1. Too much information
The right to information pursuant to Article 15 (1) of the GDPR enjoyed massive rise in popularity among employees in 2021. In particular, wrongful dismissal lawsuits were and are readily accompanied by requests for information in accordance with the General Data Protection Regulation (GDPR). In response to this, a Federal Labor Court ruling simplifies the situation for many HR departments, as we have already reported: According to this ruling, the plaintiffs now have to clearly and specifically justify such requests for information. Otherwise, their lawsuit is considered inadmissible and the company is entitled to refuse to provide the information.
As such, the second senate maintained its position: The highest labor court judges in Erfurt had already issued a ruling regarding copying data pursuant to Article 15 (3) of the GDPR, stating that a copy of all e-mail correspondence cannot simply be demanded. In particular, not in addition to all e-mails in which the applicant is mentioned personally. (Decision dated April 27, 2021 – Ref.: 2 AZR 342/20). The judges justified their decision by explaining that a ruling in accordance with the application is not enforceableand it lacks an adequately specific claim pursuant to Section 253 (2) No. 2 of the Code of Civil Procedure. Rather, plaintiffs are required to specifically state which e-mails they wish to receive a copy of.
Action by stages required
In the current case, the Federal Labor Court ruled that employees willing to file a lawsuit could seek to pursue their claim through action by stages pursuant to Section 254 of the Code of Civil Procedure. The first stage consists of obtaining information regarding which e-mails belonging to the category concerned the defendant processes. The second stage consists of action whereby an affirmation in lieu of oath confirms that the information is accurate and complete. In the third stage, the plaintiff may then request copies of the relevant e-mails defined in the course of this information request. In terms of human resources, this means that employers may reject blanket and imprecise requests for information submitted on the basis of to Article 15(1) of the GDPR.
But when is the scope of the request too broad and when is it not? The deciding factor is whether the specific data about which the plaintiff would like seek information can be defined without further inquiry. According to the Federal Labor Court, abstractly stating the (data) categories of the e-mails is not sufficient.
Requesting information to prove overtime represents an abuse of these rights
According to the Saxony State Labor Court, employees do not have a right to information pursuant to Article 15 (1) of the GDPR if they intend to use the information to provide the employer with proof of overtime (decision dated February 17, 2021, Ref.: 2 Sa 63/20). The labor court judges in Chemnitz ruled that this represents an abuse of the rights, and does not reflect the purpose of the GDPR. Employees must provide their own proof of when and to what extent they worked overtime at the behest of their employer.
A successful defense in advance
How can companies defend against unjustified demands for information? In the case of blanket requests, HR need to prepare a standard letter stating that the information cannot be provided as the request is not specific enough. To gain a clearer picture of the employee’s motivation, this letter should also request that the employees state their request for information more precisely. With a view towards possible claims for damages, HR managers need to develop a proactive strategy and implement standardized processes: Which employees are responsible for information claims? How can they identify an impermissible request for information? Is the corresponding documentation ensured? How is it possible to ensure that the one-month period pursuant to Article 12 (3) sentences 1-3 of the GDPR is complied with?
2. Not expedient: The DGB draft law on employee data protection
According to the coalition agreement, legal clarity and the effective protection of privacy rights are declared goals of the German government with regard to employee data protection. In the wake of repeated unsuccessful attempts to pass a law on employee data protection, the independent interdisciplinary advisory board on employee data protection presented a series of ideas and recommendations to the Federal Minister of Labor, Hubertus Heil, in mid-January. At the beginning of February the DGB and its member trade unions submitted a draft with binding regulations governing employee data protection. This has become necessary in response to employers’ increasing use of digital methods to monitor or collect personal data about employees.
Risk of prison sentences at worst
Both employers and employees could benefit from greater legal clarity. However, the laws suggested by the unions’ proposal were failed to fulfill the government’s goals. The proposed regulations are impractical and would require excessive administrative work. In addition, the entrepreneurial risk would become impossible to calculate. To name but one of many examples: According to Section 12 (5) of the proposal, companies are not permitted to process biometric data during the application phase. On the one hand, this extends the employee data protection to cover applicant data protection. Yet, in addition, the data controllers could face up to two years in prison pursuant to Section 39 if they process, forward, or store a biometric portrait image from a resume. In reality, this can easily happen because applicants frequently use photos taken when they renewed their ID cards. However, the large number of applications makes it almost impossible for human resources staff to easily and clearly determine without any doubt whether each individual image is biometric or not.
3. Employee survey on climate protection: Beware of the pitfalls!
As we have already reported, the lawmakers’ requirements regarding non-financial sustainability reporting continue to grow on both the EU and national levels. These requirements include the criteria concerning environmental protection (Environment), social standards (Social) and value-oriented corporate governance (Governance). Together, these standards are referred to as ESG. At the same time, banks, investors and customers are increasingly examining how companies are positioned with regard to sustainability and climate protection.
In view of this, many companies are currently working to gather reliable data to present their positioning. This data includes the environmental footprint created by their employees’ commute to work. To do so, companies need to record their movement data. Given that this is personal data, employee data protection applies. Therefore, employers need to restrict the data collection to a minimum and at least pseudonymize this data wherever possible. Article 6 (1) f) of the GDPR can be cited to justify the data processing, given that collecting the data represents a legitimate interest of the company. However, depending on the specific case, the employer may also need to obtain consent pursuant to Section 26 of the German Federal Data Protection Act as the data collected is not essential to fulfill the employment relationship. It is important to bear in mind that, under certain circumstances, the works council has a right of co-determination in accordance with Section 87 (1) no. 6 of the Works Constitution Act if the data is collected digitally. Furthermore, Section 94 (1) of the Works Constitution Act also stipulates that the employee representatives must approve employee surveys.
The specific purpose is what counts!
If employers intend to analyze data that they have already collected with regard to ESG issues, they need to take particular care to observe the principle of limitation to a specific purpose pursuant to Article 5 of the GDPR: If data has been collected for a specific purpose, it cannot simply be utilized for other purposes.
4. Large companies face higher fines
The European Data Protection Board’s current plans make greater awareness of the risks of employee data protection even more important. The EDPB has published guidelines for harmonization with the aim of standardizing the calculation of fines throughout Europe. Up until now, the GDPR has applied Europe-wide. However, the national data protection authorities each punished the violations in accordance with their own standards. A five-step calculation methodology will serve to implement more transparent approach to fines. Data protection violations could become more expensive, especially for larger companies.
Conversely, these new guidelines offer companies the advantage of being able to better assess the risk of fines. Although EDSA will continue to seek feedback regarding the new guidelines until June 27, 2022, experience has shown that significant changes are not to be expected. Therefore, companies can already use the guidelines to examine the opportunities and risks of any data privacy litigation. This also includes employment termination litigation, alongside defending against fines. Recent court decisions have demonstrated that taking legal action against measures implemented by the data protection supervisory authority can prove worthwhile.
- The right to information pursuant to Article 15 of the GDPR will continue to remain an issue for companies. As such, the effort and cost involved in setting up standardized processes can be worthwhile to ensure that companies are prepared for information requests. When handling labor court settlements, employers need to remember to include the right to information.
- One can only hope that the current German government will refrain from using the DGB draft as a foundation for a law on employee data protection. Otherwise, the law would create a risk of rampant bureaucracy and unforeseeable entrepreneurial risks instead of greater legal clarity. We have already reported that employee data protection also holds pitfalls for works councils.
- More and more companies are carrying out employee surveys regarding ESG and sustainability. It is essential to carefully examine the data protection pitfalls beforehand.
- All the more so, as the EDSA plans to release new guidelines for calculating fines as per the GDPR. Violating data protection laws may become even more expensive in certain cases.