Wherever personal data is processed in a company, the person responsible must comply with data protection regulations. Violations of data protection regulations can result in heavy fines. As a rule, this fine is imposed on the employer in the event of a violation. But can the works council also be the data protection controller in the event of processing by the works council?
To what extent does the works council process data?
In companies that have a works council (co-determined companies), the majority of the disposal of personal data falls to the works council. The works council must be involved when new employees are hired. Here it receives all application documents (§ 99 I BetrVG). In the same way, the works council is informed about reasons for dismissal, prolonged incapacity for work and pregnancies. In addition, the works council can inspect non-anonymized wage and salary lists (§ 80 II 2 BetrVG). Thus, not only personal data, but even special category data (Art. 9 DSGVO) is processed by the works council.
Where are data processing and accountability regulated?
In principle, the GDPR regulates all data processing in Europe. For data processing in the employment context, the GDPR contains an opening clause (Art. 88 GDPR). This means that national regulations are possible in this area. The German legislator has therefore created Art. 26 BDSG. However, this does not contain any regulation on whether the works council can be the controller. The Definition of the term "responsible person is entirely up to the GDPR. In summary, the controller is the person who actually processes personal data and decides on the purposes and means of the processing (Art. 4 No. 7 GDPR).
Can the works council be the responsible party?
That the works council processes personal data is obvious, as already stated.
In addition, as the controller, he would also have to decide on the means and purposes of the processing. This step is mentally prior to the actual processing. After all, the processing of personal data is only lawful for predetermined purposes (Art. 5 Ib GDPR). In the same way, a controller decides on the means of processing, i.e. primarily on technical methods.
When processing personal data, a works council decides not only whether or for what purpose it takes note of it (purpose), but also how or what then happens to this data (means). From this point of view, he can be seen as the controller.
Labor law criticism
Criticism of this view is voiced above all by labor law experts. They emphasize that the Works Council Act (BetrVG) places tight limits on the works council's ability to decide whether and how to process data. Thus, it cannot decide freely and cannot be the person responsible.
The consequence of this view would be that all data processing operations of the works council would have to be attributed to the employer. However, the works council processes the data within the framework set by the BetrVG precisely for itself and not for the employer. The employer has no say in the works council's decisions on whether and how to process the data. The restrictions imposed by the BetrVG do not change this situation.
Problem legal capacity
In addition, the view that affirms liability is countered by the fact that liability as a responsible person contradicts the activity in the works council as an unpaid honorary office. The works council itself has no liability and the members should not have to be personally liable because of their honorary office. No effective compensation for damages could be demanded.
In the view of the ECJ, however, the legal capacity of the person responsible does not play a role. Accordingly, the responsibility is to be interpreted broadly as the one who is capable of making decisions. Accordingly, it must be examined to whom this action is attributable, i.e. in whose interest the processing takes place. According to the ECJ, the works council in the form of its members can therefore be considered the controller if they decide independently. It is therefore neither a processor (Art. 28 III GDPR) nor a subordinate person (Art. 29 GDPR).
Consequences for the Works Council
As the responsible party, the works council is thus subject to the obligations under data protection law. According to case law, these are also reasonable for the works council. The works council is also the addressee for data subject rights.
If the works council does not fulfill these obligations, it may be subject to investigative measures (Art. 58 I GDPR), remedial measures (Art. 58 II GDPR) and, as a last resort, fines (Art. 83 GDPR against the individual member) in the event of a correspondingly high level of infringement. In principle, the employer is not liable alongside the works council in the event of violations.
Would you like advice on data protection in your company? Our team of experts will be happy to help you!