In Brussels, the EU Commission, the Council and the Parliament are currently negotiating the final version of the General Data Protection Regulation (GDPR) in what is known as the trilogue discussions. Whilst there are still considerable differences between the three drafts in play one thing is sure: together with the individual fines, reputational implications for violations of data protection law will increase substantially.
The GDPR will replace the rather outdated European Data Protection Directive 95/46/EC that has been implemented into German law by the Federal Data Protection Act (Bundesdatenschutzgesetz). After a Commission draft in 2012 and a parliamentary draft in March 2014 the Council only recently issued an alternative draft GDPR. The further trilogue roadmap aims at concluding negotiations on a final version of the GDPR by the end of this year.
Data protection issues frequently arise in the employment context as employers collect and process personal data, including sensitive data, of their employees on a regular basis. Besides standard processing operations in HR management services, there are many data protection sensitive activities like monitoring and performance evaluation of employees as well as private use of company internet and e-mail services which require careful legal assessment. In these areas, in Germany, as well as in many other EU member states (eg France and Spain) the works council plays a key role and needs to be timely involved as the introduction of such schemes may require works council’s approval (=co-determination right). Further, where data is transferred abroad, even if within a group of companies, such transfers need to be justified under data protection law and require additional safeguards where data is transferred to countries outside the EU/EEA that do not provide for an adequate level of data protection (eg the US).
One key aspect of the GDPR is that data processors (eg service providers) will now be directly subject to the new regulation. In contrast to an EU Directive, the proposed Regulation also takes direct effect and aims at implementing a harmonized one-stop-shop approach. The proposed sanctions for data breaches can reach up to the higher of 2-5% of annual worldwide turnover or EUR 100 million (Art. 79 GDPR) and a breach notification to the respective national data protection authority is mandatory. In general, the GDPR provides for a higher level of data protection and introduces new concepts like the right to be forgotten (as previously recognized by the ECJ in the Google Spain case) and the right to data portability. It will be interesting to see how the latter and the newly introduced rights of access translate into the employment context and how the aspect of data processing for the purpose of fulfilling the employment contract (Art. 6 (1) (b)) as a limitation to data processing will be interpreted by national courts and the ECJ. Additionally, the Commission’s and the Parliament’s draft also provide for an obligatory data protection officer (DPO) who enjoys certain job security and can only be dismissed if he/she no longer fulfils the requirements for the performance of her duties.
While the goal of the institutions to have concluded the trilogue discussions by the end of the year may seem ambitious, we recommend reflecting about the new requirements in due course to stay ahead of the game. In this regard, employers should undertake a risk assessment, eg by identifying existing data flows and their legal basis, assessing the works council agreements and by ensuring that future-proof security measures are in place. Such audits should be carried out on a regular basis to ensure continuing compliance. If employee data is hosted outside the EU or “in the cloud”, in particular in the US, it is important to make sure that there is an adequate legal basis for authorizing the offshore transfer. Needless to say that this assessment also needs to include the (yet to come) consequences of the recent ground-breaking decision of the ECJ in which it declared the US Safe Harbor scheme to be invalid. This framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US (see our DLA Piper Privacy Matters blog and our Be Aware UK blog for more information).
In this general context it seems fair to say that employee data protection is in fact an increasingly complex matter that deserves close attention.