Employees’ personal data must be handled in compliance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). The current draft bill for the Employee Data Protection Act (BeschDG) introduces new provisions that are relevant for employers and employees. The aim is to improve data protection in employment relationships and to guarantee employees comprehensive protection in the digital world of work.
Summary of the changes introduced by the Employee Data Act (BeschDG):
- New risk management: It is mandatory to carry out detailed interest assessments to examine the relationship of dependency in labor law. This applies even more so to the use and implementation of technologies and AI. Here, the creation of comprehensible transparency as well as review by human oversight is necessary.
- Works council co-determination rights: Works councils have extended co-determination rights when it comes to the use of AI and new technologies, as well as the appointment and nomination of data protection officers.
- Strengthened necessity assessment: Stricter proportionality assessments are carried out for the admissibility of data processing required by Section 26 BDSG in the case of employee data. In doing so, greater consideration is given to the interests of employees that are worthy of protection.
- Increasing requirements for changes of purpose: Data may only be used for other purposes under stricter conditions. In particular, if the original purpose of data collection differs from the use or if it is to be used for performance evaluation, this may only take place under strict rules.
- Extended rights for employees when AI is used: Employees must be informed about the use of AI and profiling. They have the right to be informed about how AI systems work and the associated protective measures.
- Special provisions under Article 6 GDPR: The new provisions contain specific rules in accordance with Article 88(1) and (2) GDPR and specify the principles of processing under Article 6 GDPR. In the future, the possibility of referring to the general justification for processing based on legitimate interest in Art. 6(1)(f) GDPR in the employment context could be severely limited.
- New deletion periods for applicant data: The previous deletion period of approximately 6 months for applicants’ personal data is now to be reduced to 3 months. This means that the data must be deleted no later than 3 months after the decision not to hire the applicant, provided there are no ongoing legal disputes. The employer must obtain the consent of the data subject if the data is to be stored for longer.
- Strict surveillance regulations: Strict rules apply to compliance checks and surveillance measures such as GPS tracking and video surveillance. Covert surveillance is only permitted in cases of suspected criminal activity. Performance monitoring is generally prohibited.
- Prohibition of use: It is prohibited to use any data obtained in violation of the Data Protection Act in labor law proceedings. Prohibitions on use may also be stipulated in works agreements.
The new regulations strengthen employee protection, but require companies to make greater efforts, particularly in terms of the requirements for dealing with new technologies and monitoring measures. They are increasingly forced to review the necessity and proportionality of data processing and to prepare the corresponding documentation and explanations for those affected.
Conclusion:
The draft of the BeschDG goes significantly beyond what was planned in the 2023 position paper by the BMAS/BMI and the 2022 DSK recommendations. Although the need for an independent and practically implementable BeschDG is clear, the increasing density of regulations could restrict freedom of innovation. Companies could be restricted not only by increasing administrative costs, but also by the declining flexibility of data processing due to the comprehensive regulations.
In cases where specific provisions of the BeschDG apply, companies may no longer be able to argue on the basis of Article 6(1)(f) GDPR. This would also restrict the flexibility of using employee data. The prohibition on the use of unlawfully obtained data could prevent misuse through inadmissible surveillance measures. It is still unclear whether the strict provisions of Section 11 BeschDG will result in unnecessary restrictions on the interests of employers. This is particularly true in cases where minor violations of data protection law can lead to considerable disadvantages for companies. This increases the uncertainty in labor law proceedings.
The draft BeschDG regulates the use of AI in detail and refers to the AI Regulation (EU 2024/1689), which subjects companies to a double compliance obligation. Here, too, this could result in considerable additional expenditure in order to comply with the provisions of the BeschDG and meet the requirements of the AI Regulation. This could give rise to a potential conflict between the regulations: dogmatic and practical problems could arise, as well as new difficulties, due to the new regulation on the extended co-determination rights of the works council in the appointment and dismissal of data protection officers.
Ultimately, companies must comply with the stricter provisions of the BeschDG in their personnel data protection management, which could threaten many HR processes and practices that are already in place.
