01-14-2025 | Article

Update Data Protection No. 198

Company agreements as a legal basis for data processing

On December 19, 2024, the Court of Justice of the European Union (CJEU) ruled on the data protection requirements for company agreements (collective agreements between the works council and the employer; judgment of December 19, 2024, C-65/23). Below, we summarize the key points of the judgment and explain the data protection requirements for company agreements.

Background

The ECJ judgment relates to a legal dispute between an employee (MK) and his employer (K GmbH). The employee sued for damages due to the unlawful processing of his personal data by K GmbH. The data processing was carried out on the basis of a company agreement that concerned the introduction of new personnel information management software and the transfer of personal data to the server of the parent company in the USA for testing purposes. The employee considered the data transfer to be a violation of his rights and a breach of the GDPR.

Key principles of the ECJ's decision

  1. Legal basis: Company agreements can provide a specific legal basis for the processing of personal data in the employment context. However, they must meet the requirements of the GDPR and must not circumvent the general data protection rules (see below).
  2. Compatibility with the GDPR: The ECJ clarified that national legislation or collective agreements based on Art. 88 (1) GDPR must fulfill not only the requirements of Art. 88 (2) GDPR, but also the general provisions of the GDPR, in particular Art. 5, Art. 6 (1) and Art. 9 (1) and (2) GDPR. This means that company agreements used as a legal basis for the processing of personal data in the employment context must always be in line with the principles of the GDPR.
  3. Necessity of data processing: According to the ECJ, the parties to a company agreement have a certain leeway in assessing the necessity of data processing. The processing of personal data must be adequate, relevant and limited to what is necessary. Company agreements must therefore ensure that only the data necessary for the respective purpose is processed. Data processing that does not comply with the GDPR cannot be justified by relying on a “company agreement” as a legal basis.
  4. Comprehensive judicial control: The ECJ emphasizes that judicial control must not be restricted. National courts are obliged to verify compliance with all conditions and limits of the GDPR, even if data processing is based on a collective agreement. Judicial control also fully encompasses the necessity considerations.

Conclusion

The ECJ ruling is not surprising. The GDPR is intended to fully harmonize data protection in the EU, and “downward” deviations in the level of protection are meant to be excluded. With this decision, the court once again clarifies the high requirements that company agreements must meet as a legal basis for the processing of personal data. Companies should ensure that their company agreements comply with the data protection requirements of the GDPR and are regularly reviewed. Data processing that does not comply with the GDPR cannot be justified by a “company agreement”. If you have any questions regarding the design of company agreements that comply with data protection regulations, please do not hesitate to contact us.
