The works council comes into contact with sensitive data of the employees. Therefore, it is crucial for the works council to also comply with data protection requirements. The controlling and monitoring responsibility lies with the employer who must ensure that the works council knows and complies with all data protection requirements. The employer is liable for any violation of data protection regulations by the works council.
The basis of any control and monitoring obligation on the part of the employer is to make the works council aware of the requirements for handling personal data in compliance with data protection regulations. These requirements could be presented in the form of guidelines. Binding requirements from the employer to the works council can also be part of a (general) works agreement.
Is the works council the controller pursuant to GDPR?
It has been disputed for some time whether the works council, within the scope of its activities, qualifies as the controller for the data processing or whether it is considered part of the primarily responsible employer. This question has since been clarified. Pursuant to Art. 79a sentence 2 BetrVG (German Works Constitution Act), the employer qualifies as the controller for the processing of personal data to the extent the works council processes data in the performance of its tasks.
Therefore, the employer is liable for any violation of data protection regulations by the works council, with the exception of cases in which the works council acts outside the scope of its duties under the employment contract or a collective bargaining agreement (“Mitarbeiterexzess” or “Kollektivexzess”).
Overview of a guideline’s possible content
In internal guidelines, the employer can inform the works council about the general principles and requirements of data protection provisions and establish specific rules of conduct in everyday work. The guideline should include, among others, the following points:
- Requirements for the admissibility of data processing by the works council – overview of the General Data Protection Regulation’s (GDPR) principles:
  - Data minimization principle
  - Storage limitation
  - Purpose limitation
  - Need-to-know principle
- Responsibility of the data protection officer (also) for the works council:
  - Consulting services for the works council
  - Data protection officer’s access rights to all personal data and processing operations
  - Obligation to report data breaches to the employer
- Overview of data protection-compliant handling of data in everyday work, in particular the provision of technical and organizational measures in the form of a data protection concept, including:
  - Correct use of IT infrastructure: passwords, sending documents by e-mail, etc.
  - Filing of paper files and other documents
  - Third-party access to personal data (e.g., exchanges among employees, relatives, etc.)
  - Disposal of paper files and other documents
  - Special protective measures for sensitive data
- Providing information to the employer for the preparation of data protection impact assessments and for the completion of the register of processing activities that the controller is obliged to maintain under the General Data Protection Regulation and the German Federal Data Protection Act
- Regulations regarding the works council’s equipment and regular training courses
The overview shows that the works council must observe a large number of data protection requirements in the course of its activities. The works council does not have a general right of co-determination on data protection issues that goes beyond the participation rights pursuant to Art. 80 BetrVG.