Is there a power-sharing rights regarding data protection matters for the works council?
In a recent decision, the Labour Court of Hesse (LAG) has clarified the responsibilities regarding data protection in the workplace, emphasising the employer's sole responsibility as the data protection responsible party.
The case in question concerned the introduction of a new IT system for managing employee master data, hosted on servers in the USA. The works council invoked their co-determination right according to § 87 (1) No. 6 of the Works Constitution Act (BetrVG), arguing that it applies to data protection regulations. However, the court ruled that the works council's interpretation went too far.
Article 87 (1) (1) of the Works Constitution Act does not grant the works council a comprehensive co-determination right in enforcing data protection. The norm only concerns the orderly conduct of employees and not the employer's obligation to comply with data protection regulations.
The works council's co-determination right in this context is limited to its general monitoring task (according to § 80 (2) BetrVG) and its right to information (according to § 80 (2) BetrVG). The works council cannot enforce binding data protection regulations.
The responsibility for data protection lies solely with the employer as the data protection responsible party (according to Art. 4 No. 7 GDPR). The General Data Protection Regulation (GDPR) already provides a comprehensive legal framework that obliges the employer to comply with data protection regulations, such as the information obligation according to Art. 13 GDPR.
Interestingly, the works council also referred to their co-determination right according to § 88 (1) No. 1 BetrVG, claiming it has independent data protection significance. However, the court does not consider the works council's co-determination right to pertain to the guarantee of the personality rights of employees in the workplace or to ensure comprehensive compliance with all legal data protection regulations.
It's worth noting that the Works Constitution Act grants the works council the right to co-determine the introduction and application of technical equipment intended to monitor the behavior or performance of employees, only when there is no conflicting legal or collective agreement regulation (according to § 87 (1) No. 6 BetrVG).
Article 88 GDPR in conjunction with § 26 (4) BDSG allows the employer and the works council to agree on specific provisions for ensuring the protection of rights and freedoms regarding the processing of personal employee data in the employment context through a works agreement. However, this does not mean that the works council can enforce such a regulation.
Such an agreement can only be concluded on a voluntary basis by both parties jointly. The decision emphasises the sole responsibility of the employer and strengthens its position vis-à-vis the works council.
The works council expressed concerns about the transfer of personal data to the USA due to insufficient technical baseline requirements, ineffective separation of permissions, and lack of a sufficient legal basis. Despite these concerns, the court's ruling underscores the employer's responsibility to ensure compliance with data protection regulations.
In summary, the Labour Court of Hesse's ruling clarifies that the works council does not have comprehensive co-determination rights in enforcing data protection, and the responsibility for data protection lies solely with the employer. Employers must ensure compliance with data protection regulations to protect the rights and freedoms of their employees.
Read also:
- Understanding Hemorrhagic Gastroenteritis: Key Facts
- Trump's Policies: Tariffs, AI, Surveillance, and Possible Martial Law
- Expanded Community Health Involvement by CK Birla Hospitals, Jaipur, Maintained Through Consistent Outreach Programs Across Rajasthan
- Abdominal Fat Accumulation: Causes and Strategies for Reduction
