/>iThe European Court of Justice (ECJ) recently delivered a decision that significantly impacts how employers and works councils across the European Union approach the processing of employee data. The ruling clarifies that works agreements cannot be used to weaken or sidestep the requirements of the EU General Data Protection Regulation (EU GDPR), even by collective workplace arrangements.
Quick Hits
- Data processing activities prohibited by GDPR cannot be legitimised by a works agreement.
- All data processing must be lawful, transparent, and fully compliant with European data protection law.
- A mutual agreement between an employer and a works council does not create a lawful basis for otherwise noncompliant processing.
A recent case brought before the ECJ clarified the application of GDPR in an employment context within the EU. An employee challenged the processing of personal data by their employer, specifically questioning the lawfulness of the employer deploying the use of a cloud-based management system and the transfer of information from a previous provider to the employer’s new software. The employer had approved a collective works agreement permitting the transfer and the temporary processing of the data for this purpose. However, the employee argued that the processing was not necessary for processing on an employment basis, nor was it necessary to be used for testing on the new system. The Court of Justice of the European Union (CJEU) held that no collective agreement could override GDPR standards and awarded damages to the employee for transferring data without an independent legal basis.
Works agreements are a common feature in many European workplaces, particularly in Germany. These agreements, negotiated between employers and works councils, often set out the terms for processing employee data, including employee monitoring, the use of new monitoring technologies, and other HR-related data activities. Historically, some employers and works councils have viewed these agreements as providing a lawful basis for data processing, sometimes assuming that the collective nature of the agreement could justify broader or more flexible data use.
The ECJ’s ruling makes it unequivocally clear that works agreements cannot be used to circumvent or dilute the requirements of GDPR. The ECJ highlighted several critical points:
- Works agreements do not provide a special status or exemption from GDPR obligations. All data processing activities must adhere strictly to GDPR’s core principles, including lawfulness, necessity, data minimisation, proportionality, protection of sensitive data, and adequate safeguards for international data transfers.
- Any legal basis for data processing established by a works agreement is subject to comprehensive judicial scrutiny. Employers and works councils cannot simply decide what is necessary for data processing; their decisions must withstand the high standards set by GDPR, including a valid legal basis for all data processing.
- The ruling also clarifies that data protection is not subject to the works council’s codetermination rights. This means that even if both parties agree to certain data processing activities, the parties cannot override GDPR’s requirements through negotiation.
Practical Implications
Organisations may want to review any existing works agreements to ensure full compliance with GDPR. It is worth noting that works council requirements can vary between EU member states, with some countries requiring works council consent before processing can begin. Organisations may want to consider these obligations alongside data privacy requirements, including, for example, the obligation to provide in-depth and transparent information about the purposes, scope, and categories of data processed. Organisations may also want to ensure that robust technical and organisational measures are implemented to protect employee data, particularly when dealing with sensitive information or when carrying out international transfers under an appropriate mechanism, even if the works council has signed off on the technical and organisational measures in place.
Failure to comply with GDPR, notwithstanding the blessing of a works council, can expose employers to significant risks, including employee claims for damages and substantial regulatory fines under GDPR of up to €20 million, or up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.
The ECJ’s ruling serves as a strong reminder that GDPR compliance is non-negotiable. Works agreements, while valuable for regulating workplace matters, cannot be used to justify or legitimise data processing activities that fall short of GDPR’s requirements.
