(for further details see Götz, data protection violations by the works council, dissertation 2021, Nomos)

1. INTRODUCTION

With the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, one question in particular has become the focus of numerous labor law and data protection discussions:

The question of the legal consequences of data protection violations by the works council.

The fact that the question is not only of a theoretical nature is now shown by the practical cases in which works council members are confronted with breaches of duty due to data protection violations.

It is not just a question of whether the works council itself or its members are liable. In particular, it is also a question of whether the employer may even have to be held responsible for data protection violations by the works council. Furthermore, the question may arise as to whether a “gross breach of duty“ of the works council is available. This could then result in a claim for termination by the employer Section 23 Paragraph 1 BetrVG entail. The introduction of the § 79a sentence 2 BetrVG in June 2021 did not provide any relaxation here.

This article is intended to provide an overview of the current discussion and concrete recommendations for action and advice.

2. THE WORKS COUNCIL AS RESPONSIBLE FOR DATA PROTECTION?

The first decisive factor is whether the works council itself – in contrast to the previous legal situation – is considered a “person responsible for data protection“ iSd Art. 4 No. 7 GDPR can be viewed. Only if the works council is classified as responsible in this sense - at least as long as it moves within its scope of competence under the works constitution - can it (or individual members, if applicable) be subject to measures by the supervisory authorities Art. 58 GDPR meet, he (or individual members, if applicable) may be the recipient of fine notices Art. 83 GDPR into consideration or can he (or, if applicable, individual members) respond to claims for damages Art. 82 GDPR.

Whether the works council itself is responsible according to Art. 4 No. 7 GDPR can still be - even after the introduction of the § 79a sentence 2 BetrVG – subject of controversy.

What do the courts say?

The ECJ, which is solely responsible for interpreting the GDPR, tends to interpret the term responsible party extensively for reasons of protecting those affected. The ECJ stated in the “Jehovah's Witnesses decision", the "Facebook decision" and the "Google decision“It has been made clear several times that the term “responsible party” should be interpreted broadly in order to ensure effective and comprehensive protection of the persons affected.

Regarding the old legal situation (until May 24.05.2018, 2), the Federal Labor Court took the view that the works council was not itself a responsible body within the meaning of data protection law. The Federal Labor Court based its opinion on the fact that non-public bodies within the meaning of Section 4 Paragraph XNUMX BDSG old are only natural and legal persons, companies and associations of persons under private law. Works councils are not included in this list and therefore do not qualify as responsible bodies. The vast majority of the literature shared this view. About the new legal situation and Art. 4 No. 7 GDPR the Federal Labor Court has no decision has been made yet. The lower courts have so far ruled differently. The Saxony-Anhalt State Labor Court sees the works council as “Responsible person“ iSd Art. 4 Para. 7 GDPR at. In contrast, the Hesse State Labor Court classified the works council as only part of the employer's responsible body.

What is the state of opinion in literature?

Very different positions are taken in the literature. Large parts reject - with different reasons - the works council's own responsibility Art. 4 No. 7 GDPR away. The reason given is that the German legislature has not made use of the possibility of assigning data protection responsibility to the works council and that such responsibility cannot therefore be assumed. It is also argued that the opposing view is difficult to reconcile with the system of the GDPR. Under the GDPR, a body can only be classified as responsible if it decides independently on the purposes and means of processing. However, since the BetrVG sets very strict limits on the works council in this regard, the works council cannot be responsible within the meaning of Art. 4 No. 7 GDPR .

In contrast, parts of the literature see the works council as responsible Art. 4 No. 7 GDPR at. The lack of legal capacity of the works council does not speak against this result of interpretation, since the provision in question not only covers natural and legal persons, but also "other places“. The primary goal of the GDPR is to ensure a comprehensive level of protection, which can only be achieved with a broad interpretation of the term responsible. Furthermore, it always depends on who actually has the power to decide on the purpose and means of data processing and who actually carries out the processing. Authorities can only quickly and efficiently identify the person responsible if formal legal considerations are not taken into account. This could lead to different controllers in different processing steps. Finally, the fact that the BAG does not extend the sphere of influence of the company data protection officer to the works council indicates that the employer cannot be held responsible in this respect and that the works council itself must therefore be considered responsible.

The state data protection authorities have not yet taken a position on this and have taken different positions. The state data protection officer of Baden-Württemberg has clearly decided that the works council should be responsible under data protection law in the sense of Art. 4 No. 7 GDPR pronounced.

No relaxation through Section 79a Sentence 2 BetrVG

The introduction of the § 79a sentence 2 BetrVG did not defuse the situation. The regulation is intended to stipulate the employer's data protection responsibility - at least in the relationship between the employer and the works council. However, according to the correct view, the national legislature cannot determine responsibility in this way. Because the concept of the responsible person is through Art. 4 No. 7 GDPR (Union law). In principle, the national legislature cannot deviate from these requirements. There is only an exception with regard to so-called opening clauses. However, according to the correct view, both Art. 4 No. 7 S. 2 GDPR as well as most Art. 88 GDPR unsuitable as opening clauses. It follows from this: The works council is following Art. 4 No. 7 GDPR to be classified as responsible. Then the national legislature cannot override this.  

3. LIABILITY OF WORKS COUNCIL MEMBERS

Responsibility under data protection law Art. 4 No. 7 GDPR and civil and fine liability for data protection violations must generally be viewed separately from one another and also assessed separately legally. Responsibility under data protection law Art. 4 No. 7 GDPR is only for the liability standards Art 82 and Art. 83 GDPR a prerequisite for the offense. As part of possible claims for damages § 823 Para. 1 BGB and § 823 Para. 2 BGB i. In view of a protective law it plays no role.  

Is the works council liable?

The works council as a collective body, the individual works council member or the employer can be considered as liable subjects for data protection violations that are committed within the sphere of the works council.

However, the works council is not a suitable subject for claims for damages Art. 82 GDPR, § 823 Para. 1 BGB and § 823 Para. 2 BGB i. V. m. a protection law. It is also not a suitable addressee for fine notices Art. 83 GDPR. In this respect, among other things, there is a lack of own assets.

Are individual works council members liable?

The individual works council members, on the other hand, are suitable liability subjects. This applies to both claims for damages Art. 82 GDPR and § 823 Para. 1 BGB, § 823 Para. 2 BGB i. V. m. according to a protection law as well as for fine notices Art. 83 GDPR. Special features also apply here to committee decisions (works council resolutions). § 33 BetrVG). Liability of the individual works council cannot be considered if it voted against a resolution that caused the data protection violation, abstained or did not even take part in the meeting. When voting for a decision that violates data protection, the individual works council member is liable, regardless of whether the voting decision is close or clear. This applies to the extent that the event was likely to bring about a success of the kind in question in general and not only under particularly strange, unlikely circumstances that cannot be taken into account in the normal course of things. This can generally be assumed in the case of works council resolutions that directly constitute a violation of data protection law. Individual works council members are not liable for data protection violations by other works council members or due to omissions. The restriction of liability claims against works council members must be rejected.

4. LIABILITY OF THE EMPLOYER

If the works council alone violates data protection regulations without any action on the part of the employer, then all compensation and fine regulations are initially missing (Art 82, 83 GDPR, § 823 paragraph 1, § 823 paragraph 2 BGB i. V. m. a protective law) the fulfillment of the respective elements of the offense by the employer.

In the case of Art 82, 83 GDPR The employer is already not considered the person responsible for data protection Art. 4 No. 7 GDPR to watch. Even if you over § 79a sentence 2 BetrVG If the employer sees the employer as the person responsible for data protection, there is in any case no reproachable behavior on his part.

The employer's reprehensible behavior is excluded from the claims § 823 Para. 1 BGB and § 823 Para. 2 BGB i. There is also no protection law. In the absence of a suitable basis for a claim, the employer must therefore be excluded from liability for data protection violations by the works council. Questions about attribution may arise here.

But the fact that the employer cannot exercise any legal or factual influence on the works council to prevent or remedy data protection violations also means that the employer must be exempt from liability. This becomes clear using the example of a possible remedial order Art. 58 Paragraph 2 Letter d) GDPR, which a supervisory authority issues to the employer in the event of a data protection violation by the works council. The employer cannot help here because he cannot successfully influence the works council. With regard to compliance with data protection regulations, the employer has no instructions or even enforcement rights towards the works council - not even after § 79a sentence 3 BetrVG. It can therefore neither instruct the works council to behave in accordance with data protection nor prevent its actions that violate data protection.

 5. RECOMMENDATIONS FOR PRACTICE

Until the ECJ makes a decision, the requirements of the § 79a sentence 2 BetrVG be followed. In operational practice, there is no point in viewing the works council as the person responsible.

What needs to be taken into account in company agreements?

When concluding company agreements, the following should be taken into account: If the company agreement is not required as a legal basis for the processing of personal data, then no data protection regulations should be included. Experience has shown that this not only makes negotiation but also implementation more difficult. For example, an IT company agreement for the introduction of a software tool should only contain potential co-determination rights (usually Section 87 Paragraph 1 No. 6 BetrVG) treat.