What's next for employee data protection in Germany?

26. April 2023 Alexander Tribess

The Court of Justice of the European Union has taught German lawmakers a lesson. The “copy-paste legislation” on employee data protection from 2017 is largely contrary to European law (ECJ, judgment of 30 March 2023 – C-34/21).

Now, what’s the impact of this judgment on employee data protection in Germany? Does this make Section 26 BDSG (and the corresponding provisions in state laws) completely obsolete in the future? And what does all this mean for the handling of employee data?

Good news first: The effects of the ECJ judgment will be minimal when it comes to the legitimacy of the data processing operations themselves. However, companies will have to update their privacy notices and replace all references to (invalid parts of) Section 26 of the BDSG with the applicable provisions of the GDPR.

Before we start with the details, let’s check on the current legal framework for employee data protection in Germany and the proceedings at the ECJ: Before the GDPR became applicable on 25 May 2018, Germany had regulated the processing of employee data in a specific provision of its then current Federal Data Protection Act (BDSG). In late 2017 – just before the elections – the German legislator decided to basically copy and paste this provision into the new BDSG. It took the view that this approach was permissible because Art. 88 of the GDPR gives the EU member states the right to “provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. Art. 88 para. 2 of the GDPR further explains the intentions of the EU legislator: “Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.”

Germany, though, did not bother to check the previous provisions in this respect when reinstating them in the new BDSG. Hence, some parts of Section 26 BDSG more or less just repeat fragments of Art. 6 of the GDPR. In its judgment of 30 March 2023, the ECJ held that this is not permissible and that national rules pursuant to Art. 88 of the GDPR must indeed be “more specific” than the GDPR itself with regard to the aspects outlined in Art. 88 para. 2 of the GDPR.

Since the ECJ judgment did not deal with Section 26 BDSG itself (but with a similar provision in a German federal state’s law), it is worth checking the different provisions of Section 26 BDSG in the light of the ECJ judgment:

Section 26 para. 1 sentence 1 BDSG states: “Personal data of employees may be processed for purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination, or for the exercise or fulfillment of the rights and obligations of the employees’ interest representation resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement).”

This is partly just a repetition of Art. 6 para. 1 lit. b of the GDPR and obviously not “more specific”. To the extent that it is not a mere repetition, e.g. because it does not rely on the data subject initiating pre-contractual communications, it clearly does not “include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights”. This part of Section 26 BDSG is no longer a suitable legal basis for the processing of personal data. However, headhunting will still be possible as long as it is in line with Art. 6 para. 1 lit. f of the GDPR.

Section 26 para. 1 sentence 2 BDSG has a specific focus: “Personal data of employees may only be processed for the purpose of uncovering criminal offenses if factual indications to be documented give rise to the suspicion that the data subject has committed a criminal offense in the employment relationship, the processing is necessary for the purpose of uncovering the offense and the interest of the employee worthy of protection in the exclusion of the processing does not prevail, in particular the type and extent are not disproportionate with regard to the reason.”

This provision is likely to survive the ECJ judgment since it is both more specific than Art. 6 para. 1 lit. f of the GDPR and includes specific measures in order to safeguard the data subject’s human dignity, legitimate interests and fundamental rights.

Section 26 para. 2 BDSG contains specific prerequisites for consent given by employees: “If the processing of personal data of employees is based on consent, the assessment of the voluntary nature of the consent shall take into account in particular the dependency of the employee in the employment relationship and the circumstances under which the consent was given. Voluntariness may exist in particular if a legal or economic advantage is achieved for the employee or if the employer and the employee pursue similar interests.”

This provision, too, may be considered more specific than Art. 6 para. 1 lit. a and Art. 7 of the GDPR. Considering the additional criteria for the voluntary nature of consent, it is likely that this provision can still be applied as well.

Section 26 para. 5 BDSG (“The controller must take appropriate measures to ensure that, in particular, the principles for the processing of personal data set out in Article 5 of Regulation (EU) 2016/679 are complied with.”) is obviously just a repetition of GDPR principles, and it did not make sense from the beginning to have it in the law.

Section 26 para. 7 BDSG augments the application of data protection laws in general: “Paragraphs 1 to 6 shall also apply if personal data, including special categories of personal data, are processed by employees without being stored or intended to be stored in a file system.”

This provision is very questionable because it does not define specifics for the processing of employee data but varies the definitions set forth in Art. 4 of the GDPR, and there is no opening clause for that in the GDPR. Hence, it is likely that this specific German rule will not stay, either.

As shown above, there are some parts of the German law that will remain unaffected by the ECJ judgment. It will be up to the courts in Germany (and maybe the ECJ again) to refine employee data protection law in Germany. Since there have been discussions on a specific German employee data protection regime for more than a decade, there is not much hope for a successful relaunch of this project in the near future.