For international privacy professionals, navigating the landscape of EU data protection means understanding not only the General Data Protection Regulation (GDPR) but also the specific national laws enacted under its "opening clauses." One of the most significant of these is Germany's approach to employee data, codified in Section 26 of the Federal Data Protection Act (§ 26 BDSG). This provision creates a distinct and often stricter compliance framework than the GDPR baseline.
This article provides a detailed analysis of § 26 BDSG, designed for privacy experts who need to grasp the specific criteria, legal tests, and practical implications of processing employee data in Germany.
Article 88 of the GDPR allows EU Member States to enact "more specific rules" for the processing of personal data in the employment context. Germany has made use of this clause, essentially transplanting its pre-GDPR principles of employee data protection into the new legal framework. Consequently, § 26 BDSG does not merely repeat the GDPR; it creates a detailed and self-contained legal regime that takes precedence over the GDPR's general provisions like Article 6(1)(f) (legitimate interests) when processing data for employment purposes.
The cornerstone of § 26 BDSG is the principle of necessity (Erforderlichkeit). Data processing is only lawful if it is necessary for one of three specified stages of the employment lifecycle:
Initiating the employment relationship (recruitment).
Performing the employment relationship.
Terminating the employment relationship.
Unlike a simple check, the German concept of "necessity" involves a rigorous, multi-layered proportionality test derived from constitutional law, similar to the balancing-of-interests test under Art. 6(1)(f) GDPR. Any data processing measure must pass all three of the following hurdles:
Suitability (Geeignetheit): The measure must be capable of achieving a legitimate, pre-defined employment purpose.
Necessity in the Narrow Sense (Erforderlichkeit im engeren Sinne): The measure must be the least intrusive means available to achieve the purpose. If a less invasive alternative exists that would achieve the objective equally well, it must be chosen.
Appropriateness (Angemessenheit): This involves a comprehensive balancing of interests between the employer's objectives (e.g., property rights, business continuity, compliance) and the employee's fundamental right to privacy and informational self-determination.
A crucial element in the appropriateness test is the German "Sphere Theory" (Sphärentheorie), which categorizes information based on its sensitivity:
The Intimate Sphere (Intimsphäre): This includes thoughts, health secrets, and sexuality. Intrusion into this sphere is almost always prohibited.
The Private Sphere (Privatsphäre): This covers family life, hobbies, and activities outside of work. Intrusion requires a very strong justification.
The Social Sphere (Sozialsphäre): This pertains to an individual's professional and public life. Processing data within this sphere is most likely to be justifiable.
Example: An employer suspects an employee of faking illness. Placing a hidden camera in the employee's home would be a massive violation of the intimate and private spheres and therefore unlawful. However, analyzing publicly available data from the company's access control system to check attendance patterns falls within the social sphere and is much more likely to be deemed proportionate.
During the hiring process, "necessity" is defined by the employer's right to ask questions (Fragerecht). The employer may only process data that is directly relevant to assessing the candidate's suitability for the specific role.
Key Criteria:
Job Relevance is Paramount: Data processing must be strictly limited to what is needed to determine if the candidate can perform the job.
Data Minimization: Collect only the data you truly need for the hiring decision.
Examples:
Permissible:
Asking an applicant for a truck driver position for their driver's license and accident history.
Requesting a criminal background check for a candidate applying for a senior accounting role with access to company funds, but only for relevant offenses like fraud or embezzlement.
Reviewing a candidate's public portfolio or publications listed on their professional networking profile (e.g., LinkedIn, Xing).
Impermissible:
Asking any candidate about their family planning, sexual orientation, or religious beliefs.
Requesting a blanket criminal background check for a junior marketing assistant with no financial responsibilities.
Screening a candidate's private social media profiles (e.g., Facebook, Instagram) to assess their lifestyle or personal opinions.
Practical Tip: Applicant data may be retained after a rejection only for as long as necessary to defend against potential discrimination claims under Germany's General Equal Treatment Act (AGG). This period is typically interpreted as three to six months. Storing data in a "talent pool" for future opportunities requires the candidate's explicit consent.
Performing the employment relationship is the broadest category, covering day-to-day operations.
While employers are permitted to monitor performance, German law is highly protective of employees against excessive surveillance.
Key Criteria:
No General, Constant Surveillance: Any monitoring must be justified by a specific purpose and cannot create a situation of constant "surveillance pressure" (Überwachungsdruck).
Transparency: Covert monitoring is only permissible under the extremely strict conditions for crime detection (see below). In all other cases, employees must be informed about the nature, scope, and purpose of any monitoring.
Examples:
Permissible:
Using software to track sales figures and customer interactions for a sales team, provided the system is transparent and not used to micromanage every minute of the day.
Implementing an automated time-tracking system for recording working hours.
Conducting random, announced bag checks at the exit of a retail store to prevent theft, based on a clear policy or works agreement.
Impermissible:
Installing a keylogger on an employee's computer to record every keystroke. This is considered a form of total surveillance and was ruled unlawful by the Federal Labour Court.
Using GPS to track a field service employee's movements 24/7, including outside of working hours. Tracking must be limited to work hours and justified by specific needs (e.g., dispatching or safety).
Constant, uninterrupted video surveillance of an employee's workspace.
Monitoring of company email and internet use is a major compliance trap. The legal status of such monitoring depends entirely on the company's policy regarding private use.
Policy: Strictly Prohibited Private Use: If private use of company email and internet is clearly prohibited and this rule is enforced, the employer may generally inspect these systems for business purposes, as they are considered company property. However, the principle of proportionality still applies.
Policy: Private Use Permitted (or Tolerated): This creates a highly complex legal situation. The employer may be considered a public telecommunications provider under the German Telecommunications Act (TKG), making any inspection of content a potential violation of the fundamental right to telecommunications secrecy.
Practical Tip: The safest and most recommended approach is to implement a formal policy that completely prohibits private use of company communication systems. If this is not feasible, a works agreement that precisely defines the terms of any monitoring is essential. Alternatively, private use of the company's IT systems can be made conditional on the employee giving data protection consent, allowing the company to treat private use in the same way as business use of its IT systems (e.g. with regard to monitoring).
A separate provision within § 26 BDSG provides a stricter legal basis for processing data to investigate suspected crimes. It is a narrow exception for repressive, not preventive, measures.
Strict Preconditions:
Factual, Documented Suspicion: There must be concrete, documented evidence pointing to a specific employee or group of employees committing a criminal act. A general "hunch" or anonymous, unsubstantiated tip is insufficient.
Proportionality and Last Resort: The investigative measure (e.g., reviewing emails, covert video surveillance) must be proportionate to the suspected crime. It must also be the ultima ratio, i.e. the last resort after all less intrusive means of investigation have been exhausted.
No Overriding Employee Interest: The employee's interest in privacy must be weighed against the employer's interest in the investigation.
Example: An audit reveals that specific financial transactions have been falsified, and system logs show that only one employee had the access rights and was logged in at the time the changes were made. This constitutes a factual suspicion. The company could then, as a last resort, justifiably review that employee's business emails from the relevant period for further evidence. In contrast, reviewing the emails of an entire department based on a rumor of "disloyalty" would be unlawful.
While the GDPR is generally skeptical of consent in the employment context due to the power imbalance, § 26 BDSG provides a specific, albeit narrow, path for its use.
Key Criteria for Valid Consent:
True Voluntariness: Consent is only voluntary if the employee has a genuine choice without facing any detriment for refusal.
Legal or Economic Advantage: Voluntariness is presumed if the data processing provides a clear benefit to the employee (e.g., using a company car for private trips, which requires processing location and usage data).
Aligned Interests: Voluntariness can also exist if employer and employee share a common goal (e.g., consent to GPS tracking for a lone worker's safety).
Written Form Requirement: Crucially, § 26 BDSG requires that employee consent must be given in written or electronic form. This is a stricter formal requirement than the GDPR's general flexibility. Verbal consent is not sufficient.
Informed and Specific: The employee must be informed in text form about the purpose of the processing and their right to withdraw consent at any time.
Example: An employer wants to feature an employee in a marketing brochure. They cannot simply demand this. They must ask for written consent, explaining exactly how the photo will be used and that refusal will have no negative consequences for their employment.
For privacy professionals accustomed to frameworks where company policy is dictated solely by management, the German system of co-determination can be a paradigm shift. It is arguably the most critical and uniquely German aspect of employee data protection, and understanding it is non-negotiable for successful compliance. A Works Agreement (Betriebsvereinbarung) is not merely a policy document; it is a powerful legal instrument that can legitimize data processing activities that would otherwise be difficult or impossible to justify.
In any German company with typically five or more permanent employees, the workforce can elect a Works Council (Betriebsrat). This body is not a trade union, but an independent entity representing the interests of the employees of that specific company. Its rights and obligations are enshrined in the Works Constitution Act (Betriebsverfassungsgesetz, BetrVG).
The Works Council's power stems from its co-determination rights (Mitbestimmungsrechte). This is not a right to be consulted or informed; it is a right to jointly decide with management on an equal footing. In specified areas, the employer cannot act unilaterally. If the two parties cannot agree, the matter is settled by a binding decision from an arbitration committee (Einigungsstelle).
The most potent of these rights in the context of data protection is § 87(1) No. 6 of the BetrVG. This provision grants the Works Council a co-determination right in:
"the introduction and application of technical facilities designed to monitor the behavior or performance of the employees."
The threshold for what constitutes a "technical facility" is extremely low in the eyes of German labor courts. It is not limited to overt monitoring tools like cameras or keyloggers. The mere potential for a system to generate data that could be used to monitor employees is sufficient to trigger this right.
Practical Examples of Systems Triggering Co-Determination:
Human Resources Information Systems (HRIS): Systems like Workday, SAP SuccessFactors, or Personio that process performance reviews, salary data, and absence records.
Customer Relationship Management (CRM) Systems: Tools like Salesforce that track sales activities, call logs, and customer interaction times.
Access Control Systems: Electronic keycard systems that log entry and exit times.
Modern Collaboration Suites: Even tools like Microsoft 365 can fall under this provision due to features like Productivity Score or other analytics that can provide insights into employee activity.
Fleet Management Systems: GPS tracking in company vehicles.
Internal Ticketing Systems: Helpdesk or project management software that tracks ticket resolution times and workloads.
Essentially, almost any modern software implemented in a corporate environment will trigger the Works Council's co-determination right. The employer cannot legally roll out such a system without the Works Council's agreement.
This is where the Works Agreement becomes a central tool for data protection compliance. As the formal outcome of successful co-determination negotiations, a Works Agreement is a legally binding contract between the employer and the Works Council. Its provisions apply directly and mandatorily to all employees covered by its scope, much like a local law within the company.
Section 26(4) BDSG, in conjunction with Article 88 GDPR, explicitly recognizes a Works Agreement as a valid legal basis for processing employee personal data. This has profound practical advantages:
Replaces Individual Consent: For large-scale processing, obtaining and managing valid, individual consent from every employee is an administrative nightmare and legally precarious due to the high bar for voluntariness. A Works Agreement provides a single, collective, and robust legal basis for the entire covered workforce.
Provides Legal Certainty: A well-drafted agreement provides a clear, transparent, and legally defensible framework for the data processing activity, significantly reducing compliance risks.
Enhances Legitimacy and Trust: Because the agreement is negotiated with and approved by the employees' own elected representatives, it fosters greater trust and acceptance of the system among the workforce.
A comprehensive Works Agreement for a new IT system goes far beyond a simple approval. It is a detailed data protection rulebook tailored to a specific processing activity. International privacy professionals should expect negotiations to cover the following points in minute detail:
Preamble and Scope (Geltungsbereich): Clearly defines which employees, company locations, and specific IT systems or modules are covered by the agreement.
Purpose Specification (Zweckbindung): This is the core of the agreement. It must exhaustively list every legitimate purpose for which the data will be processed. Crucially, it should also explicitly state for which purposes the data may not be used. For example, "Data from the access control system may be used for security purposes and to verify time recording, but not for general performance analysis."
Data Categories (Datenkategorien): A precise list of all personal data fields to be processed in the system. This serves as a key tool for enforcing data minimization. The Works Council will often challenge the necessity of collecting certain data points.
Access Rights and Role Concept (Berechtigungskonzept): A detailed matrix defining which roles (e.g., HR Business Partner, Line Manager, System Administrator) can access which data categories, and with what rights (read, write, delete). This operationalizes the "need-to-know" principle.
Performance and Conduct Monitoring (Leistungs- und Verhaltenskontrolle): This section directly addresses the § 87(1) No. 6 trigger. It will specify what forms of reporting and analysis are permissible and which are prohibited. For instance, it might allow for aggregated, anonymized reports for management but prohibit reports that rank individual employees.
Data Retention and Deletion Concepts (Löschkonzept): Specifies precise retention periods for different data categories, linking them to legal obligations or business needs. This creates a legally binding deletion schedule for the system.
International Data Transfers (Datenübermittlung): For global systems, this section is vital. It will stipulate the conditions for transferring data outside the EU/EEA, often requiring the implementation of Standard Contractual Clauses (SCCs) and referencing the outcomes of any required Transfer Impact Assessments (TIAs).
Employee Rights (Betroffenenrechte): Lays out the process for employees to exercise their rights of access, rectification, and erasure, often defining specific contact points and response timelines.
Information and Training: May include obligations for the employer to inform employees about the system and provide adequate training.
Rights of the Works Council: Includes provisions for the Works Council to audit the system's compliance with the agreement, often with the help of an independent expert.
Whether a Works Agreement may deviate from the GDPR is a subject of ongoing legal debate, but a dominant and cautious consensus has emerged. While Article 88 GDPR allows for "more specific rules," a Works Agreement cannot lower the fundamental level of protection afforded by the GDPR. It cannot, for instance, abolish the right of access, permit processing without a valid purpose, or allow indefinite data retention.
Instead, the power of a Works Agreement lies in its ability to specify, concretize, and operationalize the principles of the GDPR within the specific context of the company.
Example:
GDPR Principle: Data should be kept no longer than is necessary for the purposes for which it is processed (Article 5(1)(e)). This is abstract.
Works Agreement Specification: "Application data from unsuccessful candidates for non-management positions will be deleted automatically from the HRIS six months after the date of rejection." This creates a specific, necessary, and legally binding rule.
Engage Early and Always: For any project involving new software or processes affecting employees in Germany, the Works Council must be a primary stakeholder engaged at the project's inception, not as a final checkpoint.
Factor in Time: Negotiations can be complex and time-consuming, lasting several months. This must be built into international project timelines. A global rollout plan that doesn't account for this will fail in Germany.
Collaborate, Don't Dictate: Approach negotiations as a partnership to find a mutually acceptable, compliant solution. A confrontational approach is likely to lead to delays, arbitration, and a poor outcome. The Works Council's goal is to protect employees, which aligns with the principles of the GDPR.
Invest in Framework Agreements: For companies that frequently introduce new tools, negotiating a Framework Works Agreement (Rahmenbetriebsvereinbarung) that sets out general data protection principles can streamline the process for subsequent, more specific agreements.
In conclusion, the Works Agreement is not a bureaucratic hurdle but the central mechanism for achieving legitimate and sustainable employee data processing in Germany. For international privacy professionals, mastering the dynamics of co-determination is as crucial as understanding the text of the GDPR itself.
Beyond GDPR fines, a critical consequence of unlawful data processing in Germany is the potential for a prohibition on the use of evidence (Beweisverwertungsverbot) in court.
If an employer dismisses an employee based on evidence obtained in violation of § 26 BDSG (e.g., from an illegal covert camera), a German labour court may rule that the evidence is inadmissible. The court will balance the severity of the privacy violation against the employer's interest in presenting the evidence. A severe violation can lead to the evidence being excluded, which often results in the employer losing the case, even if the employee was factually at fault. This principle, often summarized as "Datenschutz ist kein Tatenschutz" (Data protection is not perpetrator protection), means that while privacy rights are strong, they do not automatically shield a guilty party. The outcome depends on a case-by-case balancing act.
§ 26 BDSG is King: For employment-related data processing in Germany, § 26 BDSG is the primary legal basis, not the general provisions of GDPR Article 6.
Master the "Necessity" Test: Every processing activity must be rigorously justified through the three-step test of suitability, necessity, and appropriateness, with special attention to the employee's personality rights.
Beware of Monitoring: Germany has a very low tolerance for employee surveillance. Transparency is paramount, and any monitoring must be minimal and purpose-driven.
Handle Consent with Extreme Care: Relying on consent is risky. If you do, ensure it meets the high bar for voluntariness and, critically, the written form requirement.
Engage the Works Council: If a Works Council exists, it is your most important partner and stakeholder. Works Agreements are a powerful and often necessary tool for creating a legal basis for data processing.
Understand the Consequences: The risk of evidence being deemed inadmissible in court is a significant and uniquely powerful deterrent against data protection violations in Germany.