(for further details, see Götz, Datenschutzverstöße des Betriebsrats, Dissertation 2021, Nomos).
With the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, one question in particular has become the focus of numerous discussions on labour law and data protection law:
The question of the legal consequences of data protection violations by the works council.
The fact that the question is not only of a theoretical nature is meanwhile shown by practical cases in which works council members are confronted with breaches of duty due to data protection violations.
The question is not only whether the works council itself or its members are liable. In particular, it is also a question of whether the employer may not be liable for data protection violations by the works council. Furthermore, the question may arise whether a data protection violation even constitutes a "gross breach of duty" on the part of the works council. This could then result in a claim for dissolution by the employer under section 23 (1) BetrVG. The introduction of section 79a sentence 2 BetrVG in June 2021 has not eased the situation.
This article is intended to provide an overview of the current discussion, concrete recommendations for action and advice.
2. the works council as the person responsible for data protection?
First of all, it is decisive whether the works council itself - in contrast to the previous legal situation - can be regarded as a "data protection officer" within the meaning of Art. 4 No. 7 GDPR. Only if the works council is to be classified as a data controller in this sense - at least as long as it operates within the scope of its competences under works constitution law - can it (or, if applicable, individual members) be affected by measures of the supervisory authorities under Article 58 of the GDPR, can it (or, if applicable, individual members) be considered as an addressee of penalty notices under Article 83 of the GDPR or can it (or, if applicable, individual members) be a party to claims for damages under Article 82 of the GDPR.
What do the courts say?
The ECJ, which is solely responsible for the interpretation of the GDPR, tends to interpret the term "controller" extensively in order to protect data subjects. In the "Jehovah's Witness"decision, the "Facebook" decisionand the "Google" decision, the ECJ has repeatedly clarified that the term "controller" must be interpreted broadly in order to ensure effective and comprehensive protection of data subjects.
Under the old legal situation (until 24 May 2018), the Federal Labour Court took the view that the works council was not itself a responsible body within the meaning of data protection law. The Federal Labour Court justified its view by stating that non-public bodies within the meaning of Section 2 (4) BDSG (old version) were only natural and legal persons, companies and associations of persons under private law. Works councils are not included in this list and thus do not qualify as a responsible body. The vast majority of the literature shared this view. With regard to the new legal situation and Art. 4 No. 7 of the GDPR, the Federal Labour Court (Bundesarbeitsgericht) stated No decision taken so far. The courts of instance have so far ruled differently. The Saxony-Anhalt Regional Labour Court considers the works council to be a "controller" within the meaning of Article 4(7 ) of the GDPR. In contrast, the Hesse Regional Labour Court has only classified the works council as part of the employer's responsible body.
What is the state of opinion in the literature?
The literature takes very different positions. Large parts reject - with different reasons - a separate responsibility of the works council according to Art. 4 No. 7 GDPR. The reason given is that the German legislator has not made use of the possibility to assign a data protection responsibility to the works council and therefore such a responsibility cannot be assumed. Furthermore, it is argued that the opposing view is difficult to reconcile with the systematics of the GDPR. Under the GDPR, a body can only be classified as responsible if it decides independently on the purposes and means of processing. Since the Works Council Constitution Act (BetrVG) sets very narrow limits for the works council in this regard, the works council cannot be the controller within the meaning of Article 4(7 ) of the GDPR.
In contrast, parts of the literature consider the works council to be the data controller within the meaning of Art. 4 No. 7 GDPR. The works council's lack of legal capacity does not speak against this interpretation, since the provision in question covers not only natural and legal persons, but also "other entities". The primary objective of the GDPR is to ensure a comprehensive level of protection, which can only be achieved with a broad interpretation of the term "controller". Furthermore, it always depends on who actually has the power to decide on the purpose and means of data processing and who actually carries out the processing. Only when formal legal considerations are disregarded can authorities quickly and efficiently identify the controller. This could lead to different controllers in different processing steps. Finally, the fact that the Federal Labour Court did not extend the sphere of influence of the company data protection officer to the works council indicated that the employer could not be held responsible in this respect either and that the works council itself had to be considered the controller.
The data protection authorities of the Länder have not yet taken a position on this and, moreover, have taken different positions. The data protection commissioner of Baden-Württemberg has clearly stated that the works council is responsible for data protection within the meaning of Art. 4 No. 7 of the GDPR.
No relaxation through section 79a sentence 2 BetrVG
The introduction of section 79a sentence 2 BetrVG has not alleviated the situation. The provision is intended to establish the employer's responsibility under data protection law - at least in the relationship between the employer and the works council. However, according to the correct view, the national legislator cannot determine responsibility in this way. This is because the term "controller" is defined by Article 4 No. 7 of the GDPR (Union law). In principle, the national legislator cannot deviate from these requirements. An exception exists only with regard to so-called opening clauses. However, according to the correct view, both Art. 4 No. 7 p. 2 GDPR and Art. 88 GD PR are unsuitable as opening clauses. It follows from this: If the works council is to be classified as a controller under Art. 4 No. 7 GDPR. Then the national legislator cannot nullify this.
3. liability of works council members
Responsibility under data protection law pursuant to Art. 4 No. 7 of the GDPR and liability for data protection violations under civil law and the law on fines must be considered separately from each other and must also be legally assessed separately. Liability under data protection law pursuant to Art. 4 No. 7 of the GDPR is only a prerequisite for the liability provisions of Art. 82 and Art. 83 of the GDPR. It does not play a role in the context of possible claims for damages under Section 823 (1) of the German Civil Code (BGB) and Section 823 (2) of the German Civil Code (BGB ) in conjunction with a protective law.
Is the works council committee liable?
Subjects of liability for data protection violations committed within the sphere of the works council may be the works council as a collective body, the individual works council member or the employer.
However, the works council committee is not a suitable subject for claims for damages under Article 82 of the GDPR, Section 823 (1) of the German Civil Code (BGB) and Section 823 (2) of the German Civil Code (BGB ) in conjunction with a protective law. It is also not a suitable addressee for penalty notices under Article 83 of the GDPR. In this respect, it lacks, among other things, its own assets.
Are individual works council members liable?
The individual works council members, on the other hand, are suitable subjects of liability. This applies to claims for damages under Article 82 of the GDPR and Section 823 (1) of the German Civil Code (BGB), Section 823 (2 ) of the German Civil Code (BGB ) in conjunction with a protective law, as well as to penalty notices under Article 83 of the GDPR. Special features also apply here in the case of committee decisions (works council resolutions pursuant to section 33 BetrVG). Liability of the individual works council cannot be considered if it voted against a resolution that brought about the data protection violation, abstained or did not even participate in the meeting. When voting in favour of a resolution that violates data protection, the individual works council member is liable regardless of whether the vote was close or clear. This applies insofar as the event in general and not only under particularly peculiar, improbable circumstances to be disregarded in the ordinary course of events was likely to bring about a success of the kind in question. This is generally to be assumed in the case of works council resolutions which directly constitute a violation of data protection law. Individual works council members are not liable for data protection violations committed by other works council members or due to omissions. The limitation of liability claims against works council members must be rejected.
4. liability of the employer
If the works council alone violates data protection provisions without any action on the part of the employer, then initially the employer does not fulfil the respective elements of the offence for all provisions on damages and fines(Art. 82, 83 DS-GVO, Sec. 823 para. 1, Sec. 823 para. 2 BGB in conjunction with a protective law).
In the case of Art. 82, 83 of the GDPR, the employer is already not to be regarded as the data protection controller pursuant to Art. 4 No. 7 of the GDPR. Even if the employer were to be regarded as the data protection officer via section 79a sentence 2 of the BetrVG, there is in any case no reproachable conduct on its part.
The employer's reproachable conduct is also not present in the case of claims under section 823 (1) BGB and section 823 (2) BGB in conjunction with a protective law. In the absence of a suitable basis for a claim, the employer's liability for data protection violations by the works council must therefore be ruled out. At most, questions of attribution can still arise here.
However, the fact that the employer cannot exert any legal or factual influence on the works council to prevent or remedy data protection violations must also mean that the employer is not liable. This is clearly illustrated by the example of a possible remedial order pursuant to Art. 58(2)(d) GDPR issued by a supervisory authority against the employer in the event of a data protection breach by the works council. Here, the employer cannot remedy the situation because it cannot successfully influence the works council. The employer has no rights to issue instructions to the works council or even to enforce them with regard to compliance with data protection law - not even under section 79a sentence 3 BetrVG. Therefore, the employer can neither instruct the works council to act in a data protection compliant manner nor prevent data protection violations by the works council.
5. recommendations for practice
Pending a decision by the ECJ, the provisions of section 79a sentence 2 of the Works Council Constitution Act (BetrVG ) should be followed. In practice, there is no point in considering the works council as the responsible party.
What should be considered in company agreements?
When concluding company agreements, the following should be observed: If the works agreement is not needed as a legal basis for the processing of personal data, then no regulations on data protection should be included. Experience shows that this not only makes negotiation more difficult, but also implementation. For example, an IT works agreement on the introduction of a software tool should deal solely with potential co-determination rights (usually section 87 (1) no. 6 BetrVG).