Quick Hits
- Two German federal ministries have drafted legislation that would provide more legal certainty for employers regarding how to handle employee data.
- The legislature also wants to allow the use of AI applications, but within certain limits.
- The draft legislation would provide a detailed regulation on the basics of employee data processing.
The aim of the legislation is to provide more legal certainty for employers. They inevitably collect and process large amounts of (sometimes sensitive) data on the people they employ. The new regulation is intended to create legal certainty for typical processing situations. At the same time, the legislature also wants to allow the use of artificial intelligence (AI) applications within certain limits.
In general, the criticized Section 26 of the Federal Data Protection Act (BDSG), which was conceived as an authorization basis for any data processing in the employment context, would be replaced by a detailed regulation on the basics of data processing and its necessity in Section 3 BeschDG-E et seq. The highly controversial issue of consent to data processing in the employment context is also addressed in Section 5 BeschDG-E, stating when and for what purposes consent can be given in the employment context. Another key new regulation for employers would be the creation of a codetermination requirement for the appointment and dismissal of (internal and external) data protection officers in accordance with Section 12 BeschDG-E. In the future, if the legislation is approved as drafted, the works council will have a say in this—if no agreement is reached, a conciliation body will decide.
The following provides highlights of some of the regulations planned in the special part of the draft bill.
Right to Question During Recruitment and Obligation to Delete Applicant Data
The right to question during the application process will be set out in a more specific regulation in Section 14 BeschDG-E. Where necessary to determine suitability, the bill would permit employers to collect and process employee data from various areas. What is new here is that employers would be prohibited from requesting information about a severe disability before an employment relationship is established. The draft legislation also would prohibit deriving such information from profiling.
The deletion obligations for applicant data would also be clearly regulated. According to Section 17 BeschDG-E, employers would have to delete this data no later than three months after the end of the application process, provided that no legal dispute is pending or likely. A provision is also to be introduced according to which the data of applicants who withdraw their candidacy must be deleted immediately.
Monitoring
The draft bill distinguishes between short-term monitoring measures (Section 18 BeschDG-E) and “not only short-term monitoring measures” in accordance with Section 19 BeschDG-E. Short-term surveillance measures would be permitted if necessary to protect the health and safety of employees or to prevent and detect criminal offenses. Parameters are defined as to how the specific surveillance measure can be designed in terms of type and scope as well as the expected consequences. Occasion-related measures to uncover criminal offenses would have to be weighed against the strength of the suspicion, the severity of the identified or suspected violation of legal interests, and the extent of the damage incurred.
In the case of “monitoring measures that are not merely short-term” (Section 19 BeschDG-E), the draft bill stipulates that such measures should be permissible for a specific purpose to protect the life and limb of employees or third parties. The protection of particularly important official or operational interests should also be able to justify a longer-term measure. Processing the collected data for performance monitoring purposes would be explicitly excluded.
GPS Tracking
Section 22 BeschDG-E will now also set out the requirements for tracking. Among other things, tracking should be permitted by law for the purpose of coordinating the changing deployment of employees at different locations. The draft bill would allow the tracking function to be switched off, for example, if the tracking device is installed in a company car that is also available to employees for private use.
Profiling / AI
The processing of employee data based on profiling is now to be dealt with in Section 24 et seq. BeschDG-E. Under that section, the use of profiling should relate in particular to the use of company systems for further training and development opportunities. The draft bill would require employers to carry out a balancing of interests, which would require taking into account a catalog of legally prescribed aspects. The draft bill would require employers to exclude the analysis or prediction of employees’ emotions and the analysis of social relationships between employees from communication processes.
Employers that use profiling would have to comply with special information obligations under Section 25 BeschDG-E. In particular, they must provide information about the categories of input data and whether AI systems are used. Employers would also be required to make transparent the logic behind the profiling, the central evaluation criteria, and their weighting, as well as the decision-making processes that may be influenced by profiling.
Authorization / Authentication
Section 28 BeschDG-E would regulate the processing of biometric employee data. This would only be permitted for authorization and authentication in particularly security-relevant areas.
Data Processing Within the Group
Disclosure/forwarding of employee data in group structures would also be newly regulated (Section 30 BeschDG-E). For this purpose, the draft legislation proposes creating a framework in which disclosure/forwarding would be permitted after weighing up interests, in particular for the cross-company deployment of employees, for administrative tasks performed centrally by a group company (such as a joint HR department) or administrative processes to be designed uniformly throughout the group.
Key Takeaways
The draft bill that has now been published was hardly expected at this stage. Even though the legislative process is still at a very early stage, implementation is likely to be as swift as possible. The planned law appears suitable for ensuring greater clarity and legal certainty for all employers in Germany. Given that employers alone bear the user risk, the current, rudimentary regulations on employee data protection are suitable only to a limited extent and create unnecessary and avoidable risks. The draft law can ensure greater user certainty, which is urgently needed, particularly when using AI systems, but also in the extremely important area of monitoring.
Ogletree Deakins’ Berlin and Munich offices and Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.