Last review date: 17 December 2024
Yes.
The German Federal Data Protection Act provides for legal bases for the processing of personal data based on Art. 88 para. 1 GDPR.
Even though there is no express provision in the German Federal Data Protection Act that an employer can also rely on the legal bases provided by the GDPR to justify processing of employee data, it is the prevailing view that the legal bases of the GDPR are not pre-empted.
The German Federal Data Protection Act provides for the following legal bases for the processing of employees' personal data:
Employees' sensitive personal data may be processed under the German Federal Data Protection Act:
In March 2023, the Court of Justice of the European Union ruled that national legislation concerning the processing of personal data of employees in the employment context must remain inapplicable if it does not comply with the conditions and limits set out in Art. 88 para. 1 and 2 GDPR (C-34/21). The subject of the judgment is Section 23 of the Hessian Data Protection and Freedom of Information Act, which has almost identical wording to Sec. 26 para. 1 sentence 1 Federal Data Protection Act. The Court of Justice of the European Union stated that Sec. 23 para. 1 Hessian Data Protection and Freedom of Information Act merely appears to repeat the requirements for the processing of personal data under Art. 6 para. 1 lit. b GDPR without adding a more specific provision within the meaning of Article 88 para. 1 GDPR. Because of the almost identical wording, the decision will likely have an impact on Sec. 26 para. 1 sentence 1 Federal Data Protection Act. The Court has also posed questions regarding Sec. 26 IV BDSG.
Last review date: 17 December 2024
Yes, but this consent is typically more difficult to establish in an employment context.
Pursuant to recital 43 GDPR, "consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller," which could be the case in the employment relationship.
Sec. 26 para. 2 of the German Federal Data Protection Act stipulates that if personal data of employees are processed on the basis of consent, then the employee's level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. Pursuant to Sec. 26 para. 2 German Federal Data Protection Act, consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. As an example, the German legislator mentions the permission to use company IT systems for private purposes. Consent must be given in written or electronic form, unless a different form is appropriate because of special circumstances.
Please refer to the EU Chapter for detailed information regarding EU-wide legislation.
No
No guidance on this specific issue has been produced by the data protection authorities. However, the Data Protection Authority of Baden-Württemberg published a discussion paper on legal bases regarding the use of artificial intelligence (version 2.0 on 17 October 2024, available in German only at https://www.baden-wuerttemberg.datenschutz.de/rechtsgrundlagen-datenschutz-ki/#rechtsgrundlagen_im_datenschutz_beim_einsatz_von_kuenstlicher_intelligenz), including a section on employee data protection.
See the separate section on artificial intelligence, automated decision making and profiling for general guidance.