On May 4, 2022, the German Datenschutzkonferenz (DSK) called on the German legislature to draft a new Employee Data Protection Act that more clearly identifies what types of employee data processing is lawful and the scope of employee monitoring. Currently, employee monitoring in Germany is regulated by the EU General Data Protection Regulation (GDPR) and the amended German Federal Protection Act (BDSG) which implements its provisions. In particular, Section 26 of the BDSG provides that an employer may process the personal data of employees for “employment-related purposes” during the hiring process and then to carry out or terminate the employment contract or satisfy the rights of employees. The passage of a new Employee Data Protection Act would be significant because currently no law regulates employee monitoring in Germany and because German law generally does not require an employee’s consent to monitoring, with a few exceptions under the German Telecommunications Act (TKG).
Specifically, the DSK recommends that the new law address the following:
- regulate the use of algorithmic systems in the employment context on basis of consent;
- set limits to performance control such that secret checks or permanent monitoring in the workplace and “home office” are prohibited, restrict access to e-mails and other technical data of employees, regulate video surveillance systems, and limit the use of GPS tracking;
- amend Section 26 of the BDSG to consider the imbalance of power in the employment context, as raised by the European Data Protection Board’s guidelines 05/2020 on consent;
- clarify whether and to which extent collective agreements can authorize greater legal bases for data processing;
- clear up an inconsistency in Section 22 and Section 26 of the BDSG regarding processing special categories of personal data;
- standardize a ban on the use of evidence for illegally processed employee data; and
- promulgate regulations for data processing during the application phase on topics including the employer’s right to ask questions, request background checks, medical examinations, and other tests, and collect data from third-party sources.
The Federal Ministry of Labor and Social Affairs is expected to prepare a draft Employee Data Protection Act over the coming months. In light of the evolving landscape, particularly around employee data, companies operating in and outside of Germany are well served by assessing the full extent of their employee and job applicant data collection, processing, and monitoring activities. Organizations should conduct an inventory of the types of employee-related data they collect, the purpose for its collection, how it is stored and maintained, and how it is shared within and outside of the organization. This data mapping activity will create a deeper understanding of the organization’s use of, and need for, the data, as well as facilitate quick adaptation to new regulations as the organization builds a scalable and sustainable data security and privacy infrastructure.
The Octillo Global Data Privacy Team continues to actively monitor updates to the privacy landscape as well as the impacts that the new German Employee Data Protection Act regulations will have on businesses. To learn more about the impact this law may have on your business, email Octillo Compliance and Advisory Services Team Leads Kara L. Hilburger, Esq., at email@example.com or Jordan L. Fischer, Esq., at firstname.lastname@example.org or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Data Privacy landscape.
*Attorney Advertising: Prior results do not guarantee future outcomes.