Germany: New draft bill for an "Employee Data Act" ("Beschäftigtendatengesetz")

30 Oct 2024    9 minute read
EC Featured Content DT Featured Content

In brief

On 8 October 2024, the Federal Ministry of Labour and Social Affairs (Bundesministerium für Arbeit und Soziales - BMAS) and the Federal Ministry of the Interior and Community (Bundesministerium des Innern und für Heimat - BMI) published a draft bill to strengthen employees' data privacy rights and to provide more legal certainty for employers and employees in the digital world of work ("Employee Data Act" (Beschäftigtendantenschutzgesetz – BeschDG),("BeschDG-E").

The primary reason for the draft is the fact that there is no specific data protection legislation applicable to the employment relationship in Germany, as well as a recent decision by the European Court of Justice (ECJ) dated 30 March 2023, which questioned the lawfulness of existing provisions on employee data protection.

Contents

What has applied so far?

To date , there has been no specific employment data protection legislation in Germany and the general provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz -BDSG) have applied. There have been several attempts to introduce such a specific law in the past, but without success. In 2010, for example, the then German government's attempt to introduce a corresponding law on employee data protection failed and the German Trade Union Confederation's (Deutscher Gewerkschaftsbund - DGB) draft Employee Data Protection Act of 2022 was also unsuccessful. It is not surprising that the current German government is again working on implementing specific legislation on employee data protection given its commitment to do so in its 2021 coalition agreement "in order to achieve legal clarity for employers and employees and to effectively protect privacy rights".

Ultimately, however, the ECJ decision dated 30 March 2023 (which we covered in our EMEA HR Privacy Newsletter (International: EMEA - HR Privacy Newsletter - Baker McKenzie InsightPlus) was probably the key reason for this draft bill. When considering a provision in the Data Protection and Information Act of the Federal State of Hessen the ECJ decided that the conditions that permitted derogation from the GDPR (set out in Article 88) were not met. As the legislation in Hessen broadly mirrors the provisions of the BDSG that deal with protection of employee personal data (Section 26, BDSG) the ECJ decision suggests that the provisions of the federal legislation are also inapplicable. Data processing can only be lawful where it complies with the legal bases set out in Art. 6 GDPR.

Overview: What does the new draft bill on an Employee Data Act say?

As a "more specific" provision within the meaning of Art. 88 GDPR, the BeschDG-E is intended to clarify the general data protection requirements of Art. 6 GDPR and codify employee data protection, which is currently largely based on case law, into a dedicated statute.

Specified requirements for data processing in the employment relationship: As is currently the case, under the BeschDG-E data processing must be necessary for a specific purpose, for example, to enter into or perform the employment relationship, or to safeguard a legitimate business interest (Sec. 3 BeschDG-E). The aspects to be taken into account when weighing up interests are listed in Sec. 4 BeschDG-E by way of example. Excluded are everyday routine processing activities (such as payroll), which would generally be considered permissible (Sec. 3 para. 4 BeschDG-E).

Extended right to information: At the request of the employee, the employer will also be required to inform the employee of the key considerations of the assessment in a comprehensible manner.

Further specification by works agreements: "More specific" rules will also apply to works agreements (Sec. 7 BeschDG-E). The government clarifies that works agreements are not a legal basis for data processing and that company partners cannot deviate from the level of protection set by BeschDG-E to the detriment of employees.

Data protection for breaches of duty?: In a departure from existing principles, employee data processed in violation of data protection law may no longer be used in dismissal protection proceedings in the future (Sec. 11 BeschDG-E). The only exception applies to obvious discrepancies, for example intentional criminal offences, however, not a mere breach of contract by the employee. Furthermore, contrary to the case law of the Federal Labor Court, it will also be possible to agree in works agreements that data processed contrary to data protection law or a works agreement cannot be used in litigation.

Co-determination regarding data protection officers: In future, the works council will have a right of co-determination in the appointment and dismissal of the data protection officer (Sec. 12 BeschDG-E). This right will even extend to the works council having a say in the basic decision as to whether an internal or external data protection officer is appointed.

Artificial intelligence: In future, special rules will also apply to the use of AI in HR. Employers will not only be required to provide information about the use of AI, but employees will also have the right to request information from employers regarding how the AI system works (Sec. 10 BeschDG-E).

Processing of data on protected characteristics in accordance with the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz - AGG): Particularly noteworthy is Sec. 15 BeschDG-E, according to which the processing of personal data on certain characteristics that are protected from discrimination under Sec. 1 AGG (for example, disability)is permitted even before the employment relationship is established, insofar as this is necessary to prevent or compensate for disadvantages within the meaning of Sec. 5 AGG by means of suitable and appropriate measures. Previously, the processing of personal data was only possible on the basis of Art. 6 GDPR and Sec. 26 BDSG. One requirement was that processing served the purpose of determining eligibility or fulfilling a legal obligation. Sec. 15 BeschDG-E therefore creates a specific legal basis that provides an additional justification for data processing. However, processing is only permitted if the job candidate has voluntarily disclosed the data.

Codification of Recruiting: With regard to data processing in the application process, the law explicitly regulates what employers may and may not ask in the job interview (Sec. 14 BeschDG-E). The draft essentially takes into consideration the case law of the Federal Labor Court on the employer's right to ask questions. It also contains special requirements for examinations and tests as part of the application process (Sec. 16 BeschDG-E) as well as more precise requirements for the deletion of employee data that was collected before an employment relationship was entered into (Sec. 17 BeschDG-E).

Employee Monitoring: In future, the monitoring of employees will only be permitted within narrow limits, as is already the case under current case law. After introducing a general provision in Sec. 18 BeschDG-E, which deals with the - narrow - possibility of monitoring employees, the BeschDG-E distinguishes between the cases of "Not only short-term monitoring measures" (Sec. 19), "Covert monitoring" (Sec. 20), "Video monitoring" (Sec. 21) and the processing of employee data by "Tracking" (Sec. 22). It is interesting to note that e.g. Sec. 20 BeschDG-E, allows the use of detectives by the employer as a last resort in the event of suspected criminal offences or serious breaches of duty.

Profiling: Specific requirements will also apply to profiling in the future. Profiling is usually used to assist with decision making and essentially refers to the automated processing of data in order to analyze or predict certain personality traits, behavioral patterns or interests of employees. According to the BeschDG-E, this should only be possible within very narrow limits and only if the employer informs the persons concerned in detail (Sec. 25, 26 BeschDG-E). The obligation to inform should clearly exceed those obligations that already apply under the GDPR. In contrast to previous data protection law, the employer should also be obliged, at the request of employees, to explain decisions based on profiling and, if necessary, to review them (Sec. 27 BeschDG-E).

Data processing within a group: Sec. 30 BeschDG-E, which permits disclosure of employee data within a group of undertakings in certain circumstances is an amendment that is likely to be very relevant in practice. This had long been demanded by case law and legal scholars because the GDPR only referenced privileges for data processing within groups in its recitals (so-called "small group privilege") and not the operative provisions. The now proposed group privilege should be useful for groups as it addresses issues that are relevant in practice, such as matrix organizations, centralized group-internal administrative tasks or group-wide uniform administrative processes.

Authentication and Company Integration Management: Finally, the BeschDG-E also contains special provisions for the special processing situations of "data processing for authorization and authentication purposes" (Sec. 28) as well as for company integration management (Betriebliches Eingliederungsmanagement - BEM) (Sec. 29).

What would its implementation mean in practice?

The current version of the BeschDG-E contains both light and shade. On the one hand, the draft provides clarity for employers as to when data processing of employee data is or may be permitted in certain situations. Parts of the BeschDG-E are also interesting for employers, in which the BMAS and BMI indicate in the draft bill that they consider the processing of employee data to be permissible (under certain conditions). From this, employers could already draw conclusions to a limited extent about the current legal situation under the - often unclear - regulations on employee data protection.

However, the processing of employee data is likely to result in a significant increase in administrative effort. A similar administrative burden is to be expected regarding the various information obligations. Furthermore, the BeschDG-E would likely increase the influence of works councils. The introduction of a prohibition on using evidence of data processed in breach of data protection law or collective agreements is likely to make it considerably more difficult for employers to defend themselves, particularly in unfair dismissal proceedings.

What happens next?

The draft bill is currently being voted on by the cabinet. It is expected that an initial draft bill will be passed this year and that the parliamentary legislative process will be completed in the first half of next year. The plan is for the BeschDG to come into force as early as mid-2025, with the existing regulations continuing to apply until then. Even if the draft would certainly bring legal certainty for data processing in the employment relationship in some areas, recent feedback in practice has been predominantly negative. It can also be assumed that there will be extensive political discussions and that the draft will not be adopted in the current form.

In any case, employers are well advised to monitor further developments.

* * * * *

We would like to thank the following for their contributions to this legal update:

  • Dr. Benjamin Durst, Associate, Frankfurt
  • Isabell Marie Guntermann B.Sc., Associate, Berlin
  • Dr. Maurice Heine, Associate, Berlin
  • Jan Kammler, Associate, Frankfurt
  • Dr. Silvia Kristin Karmann, Associate, Munich
  • Franziska Klippstein, LL.M., Associate, Munich
  • Dr. Sebastian F. Pfrang, Associate, Frankfurt
  • Dr. Philipp Schlotthauer, Associate, Munich
  • Dr. Adrian Schürgers, LL.M., Associate, Berlin

Click here to read the German version.

Contact Information
Felix Diehl
Partner at BakerMcKenzie
Frankfurt
Read my Bio
felix.diehl@bakermckenzie.com
Matthias Köhler
Partner at BakerMcKenzie
Berlin
Read my Bio
matthias.koehler@bakermckenzie.com
Christian Koops
Partner at BakerMcKenzie
Munich
Read my Bio
christian.koops@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.