BAG - 9 AZR 383/19
From GDPRhub
| - 9 AZR 383/19 | |
|---|---|
 | |
| Court: | BAG (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 38(3) GDPR Article 38(6) GDPR § 38(2) BDSG § 4f(2) BDSG (a.F.) § 4f(3) BDSG (a.F.) § 6(4) BDSG § 626 BGB |
| Decided: | 06.06.2023 |
| Published: | 09.06.2023 |
| Parties: | |
| National Case Number/Name: | 9 AZR 383/19 |
| European Case Law Identifier: | ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | BAG (in German) |
| Initial Contributor: | Sara Horvat |
The German Federal Labour Court implemented CJEU's decision C-453/21, holding that the chairman of the Works Council of a subsidiary was rightfully dismissed as the DPO of the group of undertakings for a conflict of interests between the two functions.
English Summary
Facts
The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its German subsidiaries in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in the group.
In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as under § 4f(2) of the German Federal Privacy Law (Bundesdatenschutzgesetz - BDSG)in its old version (a.F.). The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was null for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000.
As a consequence, the controller informed the DPO that it would revoke his appointment of 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under Article 38(3) GDPR, second sentence.
The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of § 4f(3) BDSG (a.F.) and § 38(2) BDSG, § 6(4) BDSG in conjunction with § 626 of the German Civil Code (Bürgerliches Gesetzbuch -BGB).
In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (Bundesarbeitsgericht - BAG).
Holding
In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with Article 38(3) GDPR, second sentence. In its judgment C-453/21 X-Fab Dresden GmbH & Co. KG, the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller.
The BAG held that this assessment made by the CJEU regarding a conflict of interest pursuant to Article 38(2) GDPR has not only applied since the amendment of the BDSG after entry into force of the GDPR, but already corresponded to the legal situation within the scope of the BDSG (a.F.).
On 6 June 2023, the BAG issued its final judgment on the case.
First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under § 38(5) BDSG (a.F.).
Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of § 4f(2) BDSG (a.F.). Reliability of the DPO could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the CJEU's preliminary ruling on Article 38(6) GDPR, that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council chairman also acted as DPO, a concrete risk of a conflict of interest was given which put the independence of the DPO's functions at risk. As a matter of fact, the works council chairman requests access to specific personal data of employees and decides which protective measures to adopt in that regard. At the same time, the DPO is called upon to assess in a neutral and independent way whether the actions taken by the works council are in line with data protection provisions. Due to these structural limitations, the DPO may struggle to ensure both neutrality and independence from the works council's resolutions, as he is the chairsperson thereof.
For all these reasons, the BAG held that this conflict compromises the functional independence of the DPO, potentially undermining data protection provisions and as a result, the employer is justified to revoke the appointment of the employee in question as DPO.
Comment
The preliminary ruling of the CJEU in case C-453/21 is also available on GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Federal Labor Court judgment of June 6, 2023
Ninth Senate - 9 AZR 383/19 -
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
I. Dresden Labor Court judgment of June 27, 2018
- 10 Ca 234/18 -
II. Saxon State Labor Court judgment of August 19, 2019
- 9 Sat 268/18 -
Keyword for decision:
Chairman of the works council as data protection officer
Guiding principle:
The duties of a data protection officer are the same as those of an employee.
Chairman of the works council cannot be agreed. The one with simultaneous truth
Conflict of interest existing in the performance of both functions justifies
the appointment of the works council chairman as data protection officer
to revoke.
Note from the Senate:
See the conformity with Union law of Section 6 Paragraph 4 Sentence 1 BDSG BAG June 6th
2023 - 9 AZR 621/19 - FEDERAL LABOR COURT
9 AZR 383/19
9 Sat 268/18
Saxon
State Labor Court
In the name of the people!
Announced on
June 6, 2023
VERDICT
Kleinert, clerk
the office
In matters
Defendant, appellant and appellant,
pp.
Plaintiff, respondent and defendant on appeal,
the Ninth Senate of the Federal Labor Court based on the oral arguments
act of June 6, 2023 by the presiding judge at the Federal Labor Court
court Prof. Dr. Kiel, the judges at the Federal Labor Court Zimmermann and
Dr. Suckow and the honorary judges Dr. Leitner and Stang for law
detected:
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 2 - - 2 - 9 AZR 383/19
1. The judgment of the defendant is based on the appeal
Saxon State Labor Court dated August 19th
2019 - 9 Sa 268/18 - repealed.
2. On the defendant's appeal, the judgment of the Ar-
Beitsgericht Dresden from June 27, 2018 - 10 approx
234/18 - amended and the lawsuit dismissed.
3. The plaintiff must bear the costs of the legal dispute.
By law!
Facts of the case
The parties dispute the validity of the plaintiff's appeal on January 1
the defendant's data protection officer and the revocation of the contract.
position and the dismissal of the plaintiff.
The defendant, based in D, belongs to the X group. She is a 2
100% subsidiary of X GmbH, which was converted from an AG with its registered office
in E. The plaintiff is entitled to take into account periods of previous employment with the company.
has been in an employment relationship with the defendant since November 1, 1993.
He is chairman of the works council formed by this and is responsible for exercising responsibility
due to his duties as chairman, he was partially released from work.
The plaintiff was terminated by the defendant with effect from June 1, 2015
parent company and its other subsidiaries based in Germany
companies X F GmbH and X I GmbH each have separate data protection regulations.
ordered ordered. With the parallel appointment of the plaintiff, the companies pursued
companies aim to establish a uniform data protection standard across the group.
ren.
In a letter dated September 4, 2017 to the parent company of Be-4
complained, the then X AG, said the Thuringian state commissioner for data
protection and freedom of information with reference to Section 4f Paragraph 2 BDSG in the
The version valid until May 24, 2018 (BDSG aF) concerns that the plaintiff
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 3 - - 3 - 9 AZR 383/19
necessary to fulfill his duties as a company data protection officer.
have the required reliability. Because of his position as works council chairman
conflicts of interest could arise. In their statement dated
On September 27, 2017, X GmbH responded with reference to the decision
of the Federal Labor Court of March 23, 2011 (- 10 AZR 562/09 -), both radio
tions are compatible with each other.
The Thuringian State Commissioner for Data Protection and Freedom of Information 5
In a letter dated November 24, 2017, heit stated that the plaintiff did not have the right
about the information required for the appointment as a company data protection officer.
technical reliability. Due to the incompatibility with the Office of the Operating
Chairman of the Council, the plaintiff is already not effective for operational data
protection officer has been appointed. The company has therefore had since then
June 1, 2015 no company data protection officer. The mother
The defendant's company was given the opportunity to comment until the 3rd January.
nuary 2018 with the note that a company data protection policy will be required after the deadline has expired.
a representative is appointed ex officio and the breach of duty, a
to appoint a data protection officer, with a fine of up to
50,000.00 euros could be punished.
The defendant and the other group companies based in Germany- 6
The takers then informed the plaintiff in separate letters dated December 1st
December 2017 announced that an effective appointment as a company data protection officer
The commissioner had not done so and now to avoid a fine
a suitable data protection officer is appointed. In the alternative, they each revoked
because in a letter dated December 1, 2017, the plaintiff was appointed as
protection officer with immediate effect. As a precaution, they called the plaintiff
ger after the General Data Protection Regulation comes into force with separate writing
ben of May 25, 2018 in accordance with Art. 38 Para. 3 Sentence 2 GDPR with reference to
operational reasons as data protection officer.
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 4 - - 4 - 9 AZR 383/19
The plaintiff was of the opinion that the defendant had him on the 7th
June 16, 2015 effective data protection officer for their operations in Germany.
provides. His dismissal by letters dated December 1, 2017 and dated
May 25, 2018 is not effective.
The plaintiff requested 8
1. determine that his legal status as a supervisor
The defendant is not responsible for data protection
The defendant's revocation of December 1, 2017 ended
has been det;
2. determine that his legal status as a supervisor
nor does it have any bearing on the defendant’s data protection
by the defendant's revocation of May 25, 2018
has been ended.
The defendant has requested dismissal of the action. She has lost her view- 9
due to an incompatibility with the office of works council chairman
The plaintiff is therefore not effectively the company's data protection officer
been ordered. In any case, the order is effective from December 1, 2017,
alternatively terminated on May 25, 2018. The office incompatibility represents a
an important reason within the meaning of Section 4f Paragraph 3 Sentence 4 BDSG old version or Section 38 Paragraph 2,
Section 6 Paragraph 4 Sentence 1 BDSG in conjunction with. § 626 BGB.
The Labour Court has upheld the complaint. The State Labor Court 10
rejected the defendant's appeal. The revision pursues this
Defendant continued her motion to dismiss. The Senate has the legal dispute
suspended by order of April 27, 2021 and referred to the Court of Justice of the European Union
European Union requests a preliminary ruling as to whether the regulation in Section 6 Paragraph 4
Sentence 1 BDSG, according to which the dismissal of a data protection officer
There is an important reason in the sense of. § 626 BGB requires, with Art. 38
Paragraph 3 Sentence 2 GDPR is in accordance and whether there is a conflict of interest within the meaning of. Article 38
Paragraph 6 Sentence 2 GDPR applies if the data protection officer also does so
Office of the chairman of the works council formed in the responsible office
(BAG April 27, 2021 - 9 AZR 383/19 (A) - BAGE 174, 358). With judgment dated
On February 9, 2023, the Court ruled on the request for a preliminary ruling
(ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden]).
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 5 - - 5 - 9 AZR 383/19
Reasons for the decision
The revision is justified. The State Labor Court has appealed 11
of the defendant against the judgment in favor of the action was wrongly rejected.
The plaintiff was effectively appointed as the defendant's data protection officer.
provides. However, the defendant received the order in a letter dated December 1st
Effectively revoked in 2017. The application to be interpreted as a false auxiliary application
The Senate therefore did not have to decide on 2.
I. Contrary to the opinion of the appeal, the defendant has the plaintiff at 12
Letter dated June 16, 2015 in the form required by Section 4f Paragraph 1 Sentence 1 BDSG old version
Form (see BAG July 27, 2017 - 2 AZR 812/16 - Rn. 19, BAGE 160, 1) for the commissioning
ordered for data protection. For the effectiveness of the plaintiff’s appointment
gers, it is irrelevant whether the office of the data protection officer is the same as the office of
works council chairperson is compatible. Therefore, this question that the country
desarbeitsgericht with reference to the judgment of the Federal Labor Court of
March 23, 2011 (- 10 AZR 562/09 -) has denied, remain open at this point.
1. The reliability of a data protection officer can be determined in 13
Questions arise when there is a risk of conflicts of interest. An overlap of inter-
food spheres, the reliability required by Section 4f Paragraph 2 Sentence 1 BDSG old version can
impair safety (BAG December 5, 2019 - 2 AZR 223/19 - Rn. 25 mwN,
BAGE 169, 59). Due to the lack of reliability of a representative for
person appointed for data protection in the sense of. However, Section 4f Paragraph 2 Sentence 1 BDSG old version follows
According to the old version of the BDSG, this does not mean that the order is invalid. This legal consequence is in
The law is not provided for and would also contradict its system because other
Otherwise, the revocation of the order provided for in Section 4f Paragraph 3 Sentence 4 BDSG old
as well as the right of the supervisory authority to request dismissal due to lack of confidence
To demand negligence (Section 38 Para. 5 Sentence 3 BDSG old version) is essentially in vain
(BAG December 5, 2019 - 2 AZR 223/19 - Rn. 26 with further references, ibid).
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 6 - - 6 - 9 AZR 383/19
2. Whether something different can apply in exceptional cases if the order is a 14
nes data protection officer in a particularly serious situation
and obvious errors (see BAG December 5, 2019 - 2 AZR 223/19 -
Rn. 27, BAGE 169, 59), no decision is required at this point. Such a
This is not the case here.
II. The revocation of the plaintiff's appointment as representative for the Da-15
The defendant's protection from December 1, 2017 is effective because this is the case
important reason iSv. § 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB
ben is. Contrary to the opinion of the State Labor Court, there is an unresolved
Resolvable conflict of interest if the data protection officer is also the company manager
is the chairman of the council of the responsible body. This makes it possible for the defendant to
It is reasonable to continue to employ the plaintiff as the company's data protection officer.
add.
1. The revocation of the appointment as data protection officer after 16
§ 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB requires the existence of offenses
things that allow the person responsible to do so, taking into account the circumstances
circumstances of the individual case as well as weighing up the interests of both contractual parties
partner make it unreasonable to use the person in question as a company data
protection officer only until the end of the normal notice period
continue to use.
a) Important reasons are particularly those that occurred at the age of 17
related to the function and activities of the data protection officer and
make it impossible or at least impossible to carry out this activity any further
significantly endanger, for example a betrayal of secrets or a permanent
Violation of control obligations as a data protection officer (BAG March 23
2011 - 10 AZR 562/09 - Rn. 15 mwN). An important reason for the revocation is
even if the person appointed as data protection officer
Employees have the required specialist knowledge or reliability. § 4f paragraph 2
Sentence 1 BDSG aF for the fulfillment of the task no longer has.
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 7 - - 7 - 9 AZR 383/19
b) An overlap of spheres of interests can occur as per BDSG aF 18
contradict the required reliability (BAG March 23, 2011 - 10 AZR
562/09 - paragraph 24; March 22, 1994 - 1 ABR 51/93 - to B IV of the reasons, BAGE 76,
184). Not every conflict of interest justifies the revocation of the order
of the data protection officer. A degree of independence is required
of the data protection officer.
aa) Since the law requires the appointment of a company data protection officer - 19
ten permitted, who is employed as an employee by the responsible employer
is, not every touch of the different tasks can affect the reliability
question. The company data protection officer is responsible for ensuring compliance with the
Data protection regulations at the person responsible and thus the working environment
of the employee employed there. He has to do that in the end
As a consequence, also subject yourself to a check. Appropriate
applies to the function of the company data protection officer, as this does not apply
to only perform monitoring but also advisory functions and therefore
to reflect on the results of his own consultation.
bb) According to the case law of the Court of Justice of the European Union on the 20th
GDPR must ensure that a data protection officer is independent
whether he is an employee of the person responsible
or not, carry out his duties and tasks in complete independence
can practice (cf. ECJ February 9, 2023 - C-560/21 - [KISA] Rn. 20; June 22, 2022
- C-534/20 - [Leistritz] para. 26 f.). Only if this functional independence of the
data protection officer is safeguarded, the effectiveness of the data protection
legal provisions can be guaranteed (cf. ECJ February 9, 2023
- C-560/21 - [KISA] para. 22; June 22, 2022 - C-534/20 - [Leistritz] para. 28).
cc) This standard for an important reason does not only apply from the age of 21
The amendment to data protection law made by the entry into force of the GDPR,
but was already valid according to the old version of the BDSG. According to the will of the legislature
the replacement of Section 4f Paragraph 3 Sentence 4 BDSG old version by Section 6 Paragraph 4 BDSG
The standard by which a relevant conflict of interests is to be assessed,
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 8 - - 8 - 9 AZR 383/19
left touched (BT-Drs. 18/11325 p. 82: “Paragraph 4 corresponds to the previous one
Regulation of § 4f paragraph 3 sentences 4 to 6 BDSG old version).
c) A reason for the revocation of the role of the data protection officer 22
This is usually the case when the employee is in the fulfillment of his duties
further tasks and obligations have an influence on data processing
in the responsible position. In such a case, the independent
Fulfillment of the duties of a data protection officer may be at risk.
aa) According to the case law of the Court of Justice on Article 38 Paragraph 6 Sentence 2 23
GDPR, the employee appointed as data protection officer may do so within
of the responsible body do not hold a position that requires a determination of
Purposes and means of processing personal data for counter purposes
has stood (cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden] Rn. 44, 46;
previously Art. 29 Data Protection Group WP 243 rev. 01 p. 19). The right of
responsible person, the appointment of the data protection officer in the event of a
To revoke the right to exercise influence on data processing preserves this
functional independence and thus guarantees the effectiveness of the data
protective regulations. Whether these conditions are met is
in individual cases, taking into account all relevant circumstances, in particular
the organizational structure of the person responsible and in the light of all applicable
Legal provisions, including any internal regulations of the responsible
(cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden]
Rn. 45 f.).
2. The plaintiff's office as works council chairman is then 24
further performance of his duties as data protection officer.
The legal tasks of both functions cannot be carried out without interests
exercise conflict with regard to data protection, which is covered by Section 4f Paragraph 2 Sentence 1
BDSG aF abolishes the assumed functional reliability. This justifies
the revocation of the appointment as data protection officer.
a) In accordance with Section 4g Paragraph 1 Sentence 1, the data protection officer has 25
BDSG aF on compliance with the BDSG aF and other regulations on the
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 9 - - 9 - 9 AZR 383/19
to promote data protection. In particular, he must ensure the proper
Use of data processing programs with the help of which personal data is collected
Data to be processed should be monitored as well as during processing
people take appropriate measures to collect personal data
the regulations of the BDSG and other regulations on data protection
and familiar with the respective special requirements of data protection
(§ 4g para. 1 sentence 4 BDSG old version). These tasks coincide in general
essentially with the tasks of the data protection officer under Art. 39 GDPR.
The data protection officer is then responsible for providing information and advice
of the person responsible or the processor and the employees who
the processing with regard to its obligations under the GDPR and other data
Implement the protection regulations of the Union or the Member States. He has the
Compliance with the GDPR, other Union data protection regulations and/or the
member states as well as strategies of the controller or the processor
ters for the protection of personal data including the allocation of
responsibilities, sensitization and training of those involved in the processing
to check the employees involved in the processes. He is also available for advice
- upon request - in connection with the data protection impact assessment and
responsible for monitoring its implementation in accordance with Art. 35 GDPR.
b) The duties of a data protection officer are the same as those of a data protection officer
Chairman of the works council with regard to data protection regulations does not
to agree. Whether there is already a difference between the works council mandate and the office of the
protection officer there is an incompatibility that leads to a revocation
If there is a conflict of interest justifying the appointment, the Senate does not have to
divorce. In any case, there is a functional incompatibility with the tasks of the
Chairman of the works council, who, within the scope of his legal duties,
ben not only participates in the decision of the committee, but the body
represents externally within the framework of the decisions taken.
aa) The works council, as a body, determines the purposes and means of processing 27
personal data. He decides by decision, under
under what specific circumstances he will disclose which personal data
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 10 - - 10 - 9 AZR 383/19
exercise the tasks assigned to him by the Works Constitution Act
collects it and how it then processes it.
(1) The Works Constitution Act grants the works council certain 28
social, personnel and economic matters participation and
Rights of participation that go beyond mere hearing or information (e.g. Section 80
Paragraph 2 Sentence 1, Section 102 Paragraph 1 BetrVG, Section 17 Paragraph 2 Sentence 1 KSchG) on the consultation
(e.g. Section 90 Paragraph 2 Sentence 1, Section 92 Paragraph 1 Sentence 2 BetrVG, Section 17 Paragraph 2 Sentence 2
KSchG) up to the right to refuse consent (§ 99 BetrVG) and
finally extend to the right of co-determination, in which the employer has the positive
Active consent of the works council is required (e.g. Sections 87, 94, 112 Para. 4 BetrVG). In
To fulfill these tasks, the works council processes personal data.
He receives this in particular when exercising his works constitution
legal participation and co-determination rights from the employer on the one hand
and on the other hand by employees themselves, for example during consultation hours
(§ 39 BetrVG), a complaint (§ 85 para. 1 BetrVG), the right to make proposals
of employees (§ 86a BetrVG), the exchange of opinions within the framework of employment
company or departmental meetings (§ 43 para. 3 sentence 1, § 45 BetrVG) or
hearing an employee affected by a personnel measure
mers (Section 102 Paragraph 2 Sentence 4 BetrVG, cf. Lembke FS Schmidt 2021 pp. 277, 282).
Furthermore, the works council can enter into works agreements with the employer
with direct and mandatory effect for the company's employees
close the company (Section 77 Para. 4 BetrVG). Also regulations in company agreements
ments, such as technical monitoring devices in the sense of. § 87 Paragraph 1 No. 6
BetrVG (see Lang NZA 2023, 269, 272 f.), the processing can be personal.
extracted data.
(2) The purposes of data processing by the works council are defined by Section 29
Allocation of tasks in the Works Constitution Act to their external framework
according to predetermined. The works council can therefore communicate protected data
not demand it independently of its legal duties. employees
Data may only be used for purposes that are in accordance with the Works Constitution Act.
expressly provides for this and is intended to fulfill the provisions of works constitution law
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 11 - - 11 - 9 AZR 383/19
tasks are required. In this specific case, however, the works council intervenes
Execution of its legal tasks under its own responsibility, which
which employee-related information is requested and how the data transmitted
should actually be processed. This opens up for him in terms of
the use of the data provides considerable scope for decision-making (cf.
Maschmann FS Schmidt 2021 pp. 353, 356; Schulz ZESAR 2019, 323, 325;
Kurzböck/Weinbeck BB 2020, 500, 501).
(a) According to Section 80 Paragraph 2 Sentence 1 BetrVG, the employer has the works council on the 30th
To carry out his tasks in a timely and comprehensive manner. Vo-
The basis for the works council's right to information is, on the one hand, that
there is actually a task for the works council, and on the other hand, that
the requested information is required to carry out the task in individual cases
is (BAG April 9, 2019 - 1 ABR 51/17 - Rn. 12, BAGE 166, 269). Mirror image
In principle, the employer is also only allowed to provide employee data to the works council
for necessary works council tasks. When passing on
When sending sensitive data to the works council, special protective measures must be taken.
fen. Due to the independence of the works council as a structural principle of the
However, the employer does not have the power to provide appropriate work conditions
and specific protective measures or to give instructions to the works council about this.
gave to make. Regardless of whether the works council is part of the responsible
chen point (e.g. Bonanni/Niklas ArbRB 2018, 371 f.; Pötters in Gola DS-GVO
2nd ed. Art. 88 Rn. 38; on the data protection legal situation according to the BDSG old version see BAG
February 7, 2012 - 1 ABR 46/10 - Rn. 43 mwN, BAGE 140, 350) or even responsibility
more literally (e.g. Kurzböck/Weinbeck BB 2018, 1652, 1655; Kleinebrink
DB 2018, 2566 f.; Maschmann NZA 2020, 1207, 1209 ff.; Wybitul NZA 2017,
413 f.), this specific obligation to protect applies to him (BAG April 9, 2019
- 1 ABR 51/17 - Rn. 47, ibid).
(b) It can be left open as to whether the data protection officer will be appointed under the 31st
BDSG aF supervisory and control powers also vis-à-vis the authority
management council had to exercise (see Kleinebrink DB 2018, 2566, 2570 f.; Lücke
NZA 2019, 658, 667), or whether this is countered by the independence of the works council.
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 12 - - 12 - 9 AZR 383/19
subject matter (so BAG November 11, 1997 - 1 ABR 21/97 - to B III 2 c and c bb of the
Reasons, BAGE 87, 64). In any case, according to the law at the time, it was his responsibility
version, data protection compliance at the request of the works council
Personal data transmitted by the employer - if necessary
more sensitive - to check employee data. When transmitting sensitive data
Accordingly, he had to monitor on his own behalf whether the protective
The works council's policy complies with data protection requirements and
Employer may transmit the data to the works council.
(3) Subject of the data supervisory and control authority 32
The protection officer is also responsible for compliance with data protection regulations.
requirements when implementing company agreements, for example Section 87 Paragraph 1
No. 6 BetrVG, which he himself helped to bring about.
bb) The works council also determines the means of processing personal data. 33
n-related data. This includes the technical methods of processing
personal data and the manner in which a result or goal is achieved
is achieved (Art. 29 Data Protection Group WP 169 p. 17).
(1) The means to be determined primarily concern the processing of the 34
Data. The works council decides on the technical aspects of the organizational
sation of its processes and decides whether it has concrete data in analogue form
or digital form stores which software he specifically uses
User rights he grants and what storage periods he sets (Brink/Joos
NZA 2019, 1395, 1397; Kurzböck/Weinbeck BB 2020, 500, 501; Schultz
ZESAR 2019, 323, 325).
(2) This does not conflict with the fact that the works council is involved in data processing. 35
material resources, in particular an IT and communications infrastructure,
sets that the employer made available to him in accordance with Section 40 Paragraph 2 BetrVG
has. Regardless of the fact that it is not possible to decide on the means of processing
It depends on which IT system - provided by the employer -
It is the responsibility of the works council to use systems or hardware for data processing
Check whether material resources are required to carry out works council tasks
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 13 - - 13 - 9 AZR 383/19
and must be made available by the employer to the works council. He has at
his decision merely reflects the interests of the workforce in an appropriate
right exercise of the works council office and legitimate interests of the employee
donor, even insofar as it is aimed at limiting the obligation to bear costs
must be weighed against each other (BAG April 20, 2016 - 7 ABR 50/14 - Rn. 16
mwN, BAGE 155, 54).
c) A data protection officer involved as works council chairman who is 36
its monitoring task in the area of tension between its functional interests
and tasks must be fulfilled, does not have the necessary qualifications to guarantee the
Independence required by legal data protection. As a representative for the
Data protection, the chairman of the works council is obliged to check whether the
the decision of the works council represented by him externally with the provisions
is in line with data protection requirements.
aa) In his function under works constitution law, he is primarily responsible for 37
never a works council member like the other committee members. He practices the law
The works council's legally assigned powers and duties neither as an agent
more powerful or as a legal representative in his place (Fitting BetrVG
31st edition § 26 Rn. 21 f.). According to Section 26 Paragraph 2 Sentence 1 BetrVG, the operating
Chairman of the works council within the framework of the resolutions made by it.
It must also be handed over to the works council for receipt
Declarations entitled (Section 26 Paragraph 2 Sentence 2 BetrVG). So he doesn't act as a
Representative in the will, but as a representative in the declaration (BAG February 8, 2022
- 1 AZR 233/21 - Rn. 27; March 19, 2003 - 7 ABR 15/02 - to II 2 b of the reasons,
BAGE 105, 311).
bb) This task-related communication from the works council chairman 38
represents the functional independence as a data protection officer and thus the
Ensuring data protection is in question. By the works council chairman
within the framework and on the basis of the decisions of the works council by the employer
Transfer of personal employee data is required and, if necessary,
if the protective measures are presented that the works council is entitled to maintain -
has decided on the interests of the affected employees, he also represents
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
- 14 - - 14 - 9 AZR 383/19
the interests of the works council. While simultaneously perceiving the radio
He would have to appoint a data protection officer in the same matter
- neutral and solely committed to data protection - check whether requests for information
chen and adopted protective measures in accordance with data protection regulations
sufficient, and may advise the employer on data protection law. The
the necessary guarantee of neutrality and distance from the information request
For structural reasons, it does not have any influence on the works council because, on the one hand
bound by the decision of the works council and, on the other hand, subject to the mandatory
is committed to data protection. This conflict of interest affects the functional
functional independence of the data protection officer and endangers the effectiveness
compliance with data protection regulations, so that the employer can be held responsible
entitled to cancel the order.
III. The person against the dismissal as data protection officer on May 25, 39
The Senate's second lawsuit filed in 2018 is not subject to decision.
This is a false auxiliary request in the event that the previous
senior revocation of the appointment of data protection officer from December 1st
should be deemed ineffective in 2017.
IV. As the losing party, the plaintiff has to bear 40 of the costs of the legal dispute
carry (Section 91 Paragraph 1 ZPO).
Kiel Suckow Zimmermann
Leitner Stang
ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
