data processing is generally prohibited but is permitted under certain circumstances. Therefore, another person cannot use your data in the above-mentioned manners without getting your permission first to do so. Permission can be granted:

Tip: The former is on a shakier legal foundation due to its revocability. Therefore, an attempt should be made to base the lawfulness of data processing – at least additionally – on the general elements of authorisation under Art. 6 lit. b-f GDPR. These are:

  • fulfilment of (pre-)contractual obligations,
  • protection of legitimate interests,
  • fulfilment of legal obligations,
  • protection of vital interests,
  • protection of public interests and exercise of official authority.

If you have any further questions on this matter relating to your situation, please make sure to contact our employment lawyers directly.

Practical Data Protection Problems

Companies regularly review themselves and the systems they use to check that they conform with the applicable legal situation. Working alongside a legal expert with experience in data protection will ensure that the appropriate systems are in place within the company. In addition, ensuring that the correct measures are in place within the company will prevent future legal problems from arising in this area.

Concerning the data protection rights of their own employees, this begins with the data protection declaration for employees and applicants. It is advisable here to choose wording that, on the one hand, complies with all legal requirements and, on the other hand, is clear and understandable. Confusing or overly complex terminology can lead to future difficulties. Redrafting such declarations can also be time-consuming, so it is better to get it right the first time. Therefore, it is advisable to have a legal professional review the declarations with you to ensure that they are correct.

Because personal data is regularly collected and processed in them, the following areas require a meticulous approach to the handling of personal data:

  • Data of applicants,
  • Data for personnel file (see § 26 BDSG),
  • The transfer of employee data to third parties,
  • Health data of employees,
  • Company communication (especially telephone and e-mail),
  • Use of data on the internet (keyword: company homepage; career platforms)

For more specialised guidance, please contact our lawyers directly using the contact details below this page.

Our Services in Employee Data Protection

We would be pleased to advise you about implementing data protection regulations. The further development of data protection will not make your current IT infrastructure obsolete but only requires an analysis of whether there is a need for improvement. Our lawyers will analyse how this can be done quickly and efficiently. In addition, our lawyers will highlight the necessary precautions to be taken to avoid data leaks and ensure that data is handled in compliance with the law. This is especially important when collecting and storing employee data and using private devices for work purposes. An equally important issue is the control of employee data, as this is only permitted to a limited extent. Internet and telephone records, for example, may only be checked if there is a specific reason for this.

The assessment of our specialised lawyers can provide you with reliable information in this respect and thus create the legal framework for your measures. In this context, the IT technology used must also meet the legal standard. Furthermore, the special connection between data protection and relevant company, collective or service agreements can also be established with the help of our lawyers’ expertise in employment and labour law and thus be appropriately taken into account.

The attorneys at Schlun & Elseven can advise you in the area of employee data protection both out of court and in the courts. Contact us today using our contact details below to find out more.

Practice Group: German Employment Law

Dr. Thomas Bichat

Certified Specialist Lawyer in Employment Law

Jens Schmidt

Certified Specialist Lawyer in Employment Law

Martin Halfmann, LL.M.