Author: Achim Seifert

 

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

 

A. General questions
I. Purpose of Art. 88

Art. 88 empowers Member States to adopt specific rules on the protection of personal data in the employment context and limits thereby the effect of a complete harmonisation, intended by the GDPR, for data protection within the employment relationship. In principle, the provisions of the GDPR also apply to the employment relationship; this results from Art. 2 para. 1 on the material scope of the GDPR and may also be concluded from Art. 9 para. 2 lit. b. Thus, the GDPR also protects employees from unlawful processing of their personal data in the employment context. However, the regulation does not comprise specific standards for the employment context: insofar, nothing has changed compared to the legal situation under the DPD (cf. → mn. 4). Art. 88, para. 1 contains an opening clause, empowering Member States to adopt, by law or by collective agreement, more specific rules concerning data processing in the employment context and by this limits the complete harmonisation of data protection law the GDPR as far as data processing within the employment relationship is concerned (for further details cf. → mn. 20-23). Para. 2 conditions this power of Member States by requiring safeguards that ensure the respect of the fundamental rights of workers as data subjects. Para. 3, finally, imposes to the Member States a duty to notify to the Comm those provisions of their national law which have been adopted by them in making use of the opening clause of para. 1

 

II. Evolution of employee data protection law at EU level

The adoption of specific rules on employee data protection was claimed as early as in the late 1970s by some labour lawyers. At that time, the debate was still concentrated on national law and resulted in a number of national rules protecting the processing of employees’ personal data in specific contexts (e.g. rules on video-surveillance and other forms of surveillance at the workplace).

In contrast to the CoE whose Committee of Ministers recommended to the Member States already in 1989 to adopt specific rules on employee data protection and unlike the ILO which adopted a ‘Code of practice on the protection of workers’ personal data’ in 1997, the EU established with the DPD, adopted in 1995, only a general legal framework for data protection, without providing specific rules for the employment context. As Art. 3 DPD did not exempt the employment relation from the material scope of that Directive, its provisions also applied to data processing in the employment relation. However, the idea behind the DPD was to supplement its general legal framework by sector specific data protection rules, such as on the employment context, consistent with the principles set out in the DPD.

In pursuance of this conception, the Comm took the initiative, in the aftermath of the adoption of the DPD, to adopt a Directive on the protection of employees’ personal data. On the basis of a legal research realised by Mark Freedland, the Comm consulted on 27 August 2001 the European social partners in accordance with ECT, Art. 138 para. 2 (= TFEU, Art. 154 para. 2) about its intention to adopt a Directive on employee data protection. It is interesting to note that the Art. 29 WP, in its opinion on data protection in the employment context, issued on 13 September 2001, did not explicitly comment on the Comm’s initiative but only examined questions of data protection in the employment context in order to contribute to the uniform application of the DPD (DPD, Art. 30 para. 1 lit. a). The European social partners’ statements on whether or not such Directive on data protection in the employment context should be adopted, revealed a strong disagreement between them. The Comm identified various subjects of such a Directive, namely the employees’ consent to the processing of their personal data by the employer, data processing of health data by the employer, as well as the conditions for drug-related or genetic tests and surveillance of employees at the workplace. Due to the divide between the European social partners, the Comm did not pursue its plans and did not draft a proposal for a Directive on data protection in the employment context. In recent times, the Comm has not come back to its initiative of 2001: in its ‘European Pillar of Social Rights Action Plan’ of March 2021, the adoption of specific data protection rules for the employment context has not been mentioned and does therefore not constitute a priority of the current Comm.

Despite this missing general framework for data protection in the employment context, the EU has adopted punctual and often incomplete rules dealing with the processing of employees’ personal data in the employment relationship. A few examples will suffice. According to Art. 9 para. 1 lit. a of the Directive 2003/88/EC, concerning certain aspects of the organisation of working time, for instance, the Member States shall take the measures necessary to ensure that night workers are entitled to a free health assessment before their assignment and thereafter at regular intervals; but this health assessment must comply with medical confidentiality (Directive 2003/88/EC, Art. 9 para 2). Moreover, the CJEU has recently recognised, under Art. 3, 5 and 6 of the Directive 2003/88/EC, read in the light of EU CFR (Art. 31 para. 2), that employers have the duty to set up a system enabling the duration of time worked each day by each worker to be measured: which implies that employers shall register the working hours of their employees. Another example is Art. 10 of the Directive 98/24/EC on the protection of the health and safety of workers from the risks related to chemical agents at work, imposing on Member States a duty to establish arrangements to ensure that for each worker who undergoes health surveillance, individual health and exposure records are made and kept up-to-date. And Directive 2013/59/Euratom laying down basic safety standards for protection against the dangers arising from exposure to ionising radiation requires medical surveillance of workers exposed to ionising radiation which shall include regular medical examinations (Art. 45 para. 3), but also the opening of a medical record for each exposed worker (Art. 48). Leaving aside the duty to medical confidentiality under Art. 9 para. 2 of the Directive 2003/88/EC, these EU provisions do not comprise further rules on the protection of personal data of the employees affected. As a result, the EU has not succeeded in establishing a legal framework for the protection of employees’ personal data within the employment relationship.

 

 

 

[…]