Some time ago, the European Union issued regulations to combat terrorism (Regulation (EC) No. 2580/2001 and Regulation (EC) No. 881/2002) (hereinafter also: regulations). These regulations prohibit, among other things, all companies operating in the European Union from maintaining business contacts with certain persons and from making financial resources available to them. Accordingly, no remuneration may be paid to employees who are on the terror lists (ban on making funds available). A violation of these requirements can be punished with imprisonment or fines. At first glance, therefore, it seems advisable to simply comply with the requirements. Unfortunately, so-called terror list screening is not unproblematic in terms of data protection law. The following article, part of the series "Short Articles", is intended to provide a brief legal overview and concrete recommendations for action.
1. What is the threat to companies if terror list screening is not carried out?
Merely not carrying out a screening is not critical in itself; there is no legal obligation to do so. It only becomes problematic if, for example, a person on the lists (also: sanction lists) is paid remuneration, which can be the consequence of a screening that was not carried out. The regulations each refer to national provisions on penalties and fines. Violation of the provisions of the regulations may result in criminal or regulatory consequences (sections 17, 18, 19 AWG; sections 130, 30 OWiG): according to the Foreign Trade and Payments Act (AWG), an intentional violation of the ban on making funds available is punishable by imprisonment of three months to five years; in the case of negligent action, fines of up to EUR 500,000.00 are threatened. Those particularly affected are the executives responsible for the payment as well as the organs authorised to represent the company. In addition, if the necessary supervisory measures are not taken, fines may be imposed on company owners, executive bodies authorised to represent the company, board members, managing directors and shareholders authorised to represent the company, cf. sections 130, 30 OWiG.
2. Requirements of the GDPR
There should be no doubt that employers are fundamentally entitled to carry out employee screenings, because companies face serious disadvantages (fines, penalties, etc.) if they do not comply with the requirements.
Exercise of legitimate interests according to Art. 6 para. 1 lit. f) GDPR?
Art. 6 para. 1 lit. f) GDPR can be considered as a suitable legal basis for screening by companies. The legitimate interest of the employer in these cases is the avoidance of disadvantages or sanctions, since these threaten, as explained above, if no screening is carried out and remuneration is consequently paid to persons who are on the sanction lists. The employees concerned must have been informed accordingly in accordance with Art. 13 GDPR before the screening is carried out. The screening may also be carried out by a service provider within the framework of commissioned data processing.
Uncertainty due to supervisory authorities?
Since no obligation to screen employees arises from the above-mentioned regulations themselves, the permissibility of such screenings remains controversial. The supervisory authorities criticise such employee data matches in some cases. However, they are also considered permissible under data protection law, especially in view of customs practice (cf. 32nd Activity Report of the LfDI BW 2014/2015, p. 146 f.). On balance, the better arguments speak for the admissibility of employee screenings under data protection law. Nevertheless, companies are well advised to comply with the general data protection requirements (information, purpose limitation, data minimisation, storage limitation, etc.).
3. Labour law dimension
Ineffectiveness of the employment contract
Contestation or termination by the employer?
4. Recommendations for action
In compliance with the general data protection requirements, companies should conduct employee screenings before entering into an employment contract and also during an ongoing employment relationship.
In the event of a positive match, employers should:
- Do not employ / no longer employ the employee,
- Stop all payments,
- As a precaution, challenge or terminate the employment contract,
- Check whether any remuneration already paid can be reclaimed.