Data protection is also an important issue in works council elections: Section 79a German Works Constitution Act (Betriebs-verfassungsgesetz – “BetrVG”) requires the works council to comply with the provisions of data protection law when processing personal data, but designates the employer as the controller under data protection law and, hence, as the liable party. However, how can an employer monitor the works council, if at all, in order not to become liable?
The works council comes into contact with a large amount of personal data as part of its work (for example, in connection with rights to information, the hiring or transfer of employees or a reconciliation of interests agreement). Before Section 79a German Works Constitution Act came into force on 18 June 2021, there were no specific provisions regarding compliance with data protection law by the works council. According to the rulings of the German Federal Labour Court (Bundesarbeitsgericht – “BAG”), it was an established fact that the works council must take into account data protection requirements at least within certain limits. By contrast, it was a matter of dispute whether the works council is liable as an independent controller according to Article 4(7) GDPR or whether it is a dependent part of the controlling employer. This has now been clarified by the German legislator; the second sentence of Section 79a German Works Constitution Act reads as follows:
“Insofar as the works council processes personal data in order to carry out the tasks for which it is responsible, the employer is the controller for the processing of the data within the meaning of data protection law.”
This clarification is to be welcomed, at first glance. However, it raises questions in view of the introductory sentence of the new clause, which reads as follows:
“When processing personal data, the works council has to comply with data protection law.”
Pursuant to Article 4(7) GDPR, the German legislator may determine by law who is the controller, in certain cases. The only problem is that the German legislator has not adhered to the systematics of the GDPR as far as the further provisions of data protection law are concerned, but has instead divided the duties between employer and works council. Even if one disregards the question of whether such a division can be validly made at all from a European law perspective, this division leads to practical problems, in particular because the employer is ultimately liable for compliance.
The German Works Constitution Act has complicated the relationship between works council and employer by choosing a middle path and distinguishing between control under the GDPR and obligation within the meaning of the GDPR. The employer is the controller under data protection law and must, therefore, ensure that the requirements under the GDPR are complied with. The employer can only do so, however, if it can give instructions to the works council with regard to data protection law and monitor the way in which the works council implements these obligations. The works council is autonomous, though, according to the structural principle of the works constitution, which means that it is not required to take instructions from the employer.
Nothing different results from Section 79a sentence 3 German Works Constitution Act, which requires the works council and the employer to support each other. This requirement does not define whether and to what extent the employer has monitoring rights under data protection law. This is because the German legislator wanted to maintain the works council’s autonomy also in the area of data protection law, and that the employer continues to be prohibited from giving instructions to the works council with regard to data protection. The overall responsibility in data protection matters remains, however, with the employer.
The reference to the data protection officer in Section 79a sentence 4 German Works Constitution Act does not help the employer, either: the data protection officer is obliged to maintain confidentiality vis-à-vis the employer with regard to information that allows conclusions to be drawn about the works council’s opinion-forming process. If the data protection officer becomes aware of a violation in connection with that opinion-forming process, it may not inform the employer about this violation. The fact that the data protection officer is not required to follow instructions and his or her independence might definitely make it more difficult for the employer to act in conformity with the law in such situations.
Unfortunately, Section 79a German Works Constitution Act does not provide for a possible way for the employer to justify itself or be released from liability. Even though the employer has no control over how the works council organises the protection of data, the undertaking is nevertheless liable for any misconduct of the works council under data protection law. In particular, the employer is unable to plead insufficient performance of the duty to provide support because insufficient performance of that duty does not change the fact that the employer is responsible. The situation created by Section 79a German Works Constitution Act thus constitutes an uncontrollable liability trap for the employer. The entire system set out in Section 79a German Works Constitution Act breaches the civil-law principle that everyone is only liable within the scope of his or her own fault and is, therefore, very problematic from a legal doctrine perspective. As a result of the inadequate statutory provisions, employers are ultimately forced to tolerate data breaches and then, if necessary, bring proceedings in accordance with Section 23 German Works Constitution Act.
Section 79a German Works Constitution Act is, frankly speaking, superfluous for the reasons set out above – it simply does not help anybody. There are no provisions that deal with the decisive question of how to handle such liability in practice, or possible means of control. The employer is unable to mitigate the above-described systematic liability. In our opinion, the only option available to the employer is to establish binding rules together with the works council regarding compliance with data protection requirements. Where there are indications that the works council is careless in its work from a data protection perspective, the employer should always examine very carefully what information has to be disclosed to the works council for the performance of the works council’s duties and what information need not be disclosed. This is because the works council will have to ensure the protection of personal data in particular within the scope of the general rights to information under Section 80 (2) German Works Constitution Act.