In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection. The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009. The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.
In the original coalition agreement, the parties agreed that there should be a separate chapter on employee data protection to complement the Federal Data Protection Act. According to the Ministry, drafting of the law for this new chapter is now in its final phases. After consultation with other federal ministries, the bill will be submitted to the German Parliament before its summer break.
The draft law is based primarily on case law from labor courts. It aims to ensure legal certainty and to close existing gaps in the current law, goals which the key issues paper indicates are guided by the principles of transparency and necessity. With this in mind, the key issues paper covers the following topics in a general manner:
- Data collection in the recruitment process. Employers may request only essential personal data from applicants.
- Health checks. Medical assessments are permitted only with consent and only if they are necessary to determine whether an employee can perform a specific activity.
- Corruption/enforcement of compliance requirements. Generally, employers should be allowed to use existing employee data in a proportionate manner, as necessary for compliance purposes. Only in specific cases of concrete suspicion should employers be allowed to collect additional data on employees.
- Video surveillance. Video surveillance is permitted where it is necessary and proportionate to protect important business interests. Secret surveillance is allowed only pursuant to concrete suspicion.
- Tracking. Monitoring should be allowed only during working hours or when the employee is on call, to ensure employee safety or for coordination purposes.
- Biometrics. Biometric data may be collected and used only to the extent necessary for operational reasons, as required for authorization and authentication purposes.
- Use of telephone, Internet and email. Reviewing employee communications may be permitted for certain purposes (e.g., billing, fraud prevention), subject to protected employee interests.
- Collective bargaining agreements. As is already the case, works council agreements or collective bargaining agreements may include separate rules relating to data collection and use in the employee relationship.
- Participation rights of interest groups (e.g., works councils). Existing participation rights with respect to proceedings concerning conduct and performance monitoring should be maintained.
- Consent. The lawfulness of an employee’s consent to the collection, processing or use of his or her personal data should be limited to certain explicitly regulated cases.
- Termination of the employment relationship. Employee data also may be processed and used to the extent that the information is necessary to finalize the employment relationship, after which the data must be deleted.