Data protection
i Requirements for registration
Under the Federal Data Protection Act, the employer is permitted to collect and process an employee's personal data if he or she has given consent, or if a statutory provision or other legal provision (in particular, a works agreement) allows for such data processing. It is generally permissible to process data to the extent that it is necessary for the purposes of the employment relationship. Beyond that, data processing is only permissible to a very limited extent, accompanied by a careful weighing of the legitimate interests of the employer and the employee.
ii Cross-border data transfers
Transfers of personal data to countries inside the EU and EEA are allowed under the same conditions as data transfers within Germany. They are not subject to the approval of the supervisory authorities.
Data transfers to countries outside the EU and EEA (third countries) are permitted only if the recipient of the data can ensure an adequate level of protection of the data.
The European Commission has determined with regard to a number of countries that they have an adequate level of protection. In other countries, an adequate level of protection can be ensured by individual agreements with the data recipient or permits issued by supervisory authorities. Data transfers to the United States have been particularly problematic. After the Court of Justice of the European Union declared the Safe Harbour Decision of the European Commission invalid on 6 October 2015 (Case No. C-362/14, Schrems), data transfers to the United States were only permissible on the basis of standard contractual clauses or individual permits. On 12 July 2016, the European Commission adopted the EU–US Privacy Shield, which now governs data transfers to the United States.
iii Sensitive data
Information on a person's racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life is considered to be sensitive data. Sensitive data may only be processed by the employer in rare cases where this is explicitly permitted or required by statutory provisions (e.g., notification duties toward the statutory healthcare fund, accident insurance and pension insurance).
iv Background checks
Background checks by the employer are allowed but must be limited to issues that are significant for the specific position. With regard to checks of criminal records, only prior convictions that relate to the work of the employee or applicant may be requested. When performing background checks, the employer may not access information from social networks such as Facebook. On the other hand, the employer may evaluate information on the employee or applicant from professional networks such as Xing or LinkedIn.