Banner1.jpg

CJEU - C‑65/23 - K GmbH

From GDPRhub
CJEU - C‑65/23 K GmbH
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 88(1) GDPR
Article 88(2) GDPR
§ 26(4) BDSG
Decided: 19.12.2024
Parties: MK
K GmbH
Case Number/Name: C‑65/23 K GmbH
European Case Law Identifier: ECLI:EU:C:2024:105
Reference from: BAG (Germany)
8 AZR 209/21 (A)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: tjk


The CJEU held that national provisions in the context of employment adopted under Article 88 GDPR (e.g. collective agreements or works agreements) must assure compliance with the whole GDPR and not just Article 88(2) GDPR. Further, such agreements are subject to full judicial review.

English Summary

Facts

The data subject is employed by the controller, a company governed by German law. In 2017, the group of companies to which the controller belongs introduced a cloud-based new software as a personnel information management system. In that context, the controller transferred personal data of its employees from the to-be-replaced software to a server of the group’s parent company in the USA. The controller and its works council had concluded an agreement confirming acquiescence to the introduction of the new software, which limited the transfer of data to certain categories.

In that context, the data subject brought applications before the Labour Court (Arbeitsgericht Ulm - AG Ulm) and then before the Higher Labour Court (Landesarbeitsgericht - LAG Baden-Württemberg) for access to certain information, erasure of data concerning him, and compensation. Not fully satisfied in the course of these procedure, the data subject brought an appeal before the Federal Labour Court (Bundesarbeitsgericht - BAG), claiming that the transfer of his personal data to the parent company’s server was neither necessary for the purposes of the employment relationship (as the controller still used the to-be-replaced software) nor for the purpose of testing the new software, since the use of dummy data would have been sufficient. Additionally, the data subject claimed that, even if the works agreement confirming acquiescence could constitute a valid basis for that processing, the authorisation contained therein was exceeded, since the controller transmitted data other than those provided for.

The Federal Labour Court stayed the proceedings and referred the following questions to the CJEU:

  1. Is a national legal provision that has been adopted pursuant to Article 88(1) GDPR – such as Paragraph 26(4) of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) – and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) GDPR, to be interpreted as meaning that the other requirements of the GDPR must always also be complied with?
  2. If the answer to Question 1 is in the affirmative: May a national legal provision adopted pursuant to Article 88(1) GDPR – such as Paragraph 26(4) BDSG – be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5, Article 6(1), and Article 9(1) and (2) GDPR that is subject to only limited judicial review?
  3. If the answer to Question 2 is in the affirmative: In such a case, to what is the judicial review to be limited?

Holding

Regarding the first question

The court argued that while the wording is inconclusive Article 88(1) and (2) GDPR must be interpreted as meaning that, even where Member States introduce ‘more specific rules’, by law or by collective agreements, the other provisions must also be satisfied. Otherwise, Article 88 GDPR’s objective of protecting employees’ rights and freedoms in the context of data processing and the member state’s responsibility not to undermine the content and objectives of the GDPR stated in Recital 10 GDPR would be circumvented.

According to the court, this also follows from Article 88 GDPR’s context, as generally, the ‘Principles’ of Chapter II are of a general scope extending also to ‘specific … situations’, as clear especially from Article 6(2) and (3) GDPR. Therefore, Chapter II also applies to the ‘Provisions relating to specific processing situations’ in Chapter IX, which includes Article 88 GDPR.

Consequently, Article 88(1) and (2) GDPR must be interpreted as meaning that a provision of national law concerning the processing of personal data for the purposes of employment relationships must have the effect of requiring its addressees to comply not only with the requirements arising from Article 88(2) GDPR but also with those arising from Article 5, Article 6(1), and Article 9(1) and (2) GDPR.

Regarding the second question

The court argued that due to the primacy of EU law, if a court finds that national law does not comply with the GDPR, it must disregard those provisions. The same applies to the judicial review of collective agreements (to which the works agreement affirming acquiescence belongs, as clarified in Recital 155 GDPR). The parties to such an agreement have a margin of discretion when determining whether the processing of personal data is ‘necessary’, within the meaning of Article 5, Article 6(1), and Article 9(1) and (2) GDPR. However, as a collective agreement must not undermine the GDPR’s objective of ensuring a high protection of employees’ freedoms and fundamental rights Article 88(1) GDPR must be interpreted as not to prevent full judicial review by the national court where a collective agreement falls within the scope of that provision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!