Data Protection and the Works Council
September, 2018 - Regina Glaser, LL.M.
The General Data Protection Regulation (GDPR) also affects the working relationship between the employer and the works council. Among other things, it affects the use of works agreements as a legal basis, the (possible) responsibility of the works council under data protection law, as well as the controlling authority of the company data protection officer over the works council.
WORKS AGREEMENT AS INFORMATION PURSUANT TO ART. 13, 14 GDPR?
Where employee data are processed on the basis of a works agreement, the controller, in this case the employer, still has the duties to inform the data subjects pursuant to Art. 13 or 14 GDPR. At the same time, the employer is required by Section 77 (2) Sentence 2 Works Council Constitution Act (BetrVG) to display the works agreement at a suitable place in the company. This must be done such that the employees can take note of it. In practice this usually means display on the bulletin board. The employer could now be tempted to assume that, on the basis of display on the bulletin board, it has already correctly fulfilled its duties to inform under the GDPR.
However, in order to comply with the duty to inform, the works agreement must first contain all information on data processing prescribed under Art. 13 or Art. 14 GDPR, in the manner envisaged by the law. Even if this prerequisite is satisfied, the employer must nevertheless be advised to actively inform the workforce. Merely making the information available is not sufficient under data protection law. Rather, the employer must actively draw the attention of the employees to the works agreement. Displaying the works agreement is not sufficient. Various other means can be used to comply with the duties to inform under data protection law: distributing/sending a copy of the works agreement to the data subjects, publishing the works agreement on the intranet and sending a link by email. Whether this is practicable in the respective company must be checked on a case-by-case basis.
WORKS COUNCIL AS CONTROLLER?
Irrespective of whether or not a works agreement has been concluded with the works council for a specific data processing matter, the works council processes personal data within the scope of its work. This is the case, for example, when hearing employees before dismissals pursuant to Section 102 BetrVG. The works council must naturally be provided with the relevant employee data in order to enable a correct hearing. The works council therefore has both rights under data protection law, in particular controlling authority over the employer, as well as obligations. It is bound by the rules of the GDPR and the BDSG (German Federal Data Protection Act) in its work, and is also subject to control by the responsible supervisory authority. Under Art. 58 (1) lit. f) GDPR, Section 40 (5) BDSG, the supervisory authorities are also entitled to enter company premises in the performance of their duties, and to gain access to all data processing systems or devices. This also includes the offices of works councils. However, if supervisory authorities ascertain violations of data protection law during such controls, the question arises of who is liable or on whom the fine can be imposed. Is this the employer, or must the works council be considered a controller in its own right?
The supervisory authorities are considering treating works councils as controllers in their own right within the meaning of the GDPR. One possible justification for this could be that the definition of the controller in Art. 4 No. 7 GDPR now also states "other bodies" as possible controllers. This would nevertheless necessitate the works council also being able to determine the means and purposes of the processing. However, the activities of the works council are already severely restricted by the definition of its duties in the law. The works council is permitted to use personal data solely for the fulfilment of these duties. The works councils are also dependent on the infrastructure - in particular IT - of the company. As a result they are already de facto subject to the majority of the employer's technical and organizational measures. From our perspective, the works council is therefore not a controller in its own right.
CONTROL OF THE WORKS COUNCIL BY THE DATA PROTECTION OFFICER?
However, if the works council is part of the controller (the company), the company data protection officer must be in a position to monitor the works council. In this respect, the data protection officer will not act as an extended arm of the employer, as feared by some. Rather, the law stipulates that the data protection officer must be independent and not bound by instructions. Although previous case law has denied the possibility of control, it remains to be seen whether this opinion is still tenable in view of the GDPR and the primacy of European law.
To avoid liability on their part, employers should issue guidelines on how to handle employee data in compliance with data protection law. In particular, employers should draw the attention of the works council to its obligations under data protection law when handing over personal data, e.g. during recruitment procedures. This includes the obligations to erase pursuant to Art. 17 GDPR if the data are no longer required. If this information is not heeded, a violation of data protection law by the works council will be based on arbitrary and unlawful actions. No fault can be attributed to the employer in this case.
The works council cannot currently be regarded as a controller in its own right. To date no ruling to the contrary has been issued by the supervisory authorities, nor has any such ruling been confirmed by the courts. As the works council therefore remains part of the controller, the employer must ensure that the works council receives comprehensive information and instruction concerning data protection law.