DAC Beachcroft in collaboration with Luther Rechtsanwaltsgesellschaft – Frankfurt am Main, Germany

What does this cover?

The German Federal Labour Court held that employees may consent to the processing of their data in a valid manner within the framework of their employment relationship. German data protection authorities, as well as many experts, have been of the opinion so far, that it is not possible for employees to consent to the processing of their data in a legally effective manner due to the arguably involuntary nature of the consent.

The Federal Labour Court made it clear, that neither the fact of a dependent employment nor the right of the employer to issue instructions would prevent consent being given voluntarily. An employer that discriminates against an employee only because of his refusal to give his consent would seriously violate the obligations of an employer which could lead to claims for damages on the part of the employee. The judgment was related to consent being granted under the German Act on Copyright for Works of Art (Kunsturhebergesetz) for which different requirements concerning the form of the consent and possibilities to revoke it apply.

However, the judgment expressly also creates legal certainty in order to legitimise the processing of employee data also outside the scope of the expressly provided legal basis within the Federal Data Protection Act (Bun-desdatenschutzgesetz (BDSG)). The legal basis in Section 32 BDSG is limited to narrowly defined cases, in particular to processing for hiring decisions or, after hiring, for carrying out or terminating the employment relationship. Furthermore, employees’ personal data may be collected, processed or used under this Section 32 BDSG to detect or investigate crimes. There is dispute about the question, to what extent the employer may justify the processing of data above and beyond the scope defined in Section 32 BDSG based on a balancing of interests.

Consents are frequently used as a legal basis for data processing, e.g. to legitimate and adequate control measures when allowing the use of professional e-mail and Internet systems also for private purposes.

What action could be taken to manage risks that may arise from this development?

The judgment creates legal certainty for companies using declarations of consent for processing employee data.

Companies should verify:

  1. whether declarations of consent may be used as a legal basis for the processing of their employee data also in other cases; and  
  2. whether the declarations of consent used to date comply with the applicable statutory requirements with regard to transparency, form and revocability. 'General consents' that are not sufficiently defined, are and remain, invalid.

Additional requirements need to be observed when consent shall be used to legitimize third country data transfers based on the common position of the German data protection authorities on the Safe Harbor European Court of justice judgment.

Submitted by Dr Stefanie Hellmich, Counsel in the IP/IT law department at Luther Rechtsanwaltsgesellschaft – Frankfurt am Main, Germany