Legally introducing central data processing systems within international corporate groups requires paying particular attention to the timing in Germany, due to co-determination rights under works constitution law as well as the conclusion of a works agreement that is also practical for an IT center being operated abroad – often a complex but not impossible task.
In the course of increasing globalization, international corporate groups are not only steadily becoming larger but are usually becoming more complex in terms of administration as well. This not only involves matrix structures in corporate management, which extend across multiple countries and time zones, but also managers working in multinational jurisdictions. In order to ensure global uniformity, international corporations rely on the implementation of central HR, finance or project management systems for companies belonging to the corporate group, especially in light of efficiency and cost considerations. Due to its high data protection standards, Germany has become an important location for legal advice in this sector. If it works in Germany, it works nearly everywhere.
Establishing the legal basis for introducing these measures in many different companies is often a mammoth undertaking but does not necessarily have to end in lengthy and costly negotiations. The key to legally introducing central data systems smoothly lies in the link between IT law, data protection and employment law.
Co-determination Rights Versus Corporate Interests
The use of local employee data in global personnel systems is subject to many legal restrictions. This is largely because the transnational exchange of personal data within an international corporate group is equivalent to a data transfer to third parties due to the legal autonomy of the companies from a German perspective. This type of use is therefore generally prohibited or severely restricted. Data protection contracts and restrictions on use can remove a number of barriers, however, one daunting obstacle remains: the co- determination rights of the works council in Germany.
The works council plays a key role in corporate strategies, due to its mandatory co-determination right under Section 87 (1) no. 6 German Works Constitution Act (BetrVG) in the case of the introduction and application of technical facilities, which are capable of monitoring the conduct or performance of employees.
In principle, the competency of the works council ends at the German border. However, because such a clear border often cannot be drawn when implementing international data systems, companies must also rely on the cooperation of the works council. These types of systems represent a program for monitoring employees and therefore pose a risk, which can have adverse consequences under employment law – particularly where performance, project management and personnel systems of international corporate groups are equipped with comprehensive tools, which allow for the monitoring of the performance and conduct of German employees through automated data processing.
The Nightmare of Cloud-based Systems
Due to cloud-based storage options, it is often either difficult to answer the question of where the data will actually be stored or such options may difficult to understand – not only for the members of a works council. A number of unresolved legal issues also arise because cloud providers tend to work with numerous service and maintenance companies that have not signed any data protection contracts under German law or for which a current list of any engaged subcontractors often cannot be provided.
Although access rights to personal data are restricted to a manageable number of employees, in practice, the larger a corporate group is, the more national and international employees have granted access. This increases the risk of misuse. German works councils are also concerned about the differences in international data protection standards as well as why a parent company or subsidiary requires access to German employee data. This uncertainty has further increased due to recent data espionage cases and the public debate on the apparent non-existing level of data security.
Understanding the Group and the System
The successful legal introduction of such systems requires an understanding of the international corporate structure and an overcoming of the barriers in terms of technical terminology and national languages with a global foresight for data protection law. In Germany, suitable and system-compatible works agreements need to be developed, which take future changes and updates into consideration and offer long-term security for both parties. This requires uniting different interests arising from various areas of law.
Software needs to be understood by all parties involved, and interfaces, risks and problems need to be identified and analyzed. The supervision of the legal introduction by external legal advisers can provide mediation, if necessary, between the group management, German management and the works council. Often, US and Asian corporate groups, in particular, first need to be made aware of particularities existing in Germany with regards to co-determination and the distinctive German data protection regulations.
German managers and in-house counsel quickly and unintentionally fall into the role of the ‘showstopper’ because negotiations with the works council often take months. Such a delay – if it has not been calculated into the group-wide roll-out plans through relevant prior knowledge of the particularities in Germany – is not due to the reluctance of the parties to reach an agreement but results from legal constraints. External legal advisers, who are able to confirm from time to time that German co-determination law simply does not have any mechanisms for forcing a works council to schedule meetings, review documents or grant its final consent, can also be helpful in this respect.
Well-Prepared for Negotiations
The introduction of central IT systems can initially run into a wide range of problems. These are primarily not legal problems for the most part. Works councils have a right to receive comprehensive information. However, local managers on site in Germany, who want to introduce certain software on a certain date, are frequently confronted with questions to which they may not have received any answers from the corporate group.
Often, comprehensive PowerPoint presentations are available which have only been prepared in English and describe in impressive ‘sales speak’ how the system to be introduced will offer all parties new opportunities in personnel management. Even if one makes the effort to prepare a good German translation, the issues of importance for the works council – and for assessing the question of how compliance with German data protection law can be ensured – are usually not addressed. Works councils then confront the local contact persons with – justified – requests for information such as:
- Who will store the personal data of the employees?
- In which country will the data be stored?
- What measures have been taken by the group in order to ensure data privacy in insecure third countries?
- Will any subcontractors be involved?
- Which software modules will be used for the German employees?
- What categories of data will be collected and how will they be used?
- Who will have access to the data?
- What options for analyzing personal data does the software have?
- Who should receive which analyses and for what purpose will they be used?
- What additional assessments of the conduct and performance of the employees are possible with the software?
- Will the actions of IT administrators and operative users be logged?
- Is there an interface for importing and exporting the personal data of employees?
- How will the works council be involved in upcoming system changes?
- How can the works council monitor the compliance with the provisions of the works agreement?
- How long will the personal data of the employees be stored? Who will monitor the deletion?
- Who can a German employee contact if, for example, he would like to have any corrections made to his data?
- Will the system be available in German?
- Will training be offered in German?
The local individuals responsible for the introduction are well advised to already obtain the answers to the above questions before initially consulting the works council. All too often the local individuals responsible convey the feeling during negotiations that they are an uninformed person charged with executing remote central objectives, which they do not understand themselves. This is understandable for good reasons, but is not always conducive for negotiating works agreements.
In many cases it is helpful to have an IT manager from the corporate group’s headquarters who is jointly responsible for the global introduction of the system attend a meeting with the works council. It is usually recommended to offer the works council the advance opportunity to hire an interpreter, if necessary. Not every member of the works council has a sufficient knowledge of English to be able to understand the technical details of what is being explained or raise any questions that arise. A lack of understanding leads to an unsuccessful outcome of the discussions because the feeling of being uninformed remains.
Clarify in Advance: Are New Reporting Structures Planned?
In addition to the questions typically asked by the works council outlined above, two central issues should be clarified, if possible, prior to the first meeting with the works council:
- Should a different, extended use of employee data be introduced through the new system?
- Will there be any new or extended reporting structures?
Being well prepared for negotiations with the works council requires time. It is, however, essential to at least obtain the answers in principle to the anticipated questions of the works council before beginning the initial discussions. If the negotiation phase with the works council stalls, it is also possible that the works council may prematurely declare the negotiations a failure and consult the arbitration committee. Negotiating the introduction of a central data system before the arbitration committee is associated with further problems, also of a practical nature. Not every experienced arbitration committee chairperson is willing to take on the chairmanship when EDP topics are concerned. Finding a suitable chairperson can sometimes be difficult and lead to further delays. During negotiations before the arbitration committee at the latest, the works council will insist on the involvement of a lawyer. The costs for each meeting increase tremendously right away for the employer.
The Persons Responsible for the System Must Help Develop the Works Agreement
If a works agreement is negotiated, it is advisable to regularly consult the person responsible for the system within the group and assess the demands of the works council in terms of their practical feasibility. If concessions are made to the works council, it must be possible to fulfil them, otherwise one runs the risk that the works council will put a stop to the centralized data processing.
Caution in the Case of Demands for Involving the Works Council in System Changes
Works councils often demand very comprehensive rights in the case of changes to the data processing. Strictly speaking, changing a technical service provider with potential access to personal data can also be considered a “change to the data processing.” In practice, it is hardly possible to implement the approval rights of the works council demanded in this respect. It is therefore always necessary to assess the limits of the works council’s co-determination rights.
If information rights are demanded, these do not prevent the operation of the system with German personal data. However, the person responsible for the system must be aware of these rights. This often turns out to be difficult in practice. In this respect, it is helpful if the IT managers also sat at the negotiating table during the preparation of the works agreement or were involved through regular telephone conferences.
The legal introduction of central data systems is a complex topic, which is, however, not unsolvable for committees consisting of competent individuals at the intersections of the law in cooperation with informed HR managers and experienced IT employees.