Introduction
Direct applicability of anti-terrorism regulations
Consequences of breaches
Data screening duty
Data synchronisation and data privacy law
No need for employee consent
Co-determination rights of Works Council
Comment
Introduction
EU Anti-Terrorism Regulations 2580/2001/EC and 881/2002/EC comprehensively prohibit business contact with individuals and organisations which are suspected of terrorist activities. They are directed not only at exporting undertakings, but at all undertakings that are active in the European Union. They prohibit the provision of financial means to individuals and organisations which fall within the scope of the anti-terrorism regulations. In the event of violations, undertakings and the individuals responsible face substantial consequences, including criminal proceedings. This update considers co-determination and data privacy protection law issues associated with the data screening that employers must carry out in order to fulfil their obligations under the anti-terrorism regulations.
Direct applicability of anti-terrorism regulations
Pursuant to Article 288(2) of the Treaty on the Functioning of the European Union, the anti-terrorism regulations are directly and mandatorily applicable in all EU member states in respect of all natural and legal persons, groups or entities. They prohibit the payment of money to individuals and organisations listed in its annexes. As a result, employers may not pay salaries to listed employees. This applies not only to basic salary, but also to variable elements of remuneration (eg, bonuses, special payments and stock options) and other non-cash benefits (eg, company cars).
Consequences of breaches
In Germany, the consequences of breaching the anti-terrorism regulations arise primarily under the Foreign Trade Act. Under the act, even in cases of negligent conduct, perpetrators face terms of imprisonment of up to three years for negligence and five years for intent. In addition, fines of up to €1 million can be imposed for violation of supervisory measures.
Data-screening duty
Against this background, the so-called 'provision bans' applicable under the anti-terrorism regulations correspond to a duty of the employer to subject its staff and any applicants to regular checks to determine whether its employees and prospective employees are on the EU 'terror list'.
Significance for authorised economic operators
Verification that the obligations under the anti-terrorism regulations have been observed is particularly relevant for undertakings which wish to apply for authorised economic operator status, which confers certain customs law benefits in trade. The award of the relevant certificate is linked to compliance with 'appropriate safety standards', including the obligation of the undertaking to scrutinise its employees regularly on the basis of the EU terror list.
Frequency of data screening
With regard to the frequency of data screening, individuals will be able to align themselves with the provisions of the Federal Ministry of Finance's "Admissible Traders: AEOs" regulation, under which AEO status may be retained, provided that the review takes place at least once a year. In security-relevant areas and in situations of increased risk, more frequent checks are necessary, taking into account the size, type and structure of the undertaking. To the extent that screening is carried out automatically through the use of software, continuous synchronisation is possible.
Data synchronisation and data privacy law
Data screening is permitted under the Federal Data Protection Act. Thus, it is irrelevant whether, as a permissive rule, parties resort to Section 32(1), Section 28(1) of the act (which is not suppressed through Section 32(1) of the act) or directly through Section 4(1) in conjunction with Regulations 2580/2001/EC and 881/2002/EC.
The reasoning is that since synchronisation of data pursuant to the anti-terrorism regulations is necessary in order to place an employee on the payroll, it is likely to be required for the implementation of the employment relationship as defined in Section 32(1) of the act. However, even if one refuses to accept this, Section 28(1)(2) of the act is relevant. Given that employers which fail to carry out data synchronisation may be punished, there is a legitimate interest in carrying out data screening. Protectable interests of the employee are not given in view of the clear requirements of the anti-terrorism regulations. In any event, they are likely to be superseded by the anti-terrorism regulations. Numerous factors suggest that the anti-terrorism regulations must already be deemed a regulation constituting admissibility as defined in Section 4(1) of the Data Protection Act.
There would be no change to the admissibility of data synchronisation if the draft law on the regulation of the employee's data protection rules were to come into force. According to the draft law, employee data may be collected if this is necessary to carry out or end the employment relationship. In such cases, although gaining AEO status does not relate to the purpose of the employment relationship, the obligation of the employer to undertake data screening must be observed. Pursuant to Section 32(c) and 32(d)(1) of the act, use is admissible, in particular, if knowledge is necessary for the employer to comply with its existing duties to furnish information and meet disclosure requirements. These provisions are also likely to include within their scope the obligation to comply with the anti-terrorism regulations.
Owing to the fact that employee data may be collected only with the employee's knowledge pursuant to Section 3(e) of the draft law, and that the employer may only then process and use such data for the purposes for which it was collected, employees must be given prior information about the new use of their data for synchronisation with the anti-terrorism regulations. The exception, according to which information can be omitted in the event of suspicion or for the purpose of clarifying a criminal offence at the establishment, does not apply; because no criminal offences were perpetrated at the company in question.
No need for employee consent
Since the permissive rule under the Data Protection Act already applies, consent on the part of the employer pursuant to Section 4(a) of the act is unnecessary. This would also suggest that the option of refusing consent would call into question the implementation of the anti-terrorism regulations, although EU member states are obliged effectively to implement EU law.
Co-determination rights of Works Council
Data synchronisation is not subject to co-determination.
Pursuant to Section 87(1)(1) of the Works Constitution Act, although the works council can exercise co-determination rights with regard to regulations on the issues of orderliness and conduct of employees at the establishment, when mere status data (ie, name and date and place of birth) is being scrutinised, the employee's conduct and orderliness at the establishment are not affected. Even if inferences of terrorist activity were possible as a result, this would not relate to the conduct of the employee at the establishment.
Neither does the co-determination right of the works council arise under Section 87(1)4 of the Works Constitution Act. Pursuant to this act, the works council has a right of co-determination in terms of time, place and disbursement of remuneration. Even if remuneration may not be paid where an employee's name matches a name on the terror list, this is only an indirect link. Moreover, Section 87(1)(4) of the act on its own constitutes a co-determination right concerning the circumstances of the payment which is not affected by the synchronisation of data and the decision regarding whether payment was made.
Finally, works council co-determination rights flow from Section 87(1)(6) of the act. According to the act, although the introduction and application of technical facilities is intended to monitor the conduct or performance of the employees, status data reflects the personal characteristics of the employee and does not affect the employee's conduct or performance. However, it must be noted that such data will then become the subject of co-determination rights if it is linked through employee development programmes in such a way that it can permit inferences about the performance or conduct of the employee. Furthermore, depending on the type of software used for data synchronisation, co-determination rights of the works council can arise in the course of introducing and implementing such technical equipment.
Comment
The anti-terrorism regulations prevent an employer from paying wages or salaries to employees who are listed in the annexes. They establish the duty of the employer to carry out regular checks as to whether its employees or potential employees are on the terror list. Pursuant to administrative practice, such synchronisation must also take place for the purpose of gaining AEO status. Data privacy protection regulations do not present an obstacle to this. Also, the federal government's draft law allows such data screening for the purpose of regulating employee data protection. Works councils have no co-determination rights in this regard, and data synchronisation does not require the consent of the employees affected.
For further information on this topic please contact Björn Otto, Andrea Bonanni, Bjoern Gaul or Bernd Roock at CMS Hasche Sigle by telephone (+49 221 7716 195), fax (+49 221 7716 252) or email ([email protected], [email protected], [email protected] or [email protected]).