Article 88 GDPR

From GDPRhub
Article 88 - Processing in the context of employment
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text[edit | edit source]


Article 88 - Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recital[edit | edit source]

Recital 155: Processing of Employees' Personal Data
Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

Commentary[edit | edit source]

Article 88 GDPR offers Member States the possibility to regulate the processing of data in the context of employment beyond the general framework of the GDPR. Article 88 GDPR lists possible matters to be regulated (Article 88(1) GDPR), sets certain requirements regarding the standards enshrined in the GDPR (Article 88(2) GDPR) and imposes an obligation on Member States to notify the Commission of the provisions of national law regulating the processing of employees' data (Article 88(3) GDPR).

(1) List of Matters[edit | edit source]

Article 88(1) GDPR lists the matters that Member States may regulate in the context of the processing of employees' personal data. This list includes processing of individuals’ personal data for the purposes of recruitment, performance of employment contracts, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment of social benefits in the course of employment or after the termination of the employment relationship. This list is not exhaustive, and Member States therefore have the freedom to regulate additional matters. As noted under the section 'Notification to the Commission' below, several Member States have already regulated matters that were not expressly listed in Article 88 GDPR, such as video surveillance in the workplace.

(2) GDPR Equivalent[edit | edit source]

Article 88(2) GDPR obliges Member States, when they regulate matters related to employment data, to include in their provisions suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems in the work place. Article 88 GDPR therefore allows Member States to adopt national laws (or equivalent instruments) on the processing of employment data as long as they are in line with the GDPR. Although this is already a consequence deriving from the primacy of EU law over national law, the GDPR affirms a clear mandate that seeks to ensure the protection of employee data. Hence, the GDPR requirements represent a minimum standard for Member States, which do not preclude Member States from including stricter safeguards.

Meaning of Employment or Employees[edit | edit source]

The terms “employment” or “employee” are not defined in the GDPR. Although there is therefore no clear definition of what both terms include, the WP29 issued an Opinion according to which there must be a certain degree of dependence between the employer and employee,[1] which appears to exclude self-employed workers.[2] Since Article 88(1) GDPR specifically refers to the processing of personal data which may take place at the stage of recruitment or after an employment relationship has been terminated, it can be inferred that job applicants as well as ex-employees can also be protected by specific rules at the national level with respect to the processing of their personal data by a prospective or ex-employer.  Further, since Article 88 GDPR does not distinguish between public and private employment, it can be deduced that both private employees and public servants are concerned.

Specific Considerations[edit | edit source]

The WP29, made a specific reference to consent in the context of an employment relationship in its Opinion on the processing of personal data in the employment context.[3] According to Article 7 GDPR, consent must be freely given. However, an imbalance of power exists in an employment relationship, meaning that employer and employee are never on the same level. Consent should therefore not be regarded as an appropriate legal basis under Article 6 or Article 9 GDPR because of the nature of such a relationship, and in particular because the employee may fear the consequences of refusing to give consent. Thus, employers should rely on another legal basis for processing the personal data of their employees, such as the necessity to perform the employment contract, or the existence of a legal obligation to do so. The WP29 also established certain transparency requirements for the employer when processing employee data. Employees should be made fully aware of every processing activity regarding their data. The employer should in particular provide their employees with clear information when monitoring takes place, including the circumstances of such monitoring and possibilities to prevent their data being processed by monitoring technologies.[4] Regarding transfers of data within the same group of companies, Article 48 GDPR specifies that a controller may rely on a legitimate interest to transfer employment data to a different controller within the same group. However, in any case, legitimate interest shall be carefully assessed to ensure that the interests of the data subject are respected and do not override the interest of the controller.[5]

Case Law[edit | edit source]

The CJEU has to date dealt with several cases regarding the processing of personal data in the context of employment.[6] The Rundfank case concerned the public disclosure of information regarding the salaries of employees in the public sector, based on public interest. The CJEU ruled that an interference in these employees' data protection rights could be valid if they pursued a legitimate aim and were proportionate to the aim pursued.[7] The Worten case concerned the transfer of the working times of employees to a national authority responsible for monitoring working conditions. The CJEU stated that the working times of these employees fell within the definition of personal data, as they could be related to an identifiable person, and that in order to make them available to a third party, they must be necessary to perform the monitoring task imposed to the public authority.[8] At present, questions regarding distance learning and the data privacy implications, including the processing of personal data of employees for videoconferencing, have been referred to the CJEU for consultation by a German administrative court.[9]  

(3) Notification to the Commission[edit | edit source]

According to Article 88(3) GDPR, Member States must notify the Commission about any provisions in their national law pursuant to this Article. Currently, Austria, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Åland’s Finish province, France, Germany, Hungary, Ireland, Italy, Lithuania, Luxembourg, Poland, Romania, and Slovakia have issued notifications in this regard.[10] For example, Italy makes reference in its national law on remote and home-work, compelling the employer to respect the employee's personality and moral freedom.[11] Slovakian law contains a provision that allows the employer to publish the data of its employees when it is necessary for the fulfilment of the jobs, providing that respect, dignity and safety of the data subject are respected.[12] Irish national law additionally refers to the processing of special categories of personal data for purposes of employment and social welfare law.[13] France has included in its national law provisions regarding video surveillance in the work place, individual information about salaries, or pay slip processing.[14] Germany's Federal law regulates employee consent, special categories of data, video surveillance, the processing of employee data documentation, and the compensation of employees for data breaches.[15]

Decisions[edit | edit source]

→ You can find all related decisions in Category:Article 88 GDPR

References[edit | edit source]

  1. Article 29 Data Protection Working Party, Opinion 8/2001 on the processing of personal data in the employment context, 13 September 2001 (available here); Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work, 8 June 2017 (available here).
  2. Selk, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88 GDPR, margin numbers 41-50 (C.H. Beck 2018, 2nd edition).
  3. Article 29 Data Protection Working Party, Opinion 8/2001 on the processing of personal data in the employment context, 13 September 2001, p. 23 (available here).
  4. Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work, 8 June 2017, p. 23 (available here).
  5. Selk, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88 GDPR, margin numbers 175-177 (C.H. Beck 2018, 2nd edition).
  6. Van Eecke, Simkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 88 GDPR, pp. 1232-1233 (Oxford University Press 2020).
  7. CJEU, Joined Cases C-465/00, C-138/01 and C-139/01, Osterreichischer Rundfunk, 20 May 2003 (available here).
  8. CJEU, C-342-12, Worten, 30 May 2013 (available here).
  9. VG Wiesbaden, 23 K 1360/20.WI.PV, 21 December 2021 (available here).
  10. European Commission, EU Member States notification to the European Commission under the GDPR (available here).
  11. Italy notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  12. Slovakia notification GDPR articles 51(4), 85(3), 88(3) (available here) (accessed 30 April 2021).
  13. Ireland notification GDPR articles 51(4), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  14. France notification GDPR articles 49(5), 51(4), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  15. Germany notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).