Article 88 GDPR: Difference between revisions

From GDPRhub
mNo edit summary
 
(12 intermediate revisions by 5 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 88 - Processing in the context of employment'''</center><br />
<br /><center>'''Article 88 - Processing in the context of employment'''</center>


<span id="1">1.  Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.</span>
<span id="1">1.  Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.</span>
Line 194: Line 194:


== Relevant Recital==
== Relevant Recital==
{{Recital/155 GDPR}}
{{Recital/8 GDPR}}{{Recital/155 GDPR}}


== Commentary ==
== Commentary ==
Article 88 GDPR offers the Member States the possibility of regulating processing of data in the context of employment at a national level. For this, Article 88 lists a list of possible matters and sets certain requirements regarding adequacy to the GDPR and notification to the Commission.
Article 88 GDPR allows Member States to further regulate for the processing of personal data in the context of an employment relationship. Given the wide disparities between Member States’ labour laws, Article 88 GDPR prescribes minimum harmonisation, in an attempt to confront a melting pot of legal principles, which are near impossible to fully reconcile.<ref>During the GDPR’s Trilogue proceedings, European legislators were unable to reach a consensus on standards for the protection of employee personal data. As a result, Article 88 GDPR is a ‘compromise regulation’, which leaves any further regulation to the discretion of Member States. Consequently, Article 88’s scope is undetermined in Union law but rather is defined by each Member State.


=== (1) List of Matters  ===
See ''Tiedemann'', in Sydow,Marsch, DSGVO, Article 88 GDPR, margin number 3 (3<sup>rd</sup> edn. 2022, Beck).</ref>
Article 88(1) offers a list of matters that the Member States may regulate. Such list is not an exhaustive list, and therefore Member States have freedom to regulate additional matters. As it is mentioned under section “Notification to the Commission”, several Member States have already regulated matters that were not expressly listed in Article 88, such as video surveillance in the work place regulation.


=== (2) Adequacy to the GDPR  ===
Article 88(1) GDPR acts as an opening clause, permitting states to further regulate for data protection in the context of employment, while Article 88(2) GDPR sets conditions to the use of the opening clause, establishing a minimum threshold from which Member States cannot derogate from. In other words, if a Member State chooses to use the opening clause under Article 88(1) GDPR, any rules introduced must meet the criteria imposed by Article 88(2) GDPR. Lastly, Article 88(3) GDPR imposes an obligation on Member States to notify the Commission of any laws which it adopts pursuant to Article 88(1) GDPR.  
Article 88(2) obliges Member States, when they regulate matters related to employment data, to include in their provisions suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.


Therefore, Article 88 allows Member States to pass national laws as long as they are in line with the GDPR. Although this is already a consequence deriving from the primacy of EU Regulations over national law, the GDPR opts for a clear mandate that seeks to ensure the protection of employee data. Hence, GDPR requirements are a minimum standard for Member States, but there is no impediment for a Member State to include stricter safeguards.
=== (1) May, by law or by collective agreements  ===
The first paragraph of Article 88 GDPR provides that Member States may, by law or by collective agreements, provide for more specific rules regulating the processing of employees’ personal data in the employment context. In doing so, Article 88(1) GDPR provides an opening clause, widening the capacity for Member States to further regulate for the protection of personal data in the employment context. It further specifies the two regulatory instruments through which Member States may rely on in the adoption of rules under Article 88(1) GDPR, the first of which is national law, and the second is collective agreement.  


==== Meaning of employment context ====
The GDPR is a regulation and thus has direct effect.<ref>Article 288 Treaty on the Functioning of the European Union.</ref> Therefore, notwithstanding a data subject’s employment status or of any measures adopted under domestic law, they enjoy all the rights and protections afforded by the GDPR regardless of whether their Member State adopts legislation under Article 88(1) GDPR. Rather, the purpose of Article 88 GDPR is to permit Member States to further regulate on data processing in the employment context in a manner that ‘''would best suit the needs of their own particular legal system, while at the same time keeping in line with the rules set by the GDPR.’''<ref>''Van Eecke'' and ''Šimkus'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1234 (Oxford University Press 2020).</ref> Therefore, Article 88 GDPR acts as a ‘''reinforcement''’ clause, as Member States are free to adopt more protective rules or maintain the minimum standards required by the GDPR.<ref>''Abraha,'' A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in ''International Data Privacy Law'', 12 (2022), p. 290.  </ref>  
The terms “employment” or “employee” are not defined in this Article or in the GDPR. Although there is hence no clear definition of what both terms include, following the Opinions issued by the Article 29 Working Party,<ref>Referenced in the section below</ref> there shall be a certain degree of dependence on the employer from the employee side, which would exclude self-employed workers.<ref>See also ''Selk'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88 GDPR, margin numbers 41-50 (Beck 2018, 2nd ed.) (accessed 30.04.2021)</ref>  


Secondly, as the Article does not difference between public and private employment, it can therefore be considered that public servants are included in this concept.
==== May ====
Article 88(1) GDPR’s use of the discretionary verb ‘''may''’ establishes that Member States are not obliged to further regulate for employee data protection. The Article simply grants Member States regulatory leeway, which they can, but do not have to use.<ref>''Manschmann'', in Kühling, Buchner, DS-GVO BDSG, margin number 1 (3<sup>rd</sup> edn. 2020, Beck).</ref> Nonetheless, Article 88(1) GDPR, provides a non-exhaustive list of matters which Member States may decide to provide more specific rules for. This list includes processing of individuals’ personal data for the purposes of recruitment, performance of employment contracts, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment of social benefits in the course of employment or after the termination of the employment relationship. Essentially, this list is suggestive and if Member States choose to further regulate the matter, they are not bound to the content outlined in Article 88(1) GDPR.


==== Specific considerations ====
==== By law ====
The Article 29 Working Party, in its Opinion on the processing of personal data in the employment context<ref>Article 29 Data Protection Working Party, Opinion 8/2001 on the processing of personal data in the employment context, 13 September 2001. Available at: <nowiki>https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf</nowiki></ref> makes a particular reference to consent in the context of an employment relationship. Consent, according to Article 7 GDPR, must be freely given. However, in an employment relationship exists an imbalance of power, so that employer and employee are never on the same level. Therefore, consent may not be freely given, but coerced because of the nature of such relationship, or because the employee may fear the consequences if refusing to give consent. Employees shall not rely on consent but on a legitimate interest or other legal basis.
Article 88(1) GDPR provides that Member States may establish more specific rules for the protection of employees’ personal data by law. The concept of ‘law’ encompasses all legal norms enacted by a Member State, including statutory instruments and legal provisions that rank below secondary legislation.<ref>''Achim Seifert'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88 GDPR, margin number 25 (1<sup>st</sup> edn. 2019, Beck).</ref>


On the other hand, the A29WP also establishes certain transparency requirements for the employer when processing employee data.<ref>Article 29 Data Protection Working Party, Opinion 2/2017 on data processing at work, 8 June 2017</ref> Employees shall be fully aware of every processing activity regarding their data. The employer shall provide their employees clear information when monitoring takes place, including the circumstances of such monitoring and possibilities to prevent so.
==== By collective agreement ====
The second means through which Member States may establish more specific rules for the protection of employees’ personal data is by collective agreement.<ref>The German GDPR uses the term ‘''Kollektivvereinbarungen''’, while the French version uses the term ‘''au moyen de conventiones collectives''’.</ref> The GDPR does not define these terms. Consequently, the meaning of collective agreement is to be interpreted autonomously from Union law, and not from Member States’ definition in national legislation.


Regarding transfers of data within the same group of companies, Article 48 specifies that a controller may rely on legitimate interest to transfer data for processing by a different controller within the same group. However, in any case, legitimate interest shall be carefully assessed to ensure that the interests and the data subject are respected and do not override the interest of the controller.<ref>See also ''Selk'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88 GDPR, margin numbers 175-177 (Beck 2018, 2nd ed.) (accessed 30.04.2021)</ref>
Union law does not have a single definition of collective agreement. Nonetheless, on a basic level, collective agreements can be defined as ‘''agreements concluded between single employers or their organisations, on the one hand, and organisations of workers such as trade unions, on the other. These agreements establish the content of individual contracts of employment and regulate relationships between the parties''.<ref>''Eurofound,'' European Industrial Relations Dictionary, ''[https://www.eurofound.europa.eu/en/european-industrial-relations-dictionary/european-collective-agreements European collective agreements].'' </ref>


=== (3) Notification to the Commission ===
Member States’ labour laws determine whether and on what level collective agreements on this matter may be concluded.<ref>''Manschmann'', in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 28 (3<sup>rd</sup> edn. 2020, Beck).</ref> For a collective agreement to fall within Article 88’s scope, it must give rise to a legal obligation within the meaning of [[Article 6 GDPR|Article 6(1)(c) GDPR]].<ref>For the meaning of ‘''legal obligation''’ under the GDPR, please refer to the commentary on [[Article 6 GDPR|Article 6(1)(c) GDPR]].</ref> For example, non-binding collective agreements (such as those under English law) that do not give rise to a legal obligation, are invalid for the purposes of Article 88 GDPR.<ref>''Manschmann'', in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 26 (3<sup>rd</sup> edn. 2020, Beck).</ref>
According to Article 88(3), Member States shall notify the Commission about any provisions in their national law pursuant to this Article. Currently, Austria, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Åland’s Finish province, France, Germany, Hungary, Ireland, Italy, Lithuania, Luxembourg, Poland, Romania, and Slovakia have issued notifications in this regard.<ref>Available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu/eu-countries-gdpr-specific-notifications_en. Last accessed 30/04/20219</ref>
 
==== Provide for more specific rules to ensure the protection of rights and freedoms ====
While Member States are afforded discretion of whether to provide for more specific rules, when they choose to do so, these rules are subject to certain requirement. Article 88(1) GDPR acts as an opening clause, creating space for Member States to further regulate the relationship between the GDPR and domestic labour laws.<ref>''Abraha,'' A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in ''International Data Privacy Law'', 12 (2022), p. 282.  </ref> However, Article 88(2) GDPR determines the scope of that regulatory freedom and establishes conditions to its use. There is a significant overlap between the first and second paragraphs of Article 88 GDPR, therefore neither provision can be interpreted without reference to the other. The opening clause should be read as containing two different functions, a ''permissive'' function (Article 88(1) GDPR) and a ''conditional'' function (Article 88(2) GDPR).<ref>''Abraha,'' A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in ''International Data Privacy Law'', 12 (2022), p. 282.  </ref>
 
While Article 88(2) GDPR determines the scope of the opening clause, Article 88(1) GDPR establishes two objectives pursued by the opening clause. It provides that (i) rules must be more specific, and (ii) they must pursue the aim of ensuring the protection of the rights and freedoms of data subjects. Consequently, any interpretation of Article 88(2) GDPR must take into account these objectives.<ref>[https://curia.europa.eu/juris/liste.jsf?num=C-34/21 Case C-34/21], ''Hauptpersonalrat der Lehrerinnen und Lehrer'', paras 52 and 62.</ref>
 
===== ''(i) More specific'' =====
The first objective pursued by the opening clause under Article 88(1) GDPR, is to allow Member States to regulate for ‘''more specific''’ rules. Generally, this objective seeks to ensure that any rules introduced by Member States have a normative content related to data protection in the employment context, but which are distinct from the general rules laid down by the GDPR. Essentially, this objective aims that the opening clause will allow Member States to establish rules targeted to data protection in the employment context.
 
For example, Italy has introduced Law 104/2022 ([https://www.normattiva.it/atto/caricaDettaglioAtto?atto.dataPubblicazioneGazzetta=2022-07-29&atto.codiceRedazionale=22G00113&atto.articolo.numero=0&atto.articolo.sottoArticolo=1&atto.articolo.sottoArticolo1=10&qId=602471bb-12fb-4b55-9e43-c3253a0b67dc&tabID=0.2904989883535549&title=lbl.dettaglioAtto Decreto Transperanza]),<ref>Decreto Legislativo 27 June 2022, n. 104.</ref> which imposes more obligations upon employers than those under the GDPR. For instance, Article 4 of Law 104/2022 obliges employers to undertake a data protection impact assessment where employees are subject to automated decision-making, surveillance and monitoring activities.


For example, Italy makes reference in its national law to remote and home-work, compelling the employer to respect the employees’ personality and moral freedom.<ref>Available at: <nowiki>https://ec.europa.eu/info/sites/default/files/it_notification_art_49_51_83_84_85_88_90.pdf</nowiki>. Last accessed 30/04/20219</ref>
More targeted rules are necessary in the employment context, because data processed in the course of an employment relationship gives rise to power dynamics that are more unbalanced than in the traditional controller–data subject relationship.<ref>''Abraha,'' A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in ''International Data Privacy Law'', 12 (2022), p. 278.  </ref> This disparity arises because the employment relationship is characterised by the subordination of the employee to the employer.  


Slovakian law contains a provision that allows the employer to publish the data of its employees when it is necessary for the fulfillment of the jobs, providing that respect, dignity and safety of the data subject are respected.<ref>Available at: <nowiki>https://ec.europa.eu/info/sites/default/files/sk_notification_51.4_85.3_88.3_publish_0.pdf</nowiki>. Last accessed 30/04/20219</ref>  
The objective of Article 88(1) GDPR of permitting Member States to introduce more specific rules must be read in line with Article 88(2) GDPR, which imposes conditions to the use of Article 88(1) GDPR. Therefore, for a comprehensive overview of the term ‘''more specific’'', please refer to '''<u>section 2.1 below.</u>'''


Irish national law additionally refers to the processing of special categories of personal data for purposes of employment and social welfare law.<ref>Available at: <nowiki>http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/pdf</nowiki>. Last accessed 30/04/20219</ref>
===== (ii) To ensure the protection of rights and freedoms =====
Article 88(1) GDPR establishes that Member States may introduce more specific rules ‘''to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context''’. The use of the word ‘''to’'' requires that any norms introduced by Member States must pursue the aim of protecting the rights and freedoms of data subjects in the employment context. Article 88(2) GDPR further clarifies that those norms ‘''shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights’''.


France has included in its national law provisions regarding video surveillance in the work place, individual information about salaries, or pay slip processing.<ref>Available at: <nowiki>https://ec.europa.eu/info/sites/default/files/fr_notification_gdpr_articles_49_51_84_85_88_90_publish.pdf</nowiki>. Last accessed 30/04/20219</ref>
Therefore, when Article 88(2) GDPR is read in conjunction with the objectives laid down in Article 88(1) GDPR, it is evident that the aim of ensuring the protection of the rights and freedoms referred to under Article 88(1) GDPR must be done with a view specifically to safeguarding the data subject’s human dignity, legitimate interests and fundamental rights.


Germany has included in its Federal law regulation for consent, special categories of data, video surveillance, the processing of employee data documentation, or for compensating employees for data breaches.<ref>Available at: <nowiki>https://ec.europa.eu/info/sites/default/files/de_notification_articles_49.5_51.4_83.9_84.2_85.3_88.3_90.2_publish.pdf</nowiki>. Last accessed 30/04/20219</ref>
==== Employees' personal data in the employment context ====
Article 88’s scope of application is determined by the meaning of employee in this context, as the wording of the provision clearly establishes that Member States may provide for more specific rules ‘''in respect of the processing of employees’ personal data in the employment context''’. Nonetheless, [t]he terms ‘''employment''’ or ‘''employee''’ are not defined in the GDPR. As a result, the term ‘''employee''’ should adopt an autonomous interpretation in accordance with principles of Union law and should not be defined from Member States’ national law.<ref>''Tiedemann'', in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 4 (3<sup>rd</sup> edn. 2022, Beck); ''Manschmann'', in Kühling, Buchner, DS-GVO BDSG, Article 88, margin number 8 (3<sup>rd</sup> edn. 2020, Beck);


==== Case law ====
''Selk'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88, margin number 35 (2<sup>nd</sup> edn. 2018, Beck); ''Achim Seifert'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88, margin number 16 (1<sup>st</sup> edn. 2019, Beck).</ref>
The Court of Justice of the European Union has to this date dealt with several cases regarding the processing of personal data in the context of employment.<ref>''Van Eecke/Simkus'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 88 GDPR, pp. 1232-1233 (Oxford University Press, Oxford, 2020)</ref>


In the Rundfonk case,<ref>CJEU, Joined Cases G-465/00, C-138/01 and C-139/01, Osterreichischer Rundfank, 20 May 2003</ref> the CJEU regarded a case of publicly making available information about salaries of employees from the public sector, based on public interest. The Court ruled that inferences in their data protection right could be legitimate if they pursued a legitimate aim and were proportional.
The term here should be taken to encompass ‘''dependent work in the broader sense’''.<ref>''Tiedemann'', in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 4 (3<sup>rd</sup> edn. 2022, Beck).</ref> This reading is supported by the Article 29 Working Party (‘''WP29''’), which has stated that ‘''where the word “employee” is used in this Opinion, WP29 does not intend to restrict the scope of this term merely to persons with an employment contract recognised as such under applicable labour laws […] This Opinion is intended to cover all situations where there is an employment relationship''’.<ref>Article 29 Working Party, WP 136 - Opinion 4 on the Concept of Personal Data, 20 June 2007, page 4.</ref> Consequently, the scope of Article 88 GDPR is relatively broad, and only appears to exclude self-employed workers. CJEU case law has followed this broad reading.<blockquote><u>Case law:</u> In ''Hauptpersonalrat der Lehrerinnen und Lehrer'', the Court acknowledged that as the GDPR does not define the terms ‘''employees''’ and ‘''employment''’, and does not delegate their interpretation to the law of Member States, the meaning and scope of both terms must take on an autonomous and uniform interpretation throughout the Union.<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', para 40.</ref> Resultantly, the Court defined the term ‘''employee’'' in the context of the GDPR as ‘''a person who performs his or her work in the context of a relationship of subordination with his or her employer and therefore under the latter’s control''’.<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', para 42.</ref> In the following paragraph of the judgment, the Court clarifies that the essential feature of an ‘''employment relationship''’ is the performance of a service ''‘for and under the direction of another person in return for which he or she receives remuneration.’''<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', para 43.</ref></blockquote>


In the Worten case,<ref>CJEU, Case C-342-12, Worten, 30 May 2013</ref> the Court dealt with a case regarding the transfer of the working times of the employee to a national authority responsible of monitoring working conditions. The Court stated that the working times were considered personal data, as they can be related to an identifiable person, and that in order to make them available to a third party, they must be necessary to perform the monitoring task imposed to the public authority.
=== (2) Suitable and specific measures ===
The second paragraph of Article 88 GDPR acts as its conditional limb. The Article places substantive limits on Member States’ regulatory powers by establishing material requirements that any national rules must follow if they are to be compatible with Article 88 GDPR.<ref>''Tiedemann'', in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 18 (3<sup>rd</sup> edn. 2022, Beck)</ref> These requirements provide that measures must be ‘''suitable and specific''’ in order to safeguard data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. The key criterion of Article 88(2) GDPR which determines whether national legislation meets its requirements is the meaning of ‘''suitable and specific’''.  <blockquote><u>Case law:</u> In ''Hauptpersonalrat der Lehrerinnen und Lehrer'', the CJEU relied on the inclusion of the phrase ‘''more specific''’ in Article 88(1) GDPR, to determine the conditions and restrictions upon any further regulation made by Member States under Article 88(2) GDPR.<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', paras 61-65.</ref> The Court clarified that for national legislation to meet these requirements it '''‘''must'' ''have a normative content specific to the areas regulated, which is distinct from the general rules of that regulation [Article 88 GDPR]’'''''.<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', para 61.</ref> Nonetheless, any further regulation must still follow the objective of the provision which allows for national regulatory autonomy, which in the case of Article 88 GDPR, is the objective of protecting employees’ rights and freedoms in respect of the processing of personal data in the employment context.<ref>Case C-34/21, ''Hauptpersonalrat der Lehrerinnen und Lehrer'', para 62.</ref> </blockquote>In essence, these requirements mean that for Article 88(2) GDPR, any rules introduced by Member States under Article 88(1) GDPR must contextually relate to data protection in the employment context, but must be more specific than the general rules laid down by the GDPR.  


Currently, questions regarding distance learning and the data privacy implications, including processing of personal data from employees for videoconferencing, have been referred to the CJEU for consultation by a German administrative court.<ref>Available at: https://www.pinsentmasons.com/out-law/analysis/cjeu-to-rule-on-processing-of-personal-data-from-employees-for-videoconferencing. Last accessed: 30/04/2021</ref>
=== (3) Notification to the Commission ===
According to Article 88(3) GDPR, Member States must notify the Commission about any laws they adopt pursuant to this Article. Currently Austria, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Åland’s Finish province, France, Germany, Hungary, Ireland, Italy, Lithuania, Luxembourg, Poland, Romania, and Slovakia have issued notifications in this regard.<ref>European Commission, EU Member States notification to the European Commission under the GDPR (available [https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu/eu-member-states-notifications-european-commission-under-gdpr_en here]).</ref> For example, Italy makes reference in its national law on remote and home-work, compelling the employer to respect the employee's personality and moral freedom.<ref>Italy notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available [https://ec.europa.eu/info/sites/default/files/it_notification_art_49_51_83_84_85_88_90.pdf here]) (accessed 30 April 2021).</ref> Slovakian law contains a provision that allows the employer to publish the data of its employees when it is necessary for the fulfilment of the jobs, providing that respect, dignity and safety of the data subject are respected.<ref>Slovakia notification GDPR articles 51(4), 85(3), 88(3) (available [https://ec.europa.eu/info/sites/default/files/sk_notification_51.4_85.3_88.3_publish_0.pdf. here]) (accessed 30 April 2021).</ref> Irish national law additionally refers to the processing of special categories of personal data for purposes of employment and social welfare law.<ref>Ireland notification GDPR articles 51(4), 84(2), 85(3), 88(3), 90(2) (available [http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/pdf here]) (accessed 30 April 2021).</ref> France has included in its national law provisions regarding video surveillance in the work place, individual information about salaries, or pay slip processing.<ref>France notification GDPR articles 49(5), 51(4), 84(2), 85(3), 88(3), 90(2) (available [https://ec.europa.eu/info/sites/default/files/fr_notification_gdpr_articles_49_51_84_85_88_90_publish.pdf. here]) (accessed 30 April 2021).</ref> Germany's Federal law regulates employee consent, special categories of data, video surveillance, the processing of employee data documentation, and the compensation of employees for data breaches.<ref>Germany notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available [https://ec.europa.eu/info/sites/default/files/de_notification_articles_49.5_51.4_83.9_84.2_85.3_88.3_90.2_publish.pdf here]) (accessed 30 April 2021).</ref>


== Decisions ==
== Decisions ==
Line 247: Line 259:
<references />
<references />


[[Category:Article 88 GDPR]] [[Category:GDPR]]
[[Category:Article 88 GDPR]] [[Category:GDPR Articles]]

Latest revision as of 13:32, 30 November 2023

Article 88 - Processing in the context of employment
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 88 - Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Relevant Recital

Recital 8: National Implementation
Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

Recital 155: Processing of Employees' Personal Data
Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

Commentary

Article 88 GDPR allows Member States to further regulate for the processing of personal data in the context of an employment relationship. Given the wide disparities between Member States’ labour laws, Article 88 GDPR prescribes minimum harmonisation, in an attempt to confront a melting pot of legal principles, which are near impossible to fully reconcile.[1]

Article 88(1) GDPR acts as an opening clause, permitting states to further regulate for data protection in the context of employment, while Article 88(2) GDPR sets conditions to the use of the opening clause, establishing a minimum threshold from which Member States cannot derogate from. In other words, if a Member State chooses to use the opening clause under Article 88(1) GDPR, any rules introduced must meet the criteria imposed by Article 88(2) GDPR. Lastly, Article 88(3) GDPR imposes an obligation on Member States to notify the Commission of any laws which it adopts pursuant to Article 88(1) GDPR.

(1) May, by law or by collective agreements

The first paragraph of Article 88 GDPR provides that Member States may, by law or by collective agreements, provide for more specific rules regulating the processing of employees’ personal data in the employment context. In doing so, Article 88(1) GDPR provides an opening clause, widening the capacity for Member States to further regulate for the protection of personal data in the employment context. It further specifies the two regulatory instruments through which Member States may rely on in the adoption of rules under Article 88(1) GDPR, the first of which is national law, and the second is collective agreement.

The GDPR is a regulation and thus has direct effect.[2] Therefore, notwithstanding a data subject’s employment status or of any measures adopted under domestic law, they enjoy all the rights and protections afforded by the GDPR regardless of whether their Member State adopts legislation under Article 88(1) GDPR. Rather, the purpose of Article 88 GDPR is to permit Member States to further regulate on data processing in the employment context in a manner that ‘would best suit the needs of their own particular legal system, while at the same time keeping in line with the rules set by the GDPR.’[3] Therefore, Article 88 GDPR acts as a ‘reinforcement’ clause, as Member States are free to adopt more protective rules or maintain the minimum standards required by the GDPR.[4]

May

Article 88(1) GDPR’s use of the discretionary verb ‘may’ establishes that Member States are not obliged to further regulate for employee data protection. The Article simply grants Member States regulatory leeway, which they can, but do not have to use.[5] Nonetheless, Article 88(1) GDPR, provides a non-exhaustive list of matters which Member States may decide to provide more specific rules for. This list includes processing of individuals’ personal data for the purposes of recruitment, performance of employment contracts, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment of social benefits in the course of employment or after the termination of the employment relationship. Essentially, this list is suggestive and if Member States choose to further regulate the matter, they are not bound to the content outlined in Article 88(1) GDPR.

By law

Article 88(1) GDPR provides that Member States may establish more specific rules for the protection of employees’ personal data by law. The concept of ‘law’ encompasses all legal norms enacted by a Member State, including statutory instruments and legal provisions that rank below secondary legislation.[6]

By collective agreement

The second means through which Member States may establish more specific rules for the protection of employees’ personal data is by collective agreement.[7] The GDPR does not define these terms. Consequently, the meaning of collective agreement is to be interpreted autonomously from Union law, and not from Member States’ definition in national legislation.

Union law does not have a single definition of collective agreement. Nonetheless, on a basic level, collective agreements can be defined as ‘agreements concluded between single employers or their organisations, on the one hand, and organisations of workers such as trade unions, on the other. These agreements establish the content of individual contracts of employment and regulate relationships between the parties.’[8]

Member States’ labour laws determine whether and on what level collective agreements on this matter may be concluded.[9] For a collective agreement to fall within Article 88’s scope, it must give rise to a legal obligation within the meaning of Article 6(1)(c) GDPR.[10] For example, non-binding collective agreements (such as those under English law) that do not give rise to a legal obligation, are invalid for the purposes of Article 88 GDPR.[11]

Provide for more specific rules to ensure the protection of rights and freedoms

While Member States are afforded discretion of whether to provide for more specific rules, when they choose to do so, these rules are subject to certain requirement. Article 88(1) GDPR acts as an opening clause, creating space for Member States to further regulate the relationship between the GDPR and domestic labour laws.[12] However, Article 88(2) GDPR determines the scope of that regulatory freedom and establishes conditions to its use. There is a significant overlap between the first and second paragraphs of Article 88 GDPR, therefore neither provision can be interpreted without reference to the other. The opening clause should be read as containing two different functions, a permissive function (Article 88(1) GDPR) and a conditional function (Article 88(2) GDPR).[13]

While Article 88(2) GDPR determines the scope of the opening clause, Article 88(1) GDPR establishes two objectives pursued by the opening clause. It provides that (i) rules must be more specific, and (ii) they must pursue the aim of ensuring the protection of the rights and freedoms of data subjects. Consequently, any interpretation of Article 88(2) GDPR must take into account these objectives.[14]

(i) More specific

The first objective pursued by the opening clause under Article 88(1) GDPR, is to allow Member States to regulate for ‘more specific’ rules. Generally, this objective seeks to ensure that any rules introduced by Member States have a normative content related to data protection in the employment context, but which are distinct from the general rules laid down by the GDPR. Essentially, this objective aims that the opening clause will allow Member States to establish rules targeted to data protection in the employment context.

For example, Italy has introduced Law 104/2022 (Decreto Transperanza),[15] which imposes more obligations upon employers than those under the GDPR. For instance, Article 4 of Law 104/2022 obliges employers to undertake a data protection impact assessment where employees are subject to automated decision-making, surveillance and monitoring activities.

More targeted rules are necessary in the employment context, because data processed in the course of an employment relationship gives rise to power dynamics that are more unbalanced than in the traditional controller–data subject relationship.[16] This disparity arises because the employment relationship is characterised by the subordination of the employee to the employer.

The objective of Article 88(1) GDPR of permitting Member States to introduce more specific rules must be read in line with Article 88(2) GDPR, which imposes conditions to the use of Article 88(1) GDPR. Therefore, for a comprehensive overview of the term ‘more specific’, please refer to section 2.1 below.

(ii) To ensure the protection of rights and freedoms

Article 88(1) GDPR establishes that Member States may introduce more specific rules ‘to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context’. The use of the word ‘to’ requires that any norms introduced by Member States must pursue the aim of protecting the rights and freedoms of data subjects in the employment context. Article 88(2) GDPR further clarifies that those norms ‘shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights’.

Therefore, when Article 88(2) GDPR is read in conjunction with the objectives laid down in Article 88(1) GDPR, it is evident that the aim of ensuring the protection of the rights and freedoms referred to under Article 88(1) GDPR must be done with a view specifically to safeguarding the data subject’s human dignity, legitimate interests and fundamental rights.

Employees' personal data in the employment context

Article 88’s scope of application is determined by the meaning of employee in this context, as the wording of the provision clearly establishes that Member States may provide for more specific rules ‘in respect of the processing of employees’ personal data in the employment context’. Nonetheless, [t]he terms ‘employment’ or ‘employee’ are not defined in the GDPR. As a result, the term ‘employee’ should adopt an autonomous interpretation in accordance with principles of Union law and should not be defined from Member States’ national law.[17]

The term here should be taken to encompass ‘dependent work in the broader sense’.[18] This reading is supported by the Article 29 Working Party (‘WP29’), which has stated that ‘where the word “employee” is used in this Opinion, WP29 does not intend to restrict the scope of this term merely to persons with an employment contract recognised as such under applicable labour laws […] This Opinion is intended to cover all situations where there is an employment relationship’.[19] Consequently, the scope of Article 88 GDPR is relatively broad, and only appears to exclude self-employed workers. CJEU case law has followed this broad reading.

Case law: In Hauptpersonalrat der Lehrerinnen und Lehrer, the Court acknowledged that as the GDPR does not define the terms ‘employees’ and ‘employment’, and does not delegate their interpretation to the law of Member States, the meaning and scope of both terms must take on an autonomous and uniform interpretation throughout the Union.[20] Resultantly, the Court defined the term ‘employee’ in the context of the GDPR as ‘a person who performs his or her work in the context of a relationship of subordination with his or her employer and therefore under the latter’s control’.[21] In the following paragraph of the judgment, the Court clarifies that the essential feature of an ‘employment relationship’ is the performance of a service ‘for and under the direction of another person in return for which he or she receives remuneration.’[22]

(2) Suitable and specific measures

The second paragraph of Article 88 GDPR acts as its conditional limb. The Article places substantive limits on Member States’ regulatory powers by establishing material requirements that any national rules must follow if they are to be compatible with Article 88 GDPR.[23] These requirements provide that measures must be ‘suitable and specific’ in order to safeguard data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. The key criterion of Article 88(2) GDPR which determines whether national legislation meets its requirements is the meaning of ‘suitable and specific’.

Case law: In Hauptpersonalrat der Lehrerinnen und Lehrer, the CJEU relied on the inclusion of the phrase ‘more specific’ in Article 88(1) GDPR, to determine the conditions and restrictions upon any further regulation made by Member States under Article 88(2) GDPR.[24] The Court clarified that for national legislation to meet these requirements it must have a normative content specific to the areas regulated, which is distinct from the general rules of that regulation [Article 88 GDPR]’.[25] Nonetheless, any further regulation must still follow the objective of the provision which allows for national regulatory autonomy, which in the case of Article 88 GDPR, is the objective of protecting employees’ rights and freedoms in respect of the processing of personal data in the employment context.[26]

In essence, these requirements mean that for Article 88(2) GDPR, any rules introduced by Member States under Article 88(1) GDPR must contextually relate to data protection in the employment context, but must be more specific than the general rules laid down by the GDPR.

(3) Notification to the Commission

According to Article 88(3) GDPR, Member States must notify the Commission about any laws they adopt pursuant to this Article. Currently Austria, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Åland’s Finish province, France, Germany, Hungary, Ireland, Italy, Lithuania, Luxembourg, Poland, Romania, and Slovakia have issued notifications in this regard.[27] For example, Italy makes reference in its national law on remote and home-work, compelling the employer to respect the employee's personality and moral freedom.[28] Slovakian law contains a provision that allows the employer to publish the data of its employees when it is necessary for the fulfilment of the jobs, providing that respect, dignity and safety of the data subject are respected.[29] Irish national law additionally refers to the processing of special categories of personal data for purposes of employment and social welfare law.[30] France has included in its national law provisions regarding video surveillance in the work place, individual information about salaries, or pay slip processing.[31] Germany's Federal law regulates employee consent, special categories of data, video surveillance, the processing of employee data documentation, and the compensation of employees for data breaches.[32]

Decisions

→ You can find all related decisions in Category:Article 88 GDPR

References

  1. During the GDPR’s Trilogue proceedings, European legislators were unable to reach a consensus on standards for the protection of employee personal data. As a result, Article 88 GDPR is a ‘compromise regulation’, which leaves any further regulation to the discretion of Member States. Consequently, Article 88’s scope is undetermined in Union law but rather is defined by each Member State. See Tiedemann, in Sydow,Marsch, DSGVO, Article 88 GDPR, margin number 3 (3rd edn. 2022, Beck).
  2. Article 288 Treaty on the Functioning of the European Union.
  3. Van Eecke and Šimkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1234 (Oxford University Press 2020).
  4. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 290.  
  5. Manschmann, in Kühling, Buchner, DS-GVO BDSG, margin number 1 (3rd edn. 2020, Beck).
  6. Achim Seifert, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88 GDPR, margin number 25 (1st edn. 2019, Beck).
  7. The German GDPR uses the term ‘Kollektivvereinbarungen’, while the French version uses the term ‘au moyen de conventiones collectives’.
  8. Eurofound, European Industrial Relations Dictionary, European collective agreements.
  9. Manschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 28 (3rd edn. 2020, Beck).
  10. For the meaning of ‘legal obligation’ under the GDPR, please refer to the commentary on Article 6(1)(c) GDPR.
  11. Manschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 26 (3rd edn. 2020, Beck).
  12. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 282.  
  13. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 282.  
  14. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, paras 52 and 62.
  15. Decreto Legislativo 27 June 2022, n. 104.
  16. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 278.  
  17. Tiedemann, in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 4 (3rd edn. 2022, Beck); Manschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88, margin number 8 (3rd edn. 2020, Beck); Selk, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 88, margin number 35 (2nd edn. 2018, Beck); Achim Seifert, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88, margin number 16 (1st edn. 2019, Beck).
  18. Tiedemann, in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 4 (3rd edn. 2022, Beck).
  19. Article 29 Working Party, WP 136 - Opinion 4 on the Concept of Personal Data, 20 June 2007, page 4.
  20. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, para 40.
  21. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, para 42.
  22. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, para 43.
  23. Tiedemann, in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 18 (3rd edn. 2022, Beck)
  24. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, paras 61-65.
  25. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, para 61.
  26. Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, para 62.
  27. European Commission, EU Member States notification to the European Commission under the GDPR (available here).
  28. Italy notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  29. Slovakia notification GDPR articles 51(4), 85(3), 88(3) (available here) (accessed 30 April 2021).
  30. Ireland notification GDPR articles 51(4), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  31. France notification GDPR articles 49(5), 51(4), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).
  32. Germany notification GDPR articles 49(5), 51(4), 83(9), 84(2), 85(3), 88(3), 90(2) (available here) (accessed 30 April 2021).