CJEU rules that national derogations on employees' data protection must respect the conditions and limits of Article 88 GDPR

The case (Case C-34/21) before the CJEU concerned two measures that the Minister for Education and Culture of the Land Hessen, Germany, implemented during the Covid-19 pandemic to allow pupils to attend lessons via live video stream from the classroom. The videoconference system for streaming the classes required the consent of the pupils (or their parents), but not of the teachers. The Minister for Education and Culture argued that Section 23 of the Data Protection and Freedom of Information Act of the German State of Hessen (HDSIG) authorised the personal data processing involved in the live streaming and made teachers’ consent unnecessary. 

The Administrative Court of Wiesbaden referred the case to the CJEU to interpret Article 88 GDPR and determine whether a national rule that clearly does not meet the conditions set out in Article 88(2) can still be used as a basis for the processing.

Article 88 GDPR allows EU member states to provide, by law or by collective agreements, “more specific rules to ensure the protection of the rights and freedoms” of employees in relation to the processing of their personal data in the context of employment. Article 88(2) GDPR provides that such “more specific rules” must include suitable and specific measures to safeguard the data subject interests. The CJEU ruled that national legislation that fails to meet these requirements cannot qualify as “more specific rules” for processing in an employment context and therefore must be disregarded. 

The CJEU examined the GDPR provisions, German law and its own precedents and explained that to comply with Article 88 GDPR, the national law must satisfy the following criteria:

• it must have a normative content specific to the area regulated, which is different from the general rules of the GDPR;
• its objective must be to protect the rights and freedoms of employees regarding the processing of their personal data in an employment context; and
• it must contain suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights (and in particular regarding the transparency of processing, intragroup data transfers and monitoring systems in the work place).

It is for the referring court to determine whether the specific provisions of the national legislation meet the criteria under Article 88 GDPR. However, that legislation could still be a legal basis for processing under Article 6(1)(c) or (e) – legal obligation or public interest – if it complies with the requirements of Article 6(3) GDPR. The CJEU also noted that EU member states should consider the overall objectives of the GDPR, including harmonising national data protection law, when adopting legislative measures under Article 88 GDPR. 

The CJEU did not address the issue of whether teachers' consent for videoconferencing was needed in this case, but it examined the definition of “employee” under EU law in detail, especially because it was argued that civil servants' employment relationship was not based on an employment contract. The CJEU interpreted this term broadly, emphasising that the relevant factor for the GDPR was the subordination relationship between the employee and the employer, not the type or nature of the legal relationship that linked them.

The CJEU decision might give rise to inconsistencies with other German rules on employee data processing with the GDPR. On 3 April 2023, the Hamburg supervisory authority (the Hamburg DPA) issued a statement on this issue. It expects the CJEU decision to affect many employee data processing activities, as similar provisions apply to employee data in the private sector under federal law (e.g. Section 26 BDSG). 

The Hamburg DPA expects the Conference of German data protection authorities (DSK) to issue common guidance about this case. In the meantime, it recommends that companies do not suspend or terminate employee data processing based on these rules, but consider, on a case-by-case basis, other possible legal grounds for processing employee data, such as an employment contract (Article 6(1)(b) GDPR) or a legal obligation (Article 6(1)(c) GDPR). Companies may also need to update certain documents (such as data protection notices, records of processing activities and consent forms) to reflect the change of legal basis for processing employee data.

Read the CJEU decision here, the summary of the decision here and the press release of the Hamburg DPA here (in German only).