Employer care vs. data protection - when well-intentioned is not good enough.


The first of May is a public holiday in Germany, among other countries, and is known as Labour Day. To this day, the "Day of the Labour Movement" emphasizes the commitment to family-friendly working hours, fair pay, but also a healthy working environment and the care of the employer. But sometimes, however, the employer is too caring, at least according to the Thuringian State Commissioner for Data Protection and Freedom of Information (Thüringer Landesbeauftragten für den Datenschutz und die Informationsfreiheit - TLfDI), if there is "only" a collective agreement as a basis for data processing.

The labor market is tight; there is a shortage of skilled workers in every area. Employers are trying to attract the skilled workers that are available with benefits. But existing employees should also receive such benefits.

So why not take out supplementary company health insurance for all employees as part of company health management? The employees pay nothing extra, receive better care in the healthcare system and can also be reinstated more quickly. Win-Win for all parties, right?

Not exactly, according to the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) as stated in its 3rd activity report on data protection from 2020.

The supervisory authority for the federal state of Thuringia is of the opinion that if an employer intends to offer supplementary company health insurance to its employees as part of company health management, it should obtain the employees' consent to this data transfer before forwarding the employees' personal data to a private health insurance company. The fact that the employer had previously concluded a works agreement with the works council on the offer of such supplementary insurance does not change this.

Art. 88 para. 1 GDPR expressly provides thata collective agreements itself may also constitute lawful processing in the employment context, provided that the member state makes use of this opening clause. It may provide for the processing of employees' personal data in the employment context, in particular for the purposes of the health. The German legislator has also made use of this in Section 26 para. 4 of the Federal Data Protection Act, which states in subpara. 1 that the processing of personal data, including special categories of personal data of employees for the purposes of the employment relationship, is permitted on the basis of collective agreements and in subpara. 2 that the negotiating partners (i.e. employer and works council) must comply with Article 88 para. 2 GDPR.

The TlfDL is of the opinion that the negotiating partners are not exempt from the strict requirements of the GDPR, but that they themselves must take all measures to comply with the data protection level of the GDPR in accordance with Art. 88 para. 2 GDPR. The transfer of data to the insurance company must also be based on an independent lawful basis.

The fact that this view is not entirely controversial and that the regulation can also be interpreted differently is shown by the request for a preliminary ruling from the German Federal Labor Court (Bundesarbeitsgerich) of 22.09.2022, 8 AZR 209/21 (A) to the ECJ, there under the case C-65/23. The ECJ may decide this year on the question of interpretation as to whether the processing of personal data of employees for the purposes of the employment relationship on the basis of collective agreements must always comply with the other requirements of the GDPR - such as Art. 5, 6 para. 1 GDPR. This is because the provision can also be understood to mean that, apart from the requirements in Art. 88 para. 2 GDPR, no other requirements of the GDPR must be observed. In such a case, data processing in the employment relationship, which would actually be unlawful because it does not comply with the requirements of necessity of Section 26 para. 1 BDSG, Art. 5, 6 para, 1 GDPR and for which there is also no consent of the data subject, could be permissible or justified solely due to the fact that it is regulated in a collective agreement.

As long as there is still no legal clarity in the absence of a ruling by the ECJ, employers can only be advised, in a nutshell, to only do something good for employees if they have given their prior consent. True to the motto: "Better to ask for permission than to ask for forgiveness."


Article provided by INPLP members: Juri Knaub and Jens Eckhardt (Derra, Meyer & Partner, Germany)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.