Germany: News from Luxembourg – developments to watch out for in Data Protection Law
The ECJ had to decide whether a German statutory provision that provides a legal basis for the processing of personal employee data is in conformity with European Law (C-34/21).
National regulations of member states of the EU are subsidiary to European Law. For the matter of data protection of employees, however, Art. 88 GDPR provides an opening clause that allows the member states to implement their own “specific rules”. In a case recently decided by the ECJ, the decisive question was if specific national rules in place in Germany (Sec. 23 Hessian Data Protection Act, which has the same wording as Sec. 26 Federal Data Protection Act, therefore both provisions were concerned) are meeting the requirements of this opening clause and therefore can provide a valid legal basis for the processing of personal employee data.
When it comes to the “specific rules” the opening clause in Art. 88(1) GDPR refers to, the ECJ found that a national regulation must meet the specifications set out by Art. 88(2) GDPR in order to fall under this category. A corresponding provision needs to be different from the GDPR regulations and provide “specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights” to be a specific rule in this sense.
A national regulation that solely repeats the GDPR regulations cannot meet the criteria, especially if it lacks specific measures that Art. 88(2) GDPR demands. As a result, the German provisions do likely not qualify as “specific rules” that would allow their application through the opening clause of Art. 88(1) GDPR. This still has to be confirmed by the national court that brought the case to the ECJ.
In another case before the ECJ, the imposition of GDPR fines after data protection violations is under review. The ECJ is concerned with the question (1) whether a fine can be imposed on a company without identifying an individual whose misconduct caused the violation and, if so, (2) if a culpable activity of the company must be established or if an objective breach of duty is sufficient.
The litigation in this case is still ongoing (C-807/21). If the ECJ follows the position of the advocate general, the outcome is going to be that (1) GDPR fines can directly be imposed on companies without the identification of a responsible individual, but (2) the violation must be a result of at least negligence, so there is no “strict liability”.
Practical Point
- It has to be expected that Sec. 23 Hessian Data Protection Act and Sec. 26 Federal Data Protection Act can no longer provide a valid legal basis for the processing of personal employee data in the future. Employers could still apply Art. 6(1)(b) GDPR as a legal basis, but should update the information provided according to Art. 13, 14 GDPR and should assess what other (national) legal provisions could be used to justify the data processing.
- It is not unlikely that the ECJ is going to adopt the position of the advocate general regarding the imposition of GDPR fines. Imposing these fines would then become easier which increases the risk for the responsible employer. Compliance with Data Protection Law thus becomes even more important.