Works councils process a lot of personal data, and often sensitive data, in the course of their work. In this context, of course, the requirements of data protection law must be observed. The crucial question for the works council, the works council members and the employer is determining who is legally responsible and ultimately liable. Section 79 a Works Council Act (BetrVG) now contains wording in this regard. However, the problems remain the same and should be addressed and solved. Learn more in this article.
1. The Starting Point
With the Works Council Modernisation Act (Betriebsrätemodernisierungsgesetz), the legislator created the provision in Section 79 a BetrVG stipulating the following
- the works council must comply with data protection law,
- the employer is data controller for the activities of the works council within the scope of the works council’s competence,
- the employer and works council should support each other in data protection matters, and
- the data protection officer is bound to secrecy vis-à-vis the employer insofar as the works council’s opinion-forming process is concerned.
Section 79 a BetrVG also implicitly states that
- the employer is not responsible if the works council is active outside its competence, and
- the data protection officer is responsible for data protection at the works council.
However, crucial questions and problems for the parties involved (works council, works council members and employer) remain unresolved by section 79 a BetrVG, namely:
- Who is liable in case of data protection violations by the works council?
- Who is responsible if the works council processes personal data outside its competence?
- How does the employer fulfil (documentation) obligations, data subjects’ rights and other obligations for processes in the works council’s sphere of responsibility?
Read for yourself, the wording of Section 79 a BetrVG:
When processing personal data, the works council must comply with the regulations on data protection. If the works council processes personal data in order to fulfil its responsibilities, the employer is the data controller in accordance with data protection law. The employer and the works council shall support each other in complying with the provisions of data protection law. The data protection officer shall be bound to secrecy vis-à-vis the employer with regard to information that allows conclusions to be drawn about the works council’s opinion-forming process. Sections 6 (5) (2), 38 (2) of the Federal Data Protection Act (BDSG) also apply with regard to the relationship of the data protection officer to the employer.
2. The Problems: Liability
GDPR creates a drastic sanctions regime in order to effectively enforce data protection law. Data protection law should no longer be a toothless tiger. Thus, data protection supervisory authorities can impose fines of EUR 20 million and more per violation and affected parties can claim material and immaterial damages.
The addressee of fines and the liable party for claims for damages is the data controller. Based on Section 79 a BetrVG the employer. This is unsatisfying for the employer because he bears responsibility for processes from the sphere of the works council, which he can only influence to a very limited extent due to the works council’s independence. The employer therefore has a clear interest in fulfilling duties of care and creating the conditions to defend itself against corresponding sanctions or claims.
Section 79 a BetrVG provides an approach to this by limiting the employer’s responsibility to activities within the competence of the works council. Hence, if the works council exceeds its competence, the employer could rely on this fact in order to exclude his own responsibility. The other approach is the delegation of responsibility and the fulfilment of duties of care. Insofar as the employer defines a framework of duties of conduct in dealing with IT and personal data without violating the works council’s rights under works constitution law, and the data protection breach occurred in violation of these provisions, the employer’s responsibility is likely to be excluded and thus also liability.
3. The Problems: Works Council Acting Outside its Competence
If the works council acts outside its competence, liability of the employer is excluded pursuant to section 79 a Sentence 2 BetrVG. The works council as a body and its members individually or as a group then become the focus of the liability threat. The same is likely to apply if the employer has permissibly defined the framework conditions for IT use and the works council violates them.
In such cases, liability of the works council as a body is precluded by the fact that it has no legal personality and is by law not able to posess financial assets. According to the case law of the Federal Labour Court (Bundesarbeitsgericht – BAG) and the Federal Supreme Court (Bundesgerichtshof – BGH), however, personal liability of works council members individually or as a group is possible, namely if they act outside the works council’s competence on the basis of their own decision or a works council decision. However, whether and in which cases works council members are liable for data protection violations under data protection law is still largely unclear in case law.
The interest of works council members must therefore be to clarify and observe the framework of their duties in order to avoid legal uncertainty.
4. The Problems: Data Protection Compliance for Works Council Procedures
The employer’s responsibility under data protection law gives rise to numerous obligations, such as the obligation to keep a register of processing activities pursuant to Article 30 GDPR or the obligation to provide information pursuant to Article 15 GDPR in the event of corresponding requests from data subjects. In many cases, the employer cannot fulfil these and other obligations for the activities of the works council on his own. For example, the provision of complete and correct information to data subjects with regard to works council procedures is only possible if the works council supports the employer in doing so. It is possible that the employer could claim a duty to cooperate on the part of the works council. However, this is likely to be a rough road in the event of conflict. It must therefore be in the employer’s interest to clarify mutual rights and obligations within the data protection organisation.
6. Solution in Sight?
Despite the supposedly clarifying provision of section 79a BetrVG, the crucial issue of the works council’s responsibility under data protection law has still not been resolved. The parties involved (works council, works council members and employer) must be concerned to create clear competences and responsibilities here in order to fulfil their duties efficiently, to meet their own responsibilities and finally to be able to prevent liability.
The parties can resolve some aspects on their own and without the other party. For example, the works council can organise itself internally through its rules of procedure. The employer, as the works council’s IT infrastructure provider, can determine the framework conditions for IT use on a factual and with limited grounds on a legal basis.
However, many issues can only be jointly regulated and resolved within the framework of mutual support. This clearly speaks in favour of concluding a works agreement on data protection with the works council. This allows for the definition of spheres of responsibility, the specification of duties and the establishment of processes to solve problems that Section 79 a BetrVG has not solved.