Update Data Protection No. 188
The draft bill for the Employee Data Protection Act (Beschäftigtendatengesetz, BeschDG) – the basis for the legally compliant handling of employee data in the digital world of work?
Data protection law in the employment context has raised numerous legal issues for years. This is due, among other things, to inconsistent case law, different views among supervisory authorities and courts, and the fact that the relevant provisions on employee data protection are formulated in very general terms. To make matters worse, the European Court of Justice (ECJ) ruled last year that Section 23 (1) of the Hessian Data Protection and Freedom of Information Act (HDSIG) was contrary to European law (see ECJ, judgment of March 30, 2023 - C-34/21). This means that the almost identically formulated central federal standard of Section 26 (1) sentence 1 of the Federal Data Protection Act (BDSG) is also likely to be contrary to European law.
In its coalition agreement, the German government set itself the goal of creating clear and manageable rules for employee data protection and of providing greater protection for the rights of employees in the digital age. A draft bill for an Employee Data Protection Act (E-BeschDG) has existed since October 8, 2024. In this update, we summarize the main new provisions. A separate update on the subject of employee data and artificial intelligence will be published soon.
The draft bill for an Employee Data Protection Act
The aim of the draft Employee Data Protection Act is to clearly regulate the use of modern technologies and data processing for the protection of employees and to create a legally secure framework for employers.
The draft of the BeschDG makes use of the opening clause in Article 88 of the GDPR and regulates the processing of employee data, i.e. personal data of employees, by the employer in the employment context. The law also applies when data processing takes place in connection with a possible (e.g. applicant) or already terminated employment relationship.
In terms of content, the draft bill provides for the following main areas of regulation (summarized in overview form, not exhaustive):
- Purposes of processing: Section 3 of the draft sets out the conditions under which employee data may be processed and provides examples of permissible purposes of processing. The principle of purpose limitation applies. In addition, employers are required to document the processing purposes in writing due to the extended rights of data subjects (see below). If an employer later wishes to process employee data for purposes other than those specified, the law imposes very strict requirements for the permissibility of the change of purpose (e.g. use of data for performance review).
- Necessity test: The draft provides a non-exhaustive list of criteria for the balancing of interests that has always been required as part of the necessity test. This list of criteria is intended to assist employers.
- Consent: The draft contains examples of situations in which consent in the employee context can be given voluntarily and thus effectively obtained, e.g. when publishing photos on the intranet.
- Rights of data subjects: The draft bill expands the rights of data subjects already granted by the GDPR and the BDSG (e.g. right of access under Art. 15 GDPR). Upon request, the employer must, among other things, present the essential considerations of its necessity assessment to the employee in an understandable manner.
- Measures for monitoring employees: The draft bill strictly regulates measures for monitoring employees (collecting data on performance or behavior), such as compliance investigations, video surveillance, GPS tracking and other monitoring measures. Covert surveillance is only permitted if there is suspicion of criminal activity.
- Profiling: The bill includes specific provisions on when profiling is permissible in relation to employees.
- Prohibition of use: The draft provides for a ban on the use of employee data collected in violation of data protection laws in legal proceedings relating to personnel measures. An exception is to be made in the case of an obvious disproportion between the infringement of personal rights and the interests of the employer.
- Co-determination of the works council: The co-determination rights of the works council are to be expanded, particularly with regard to the appointment and dismissal of data protection officers and the use of new technologies such as artificial intelligence.
- Processing within the group: Section 30 of the E-BeschDG contains regulations on data processing within the group and defines legitimate purposes of such cross-company processing.
Outlook and conclusion
The ongoing digitalization and increasing use of artificial intelligence in the world of work require clear regulations for the protection of employee data. Although the draft of the E-BeschDG appears at first glance to be a step in the right direction, a detailed analysis unfortunately reveals less encouraging aspects for employers.
Instead of offering a balanced solution between innovation, employee data protection and employer interests, the draft contains numerous detailed provisions that create administrative hurdles for employers. The law would further complicate data processing for companies in the employment context in the future; one only has to think of the proposal for an extended right to information.
In addition, the general and broad justification for data processing in the employment context in accordance with Art. 6 (1) f GDPR is likely to be superseded by this draft in the future, which is likely to significantly reduce the scope for action and interpretation for employers.
In view of the end of the legislative period next year, the discrepancies within the coalition government and the failure of previous attempts to create special regulations for employee data protection, the chances of the draft being adopted in time are slim. Employers should keep an eye on developments. However, most of the areas regulated in the E-BeschDG could continue to be resolved with the wording of the GDPR alone, in the interest of all parties involved.