Article 88 GDPR
Legal Text
1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Relevant Recital
Commentary
Article 88 GDPR allows Member States to further regulate the processing of personal data in the context of an employment relationship. The provision gives Member States the chance to regulate this specific area further without obliging them to do so. If a Member State chooses to use this opening clause, it has to consider the specific requirements set by Article 88(2) GDPR for such national data protection rules. This means that - given the wide disparities between Member States’ labour laws - the GDPR prescribes only a minimum harmonisation in the context of employment and the level of data protection can be further increased by each Member State.[1] It should be noted that any processing activity governed by a specific rule under Article 88 GDPR is also subject to the requirements of other provisions of the GDPR (e.g. Articles 5, 6 and 9 GDPR).[2]
Article 88(1) GDPR acts as an opening clause, permitting Member States to provide further rules for the protection of personal data in the context of employment, while Article 88(2) GDPR sets conditions on the use of the opening clause, establishing a minimum threshold from which Member States cannot derogate. In other words, if a Member State chooses to use the opening clause under Article 88(1) GDPR, any rules introduced must meet the criteria imposed by Article 88(2) GDPR.
Lastly, Article 88(3) GDPR imposes an obligation on Member States to notify the Commission of any laws which they adopt pursuant to Article 88(1) GDPR.
(1) Processing in the context of employment
Opening clause
The first paragraph of Article 88 GDPR provides that Member States may, by law or by collective agreements, provide for more specific rules regulating the processing of employees’ personal data in the employment context. In doing so, Article 88(1) GDPR provides an opening clause, widening the capacity for Member States to regulate the protection of personal data in the employment context. It further specifies the two regulatory instruments on which Member States may rely in the adoption of rules under Article 88(1) GDPR: the first is national law, and the second is collective agreement.
The GDPR is a regulation and thus has direct effect.[3] Therefore, irrespective of their employment status or of any measures adopted under domestic law, data subjects enjoy all the rights and protections afforded by the GDPR regardless of whether their Member State adopts legislation under Article 88(1) GDPR. Rather, the purpose of Article 88 GDPR is to permit Member States to further regulate data processing in the employment context in a manner that ‘would best suit the needs of their own particular legal system, while at the same time keeping in line with the rules set by the GDPR.’[4] Therefore, Article 88 GDPR acts as a ‘reinforcement’ clause, as Member States are free to adopt more protective rules or maintain the minimum standards required by the GDPR.[5]
"Article 88(1) and (2) of the GDPR must be interpreted as meaning that, even where Member States rely on that article in order to introduce, into their respective national legal systems, ‘more specific rules’, by law or by collective agreements, the requirements arising from the other provisions that are specifically referred to in the present question, namely Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, must also be satisfied. That applies, in particular, to compliance with the criterion of the necessity of processing laid down in those provisions"
CJEU - C-65/23 - MK v K GmbH, margin number 43.
The existence of this opening clause can be explained by the specific features of such processing, namely, the existence of a relationship of subordination between employees and their employer.[6]
May provide for more specific rules
Article 88(1) GDPR’s use of the discretionary verb ‘may’ establishes that Member States are not obliged to further regulate the protection of employees' personal data in the employment context. The Article simply grants Member States regulatory leeway, which they can, but do not have to use.[7]
Article 88(1) GDPR provides a non-exhaustive list of matters for which Member States may decide to provide more specific rules. This list includes processing of individuals’ personal data for the purposes of
- recruitment,
- performance of employment contracts,
- management, planning and organisation of work,
- equality and diversity in the workplace,
- health and safety at work,
- protection of employer's or customer's property and
- the exercise and enjoyment of social benefits in the course of employment or after the termination of the employment relationship.
Essentially, this list is suggestive and if Member States choose to further regulate the matter, they are not bound by the content outlined in Article 88(1) GDPR.
By law
Article 88(1) GDPR provides that Member States may establish more specific rules for the protection of employees’ personal data by law. The concept of ‘law’ encompasses all legal norms enacted by a Member State, including statutory instruments and legal provisions that rank below secondary legislation.[8]
By collective agreement
The second means through which Member States may establish more specific rules for the protection of employees’ personal data is by collective agreement.[9] The GDPR does not define this term. Consequently, the meaning of collective agreement is to be interpreted autonomously under Union law, and not by reference to Member States’ definitions in national legislation.[10]
Union law does not have a single definition of collective agreement. Nonetheless, on a basic level, collective agreements can be defined as ‘agreements concluded between single employers or their organisations, on the one hand, and organisations of workers such as trade unions, on the other. These agreements establish the content of individual contracts of employment and regulate relationships between the parties.’[11]
According to Recital 155, the term ‘collective agreements’ includes ‘works agreements’.[12]
Member States’ labour laws determine whether and on what level collective agreements on this matter may be concluded.[13] It should be noted that a collective agreement itself - just as a regulation by national law - can only be a legal basis for a processing activity if it gives rise to a legal obligation within the meaning of Article 6(1)(c) GDPR.[14] For example, non-binding collective agreements (such as those under English law) that do not give rise to a legal obligation cannot be invoked as a legal basis by an employer.[15]
More specific rules to ensure the protection of rights and freedoms
While Member States are afforded discretion as to whether to provide for more specific rules in the context of employment, when they choose to do so, these rules are subject to certain requirements. Article 88(1) GDPR acts as an opening clause, creating space for Member States to further regulate the relationship between the GDPR and domestic labour laws.[16] However, Article 88(2) GDPR determines the scope of that regulatory freedom and establishes conditions on its use. There is a significant overlap between the first and second paragraphs of Article 88 GDPR; therefore, neither provision can be interpreted without reference to the other. The opening clause should be read as containing two different functions, a permissive function (Article 88(1) GDPR) and a conditional function (Article 88(2) GDPR).[17]
While Article 88(2) GDPR establishes specific requirements for the utilisation of the opening clause, Article 88(1) GDPR establishes two objectives pursued by the opening clause. It provides that (i) rules must be more specific, and (ii) they must pursue the aim of ensuring the protection of the rights and freedoms of data subjects. Consequently, any interpretation of Article 88(2) GDPR must take into account these objectives.[18]
(i) More specific
The first objective pursued by the opening clause under Article 88(1) GDPR is to allow Member States to adopt ‘more specific’ rules. Generally, this objective seeks to ensure that any rules introduced by Member States have a normative content related to data protection in the employment context, but are distinct from the general rules laid down by the GDPR. Therefore, any regulatory activity by a Member State under Article 88 GDPR should address the specialities of processing activities in the employment context, e.g. the relationship of authority between an employee and their employer.[19]
For example: Italy has introduced Law 104/2022 (Decreto Trasparenza),[20] which imposes more obligations upon employers than those under the GDPR. For instance, Article 4 of Law 104/2022 obliges employers to undertake a data protection impact assessment where employees are subject to automated decision-making, surveillance and monitoring activities.
More targeted rules are necessary in the employment context, because data processed in the course of an employment relationship gives rise to power dynamics that are more unbalanced than in the traditional controller–data subject relationship.[21] This disparity arises because the employment relationship is characterised by the subordination of the employee to the employer.
The objective of Article 88(1) GDPR of permitting Member States to introduce more specific rules must be read in line with Article 88(2) GDPR, which imposes conditions on the utilisation of Article 88(1) GDPR. Therefore, for a comprehensive interpretation of the term ‘more specific’, please also refer to the section on Article 88(2) GDPR below.
(ii) To ensure the protection of rights and freedoms
Article 88(1) GDPR establishes that Member States may introduce more specific rules ‘to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context’. The use of the word ‘to’ requires that any norms introduced by Member States must pursue the aim of protecting the rights and freedoms of data subjects in the employment context. Article 88(2) GDPR further clarifies that those norms ‘shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights’.
Therefore, when Article 88(2) GDPR is read in conjunction with the objectives laid down in Article 88(1) GDPR, it is evident that the aim of ensuring the protection of the rights and freedoms referred to under Article 88(1) GDPR must be pursued with a view specifically to safeguarding the data subject’s human dignity, legitimate interests and fundamental rights.
"[T]he rules adopted by a Member State on the basis of Article 88 must have the objective of protecting the rights and freedoms of employees with respect to the processing of their personal data."
CJEU - C-65/23 - MK v K GmbH, margin number 41.
Employees' personal data in the employment context
Article 88’s scope of application is determined by the meaning of 'employee' in this context, as the wording of the provision clearly establishes that Member States may provide for more specific rules ‘in respect of the processing of employees’ personal data in the employment context’. Nonetheless, the terms ‘employment’ or ‘employee’ are not defined in the GDPR. As a result, the term ‘employee’ should be given an autonomous interpretation in accordance with principles of Union law and should not be defined by reference to Member States’ national law.[22]
Reference can be made to CJEU case law recognising the essential feature of an employment relationship in the fact that "for a certain period of time a person performs services for and under the direction of another person in return for which he or she receives remuneration".[23] Consequently, the scope of Article 88 GDPR is relatively broad, and only appears to exclude self-employed workers. Employment relationships in the public sector are covered by Article 88 GDPR.[24]
CJEU case law has followed this broad reading: In Hauptpersonalrat der Lehrerinnen und Lehrer, the Court acknowledged that as the GDPR does not define the terms ‘employees’ and ‘employment’, and does not delegate their interpretation to the law of Member States, the meaning and scope of both terms must take on an autonomous and uniform interpretation throughout the Union.[25]
"The term ‘employee’ in its usual meaning refers to a person who performs his or her work in the context of a relationship of subordination with his or her employer and therefore under the latter’s control [...]
Likewise, the essential feature of an ‘employment relationship’ is that for a certain period of time a person performs services for and under the direction of another person in return for which he or she receives remuneration [...]"
CJEU - C-34/21 - Hauptpersonalrat der Lehrerinnen und Lehrer, margin number 42 et seq.
(2) Requirements for national provisions
Suitable and specific measures
The second paragraph of Article 88 GDPR sets conditions for any specific national measure regulating the protection of data in the employment context. The provision places substantive limits on Member States’ regulatory powers by establishing material requirements that any national rules must follow if they are to be compatible with Article 88 GDPR.[26]
These requirements provide that national rules must include ‘suitable and specific’ measures in order to safeguard the data subject’s:
- human dignity,
- legitimate interests and
- fundamental rights.
In particular, this concerns:
- the transparency of processing,
- the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and
- monitoring systems at the workplace.
Therefore, Article 88(2) GDPR sets out conditions that any rule adopted on the basis of the opening clause in Article 88(1) GDPR must meet and thus circumscribes the discretion of any Member State adopting any data protection regulation in the employment context.[27]
"[T]hose rules cannot be limited to reiterating the provisions of that regulation and must seek to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights."
CJEU - C-34/21 - Hauptpersonalrat der Lehrerinnen und Lehrer, margin number 65.
In essence, these requirements mean that, under Article 88(2) GDPR, any rules introduced by Member States under Article 88(1) GDPR must contextually relate to data protection in the employment context, but must be more specific than the general rules laid down by the GDPR. Also, any national provision (a 'more specific rule') must seek to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights, in particular regarding the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place.[28]
It should be noted that - in addition to the requirement stipulated in Article 88(2) GDPR - other provisions of the GDPR (e.g. Article 5, 6(1), 9(1) GDPR) must also be satisfied.[29]
(3) Notification to the Commission
According to Article 88(3) GDPR, Member States must notify the Commission about any laws they adopt pursuant to this Article. For an overview of the current national implementation laws see the list provided by the European Commission.[30]
According to the provision's wording, this requirement applies only to national laws and not to collective agreements.[31]
Decisions
→ You can find all related decisions in Category:Article 88 GDPR
References
1. During the GDPR’s Trilogue proceedings, European legislators were unable to reach a consensus on standards for the protection of employee personal data. As a result, Article 88 GDPR is a ‘compromise regulation’, which leaves any further regulation to the discretion of Member States. See Tiedemann, in Sydow, Marsch, DSGVO, Article 88 GDPR, margin number 3 (C.H. Beck 2022, 3rd Edition).
2. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 41.
3. Article 288 Treaty on the Functioning of the European Union.
4. Van Eecke and Šimkus, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 68 GDPR, p. 1234 (Oxford University Press 2020).
5. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 290.
6. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 40, with further references.
7. Maschmann, in Kühling, Buchner, DS-GVO BDSG, margin number 1 (C.H. Beck 2024, 4th Edition).
8. Seifert, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88 GDPR, margin number 32 (C.H. Beck 2025, 2nd Edition); see also Recital 41.
9. The German GDPR uses the term ‘Kollektivvereinbarungen’, while the French version uses the term ‘au moyen de conventions collectives’.
10. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 37.
11. Definition of European Collective Agreements, in Eurofound, European Industrial Relations Dictionary.
12. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 36.
13. Maschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 28 (C.H. Beck 2024, 4th Edition).
14. For the meaning of ‘legal obligation’ under the GDPR, please refer to the commentary on Article 6(1)(c) GDPR.
15. Compare Maschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88 GDPR, margin number 26 (C.H. Beck 2020, 3rd Edition).
16. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 282.
17. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 282.
18. CJEU, Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, 30 March 2023, margin numbers 52 and 62.
19. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 40.
20. Decreto Legislativo 27 June 2022, n. 104.
21. Abraha, A pragmatic compromise? The role of Article 88 GDPR in upholding privacy in the workplace, in International Data Privacy Law, 12 (2022), p. 278.
22. Maschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88, margin number 8 (C.H. Beck 2024, 4th Edition); Seifert, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 88, margin number 19 et seq. (C.H. Beck 2025, 2nd Edition).
23. CJEU, Case C-742/19, Republika Slovenija, 15 July 2021, margin number 49, with further references.
24. CJEU, Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, 30 March 2023, margin number 44.
25. CJEU, Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, 30 March 2023, margin number 40 et seqq.
26. Maschmann, in Kühling, Buchner, DSGVO, Article 88 GDPR, margin number 41 (C.H. Beck 2024, 4th Edition).
27. CJEU, Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, 30 March 2023, margin number 65.
28. CJEU, Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer, 30 March 2023, margin number 74.
29. CJEU, Case C‑65/23, MK v K GmbH, 19 December 2024, margin number 43.
30. European Commission, EU Member States notification to the European Commission under the GDPR.
31. Maschmann, in Kühling, Buchner, DS-GVO BDSG, Article 88, margin number 58 (C.H. Beck 2024, 4th Edition).