Background

At the beginning of October 2024, the German Federal Ministry of Labour and Social Affairs together with the Federal Ministry of the Interior and Community submitted a new draft for an Employee Data Act (hereinafter the “Draft Bill”) intended to strengthen fair handling of employee data and to increase legal certainty for employers and employees in a digital work environment. For instance, as a national-specific law under Art. 88 GDPR, the Draft Bill addresses issues such as the extent to which employers may use artificial intelligence (AI), the employer's right to ask questions in the application process, or in which cases the digital monitoring of employees is permitted. The Draft Bill also addresses some practical questions relating to CCTV surveillance and the exchange of data between group companies, e.g. in matrix organizations.

History repeating itself or third time’s a charm?

The idea of establishing an employee data protection act goes back a long way in Germany - as far back as the 1980s when the German government approved a first draft law for the regulation of employee data protection. However, that law never came into force. Another attempt of adopting such a law was made in 2010, but the law was rejected due to resistance from employers’ associations and trade unions. Since then, several government coalitions started several attempts to codify a German employee data protection Act, however without making any significant progress. Therefore, the processing of personal data in the employment context still is governed by a single provision (Section 26) in the German Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), and various case law of the German labor courts instead.

Since the processing activities of employers in modern business have become more and more complex and diverse, many voices have been calling for a separate data protection law for the processing of employee data to come to a more holistic regulation. For instance, more recently, the conference of the independent data protection supervisory authorities of the Federation and the States (Datenschutzkonferenz; “DSK”, see the paper here) urged for such a law in 2022. The DSK believed that further regulations were necessary and overdue and requested the German legislator to create legal regulations in the context of an independent employee data protection law, at least for the most relevant use cases.

New attempt, new luck? The time might seem right for such a project. This is because the initiative fits into a couple of other strategic, data-centric legislative projects which have recently been established on national and European level and will be established in the near future at a European level as well as on the national level in Germany. Moreover, recent court judgements have made the already patchy nature of German employee data protection law even more uncertain.

The GDPR allows national legislators to adopt national laws that specify data protection requirements in the employment context in accordance with Art. 88 (1) GDPR. Currently, employee data protection in Germany is essentially regulated by the general provision Sec. 26 BDSG and shaped by case-law of Germany courts, which are then applied to other cases as precedents Examples are issues relating to an employer's right to ask questions in the recruitment process, regarding the deployment of applications and tools to monitor or investigate the employees’ company devices and information technology, or the processing of employee data as evidence in litigation.

In March 2023, however, the European Court of Justice (ECJ) specified the conditions mentioned in Art. 88 (2) GDPR (C-34/21) in relation to a German State law provision which is essentially similar to Sec. 26 (1) sentence 1 BDSG. As a consequence, the Federal Labor Court (Bundesarbeitsgericht, “BAG”) found that Sec. 26 (1) sentence 1 BDSG is not in line with the GDPR, since the requirements of the GDPR which the ECJ had formulated in its judgement are not met (1 ABR 14/22). Other parts of Sec. 26 BDSG on the other hand, such as Sec. 26 (3) BDSG regarding the processing of special categories of personal data, were explicitly upheld by the BAG as being in line with the GDPR. This created an uncertainty as to the overall applicability of Germany’s central employee data protection provision. As a consequence, the DSK renewed its call for an employee data protection act (see here).

Finally, the call for dedicated employee data protection act became louder, since it has been shown that the transfer of single data protection requirements into sector-specific laws can lead to more transparency for those applying the law (see, e.g., the German Act on Data Protection and Privacy in Telecommunication and Digital Services). Hence, the introduction of an employee data protection act could be beneficial for the clarity of processing personal data in the employment context for employers and employees as well as legal practitioners. However, there is also the risk that such a law imposes even more bureaucracy on companies.

Overview of the content of the Draft Bill

The content of the Draft Bill is structured by distinguishing between more general provisions and requirements for specific processing scenarios:

• Part 1: General Provisions

  • Chapter 1: Scope and definitions (esp. employees and employers, which include both, public bodies and private companies)

  • Chapter 2: Principles for the processing of employee data (including rules on the necessity test and consent as legal bases, secondary use of data, technical and organizational measures, including in the context of AI)

  • Chapter 3: Specific provisions on data subject rights, works council rights regarding DPO appointment and dismissal

• Part 2: Specific Provisions

  • Chapter 1: Specific rules on the processing of employee data prior to the establishment of the employment relationship (including for qualification and background checks, examinations and tests)

  • Chapter 2: Specific rules on surveillance of employees for the protection of the health and safety of employees as well as the prevention and detection of criminal offenses and breaches of duty (including ongoing monitoring, CCTV, location tracking, and performance monitoring)

  • Chapter 3: Specific rules on profiling (including lawfulness of profiling, and specific requirements for transparency and data access rights)

  • Chapter 4: Special processing scenarios (esp. for authorization and authentication purposes, data processing in larger corporations)

Overview on key issues covered by the Draft Bill

The Draft Bill contains several regulations regarding the processing of employee data. In particular, the Draft Bill covers the following key issues (non-exhaustive):

• Consent: The Draft Bill provides for examples on scenarios when consent in an employment context can be freely given, for example when publishing photos on the intranet, for private use of company IT systems, or for the use of biometric data to facilitate identification; where there is an equivalent alternative that does not require the use of biometric data (Sec. 5 Draft Bill).

• Collective agreements: The Draft Bill provides further clarity regarding the requirements for employee data protection provisions in collective agreements, such as works council agreements. In particular, these must not deviate from the GDPR or the Draft Bill to the detriment of employee protection. Furthermore, collective agreements cannot impose the lawfulness of the processing of employee data (Sec. 7 Draft Bill).

• Transparency obligations when using AI: Specific data subject rights shall be codified for the use of AI systems by employers, in particular a right to information about the functioning of the system (Sec. 10 (3) Draft Bill).

• Works council co-determination right: The works council is granted a right of co-determination in the appointment and dismissal of (internal and external) data protection officers (Sec. 12 Draft Bill). This provision is likely to cause additional administrative burden for employers (and potential blocking statues for works councils).

• Data processing during the application phase: The Draft Bill codifies the established case law on the employer's right to ask questions during the application phase and regulates the request for information on sensitive characteristics based on Sec. 8 of the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz) (Sec. 13 et seq. Draft Bill). Questions during the application process about certain sensitive data may only be asked under strict conditions and if the interests of the employer outweigh the interests of the applicant (Sec. 14 (1) Draft Bill). Questions regarding severe disabilities are completely prohibited in the application process (Sec. 14 (2) Draft Bill). In the event of an infringement of these conditions, the processing of the data may not be even based on the applicant's consent. This regulation may have a particular impact on companies in the context of Diversity, Equity & Inclusion (DEI) initiatives if employers want to ask questions to strengthen corporate diversity (Sec. 14 (4) sentence 2 Draft Bill).

• Surveillance measures: The Draft Bill provides more clarity by defining specific rules for different types of surveillance measures. The Draft Bill contains separate provisions for particularly intrusive forms of surveillance, such as long-term or covert measures, as well as for the very common practice of video surveillance or tracking of employees. It regulates, for example, in which limited cases covert surveillance is permissible (e.g. to uncover criminal acts) (Sec. 20 Draft Bill) and stipulates that data collected in the context of employee surveillance must not be processed for performance review purposes (Sec. 23 Draft Bill). The Draft Bill specifies that such surveillance measures can be implemented especially for the purposes of the protection of the health and safety of employees, the prevention of criminal offenses and breaches of duty as well as their detection.

• Data processing in a group of undertakings: With regard to the processing of data in a group of companies, the Draft Bill clarifies that, under certain conditions, such as the employer's legitimate business interests, the exchange of data with other group companies is lawful (Sec. 30 Draft Bill). For example, the Draft Bill now specifically classifies the exchange of personal employee data in matrix organizations or the transmission of such data to a group-internal service company which provides centralized administrative tasks and group-wide services (like the provision of information technology) as legitimate interests.

Timeline for the legislative procedure

The current draft is still at the very beginning of the legislative procedure, as a Draft Bill by the competent ministry (Referentenentwurf) is only the first step in the legislative process.

According to press information, the ministries at issue will request the German government to pass the final Draft Bill already by the end of this year. The conclusion of the parliamentary process is planned for the first half of next year (Q1/Q2 2025), so that the law could come into force in August or September 2025, and still before the next federal elections. Although the new law thus could theoretically be passed next year, this seems more than uncertain given the early stage of the legislative process, the amount of disputed content and legal issues, and the upcoming federal elections next year.

Outlook

It remains to be seen whether the Draft Bill will actually become reality as envisaged by the German government, and if so, whether and how its contents will be amended during the legislation process.

Companies should monitor the legislative procedure in Germany closely in order to ensure that they can comply with the new obligations once they are finalized. If the Draft Bill was finally passed in the current version, it could result in some necessary adjustments for employers, for example with regard to DEI initiatives in the application process or surveillance measures.

Authored by Dr. Christian Tinnefeld, Dr. Henrik Hanßen, Theresa Mengler, Dr. Michael Thiesen, and Anna Theresa Vogel.