German Update: The employer as the person responsible for data protection
14/07/2021
Background
According to Art. 4 No. 7 GDPR, “controller” is the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of the processing of personal data. The determination of the data protection controller in a process in which several bodies are involved is first of all the decisive starting point for any data protection advice.
The controller has a variety of rights and obligations: the fulfillment of information obligations (Art. 13, 14 GDPR), the fulfillment of the rights of data subjects (Art. 15 et seq. GDPR), the documentation of processing activities (Art. 30 GDPR), the provision of appropriate technical and organizational measures (Art. 32 GDPR) or the reporting of violations of the protection of personal data (Art. 33 GDPR).
Since the GDPR came into effect, it has been controversial whether the works council, in addition to the employer, is also responsible under data protection law for the processing of personal data that is made available to it. The Federal Labour Court has expressly left this legal question open in two decisions from 2019 (BAG, decision of 7.5.2019 – 1 ABR 53/17 and BAG, decision of 9.4.2019 – 1 ABR 51/17). Occasionally, regional labour courts had previously assumed the works council’s own responsibility (LAG Mecklenburg-Vorpommern, decision of 15.5.2019 – 3 TaBV 10/18; LAG Sachsen-Anhalt, decision of 18.12.2018 – 4 TaBV 19/17).
With the Works Council Modernisation Act, which came into force on 16 June 2021, the federal legislature has now apparently answered this question. According to § 79a S. 2 BetrVG, the employer is responsible insofar as the works council processes personal data for the fulfilment of the tasks within its competence.
Classification
According to § 79a S.1 BetrVG, the works council must comply with data protection when processing personal data. The BAG (decision of 7.5.2019 – 1 ABR 53/17) has already stated this and emphasized that regardless of data protection responsibility, the works council must comply with the GDPR and the BDSG when processing data. The explanatory memorandum to § 79a BetrVG states that the works council within its area of responsibility must ensure the implementation of technical and organizational measures to ensure data security within the meaning of Articles 24 and 32 of the General Data Protection Regulation.
According to § 79a S.2 BetrVG, the employer is now responsible for the processing of personal data insofar as the works council processes them for the fulfilment of the tasks within its competence. The federal legislature has therefore assigned the employer the basic responsibility for the processing of personal data. However, it has expressly made this responsibility subject to a reservation: responsibility only exists to the extent that the works council processes personal data within the scope of its tasks, in particular in accordance with the BetrVG. The provision can be interpreted in such a way that the employer is not responsible under data protection law if the works council processes personal data for purposes that do not serve the fulfilment of the tasks within its competence. The works council could then be regarded as independently responsible for such processing, with the consequence that it would have to answer for data protection violations.
According to § 79a S.3 BetrVG, the employer and the works council must support each other in complying with data protection regulations. The explanatory memorandum to §79a BetrVG states in this regard that the works council is not subject to any obligation to keep its own register of processing activities (Art. 30 GDPR), but the employer’s processing register must also contain the processing activities of the works council. For this purpose, the employer is necessarily dependent on the support of the works council.
In sentences 4 and 5, § 79a BetrVG also contains provisions regarding the data protection officer. The data protection officer is now also subject to a statutory duty of confidentiality vis-à-vis the employer with regard to the works council. From this it can be concluded that the data protection officer should also fulfil his legally stipulated obligations, especially vis-à-vis the works council.
Assessment
On closer inspection, § 79a BetrVG does not have the clarification function that would have been desirable, in particular with regard to the case-law already issued.
As a first measure, we recommend supplementing the processing list with the processing carried out by the works council, if this has not already been done. The works council has a duty to cooperate here. As a further measure, the conclusion of a works agreement can be considered, which delimits the rights and obligations between employer and works council and, in particular, clearly defines the position of the data protection officer vis-à-vis the works council. The involvement of the data protection officer can minimize liability risks by allowing him to be consulted by the works council at an early stage. We will keep an eye on the further development of §79a and inform you accordingly.
By Johannes Fischer, MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact germanylabor@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.