Wherever personal data is processed in the company, the respective controller must comply with data protection regulations. Violations of data protection regulations can result in high fines. As a rule, this fine is imposed on the employer in the event of a breach. However, in the case of processing by the works council, the works council can also Controller under data protection law be?
To what extent does the works council process data?
In companies that have a works council (co-determined companies), the majority of disposals are made via the works council. personal data to this. The works council must be involved when new employees are hired. It receives all application documents (§ 99 I BetrVG). The works council is also informed about reasons for dismissal, long-term incapacity to work and pregnancies. In addition, the works council can inspect non-anonymized wage and salary lists (§ 80 II 2 BetrVG). This means that not only personal databut even those of the special category (Art. 9 GDPR) are processed by the works council.
Where are data processing and accountability regulated?
In principle, the GDPR any data processing in Europe. The GDPR contains an opening clause for data processing in the employment context (Art. 88 GDPR). This means that national regulations are possible in this area. The German legislator has therefore created Art. 26 BDSG. However, this does not contain any regulation on whether the works council can be the controller. The Definition of the term "responsible person lies entirely with the GDPR. In summary, it can be said that the controller is the person who personal data actually processed and decides on the purposes and means of processing (Art. 4 No. 7 GDPR).
Can the works council be the responsible party?
That the works council personal data is obvious, as already stated.
In addition, the controller would also have to decide on the means and purposes of processing. This step comes before the actual processing. After all, the Processing of personal data lawful only for predefined purposes (Art. 5 Ib GDPR). In the same way, a controller decides on the means of processing, i.e. primarily on technical methods.
A works council decides on the Processing of personal data not only whether or for what purpose he takes note of them (purpose), but also how or what then happens to these data (means). From this point of view, he can be seen as the controller.
Labor law criticism
Criticism of this view is voiced above all by labor law experts. They emphasize that the Works Council Act (BetrVG) places tight limits on the works council's ability to decide whether and how to process data. Thus, it cannot decide freely and cannot be the person responsible.
The consequence of this view would be that all data processing operations of the works council would have to be attributed to the employer. However, the works council processes the data within the framework set by the BetrVG precisely for itself and not for the employer. The employer has no say in the works council's decisions on whether and how to process the data. The restrictions imposed by the BetrVG do not change this situation.
Problem legal capacity
In addition, the view that affirms liability is countered by the fact that liability as a responsible person contradicts the activity in the works council as an unpaid honorary office. The works council itself has no liability and the members should not have to be personally liable because of their honorary office. No effective compensation for damages could be demanded.
In the view of the ECJ, however, the legal capacity of the person responsible does not play a role. Accordingly, the responsibility is to be interpreted broadly as the one who is capable of making decisions. Accordingly, it must be examined to whom this action is attributable, i.e. in whose interest the processing takes place. According to the ECJ, the works council in the form of its members can therefore be considered the controller if they decide independently. It is therefore neither a processor (Art. 28 III GDPR) nor a subordinate person (Art. 29 GDPR).
Consequences for the Works Council
As the responsible party, the works council is thus subject to the obligations under data protection law. According to case law, these are also reasonable for the works council. The works council is also the addressee for data subject rights.
If the works council does not fulfill these obligations, it may be subject to investigative measures (Art. 58 I GDPR), remedial measures (Art. 58 II GDPR) and, as a last resort, fines (Art. 83 GDPR against the individual member) in the event of a correspondingly high level of infringement. In principle, the employer is not liable alongside the works council in the event of violations.
You would like advice on the subject of Data protection in the company? Our team of experts will be happy to help you!
Deutsch 
English 
Español 
Français 
Polski