Is the works council an independent data processing body within the meaning of the General Data Protection Regulation (GDPR)? So far, this question was answered with a simple “no”.
The wording of the old version of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) excluded committees (such as the works council) from this. The BAG had therefore consistently qualified the works council as part of the responsible body “employer”. However, an independent responsibility of the works council has so far been denied.
Scope of the works council’s right to information
In the case recently decided by the BAG, the judges held that the disclosure of pregnancy data is a processing of personal data within the scope of the GDPR and is only permissible if the works council has a claim to the information. Therefore, the works council must specify the concrete monitoring task on which its claim is based. A general reference to its right of monitoring is not sufficient.
The works council as independent responsible body within the meaning of the GDPR
In addition, however, the BAG did not answer the question if the works council must be qualified as an independent responsible body within the scope of the GDPR and the BDSG. The court’s remarks, however, suggest such an interpretation of the DSGVO.
In the event of such an interpretation, works councils had to manage the application of the GDPR themselves with regard to the data they process. The works council is responsible for ensuring specific and appropriate data protection for the employee data forwarded to it in its area of responsibility. Works councils are subject to all obligations of the GDPR and may therefore also be the addressees of a fine notice. Larger works council (10 or more members or more) must even appoint a separate data protection officer.
Even if the employer was proved right in the case decided by the BAG, the classification of the works council as an independent body also would have a negative (and financial) impact on employers:
The cost and material expenses arising out of the activities of the works council – including the obligations of the works council as an independent responsible body according to the GDPR – shall in principle be defrayed by the employer, see sec. 40 Works Constitution Act (Betriebsverfassungsgesetz – BetrVG). Furthermore, the employer is not able to control and influence the concrete data processing within the works council.
In order to avoid such undesirable cost consequences, a works agreement on employee data protection should therefore be concluded. Within the framework of such works agreement, the works council can be obliged to share existing data protection structures. In addition, the employer can independently counteract a data protection violation by the works council.
Katharina Mitterer, LL.M.
Lawyer / partner