Multinational company groups often use unified ERP software which frequently involve processing employee data. In such cases, it may be necessary to transfer personal data to a non-EU based country and the legal basis of the transfer might be a collective agreement. But how far does the contractual freedom of the parties to a collective agreement extend? Can the general principles of the GDPR be circumvented? In our article, we analysed the recent decision of the CJEU which provides an answer to this question.
Smartlegal Schmidt&Partners reports from Hungary:
- Facts
The applicant is the chairman of the works council (“Applicant”) of a German employer (“Employer”) which belongs to a multinational company group. In 2017, the company group introduced the so-called Workday software as a personnel information management system.
The Employer and the works council concluded a works agreement[i] under which only certain categories of the employees’ personal data may be transferred in relation to the Workday software.
The Employer transferred various personal data of its employees to the server of its parent company in the United States in relation to the Workday software, not limited to categories defined by the works agreement.
- Procedure in Germany
The Applicant started procedures before the German labour courts claiming that the transfer of his personal data to the Employer’s parent company was not necessary for the purposes of the employment relationship. According to him, even if the data transfer could be considered as necessary and the works agreement was a valid basis for it, the Employer exceeded the authorization granted in the works agreement by transmitting further categories of personal data than set forth in the works agreement.
The Federal Labour Court stayed the proceedings and referred the case to the Court of Justice of the European Unionin order to interpret Article 88 of the GDPR[ii].
- Questions to the CJEU
Basically, the Federal Labour Court wanted to know
- whether the law of a Member State which concerns the processing of personal data for the purposes of employment relationships adopted based on Article 88 of the GDPR must comply with the general provisions of the GDPR as well (e.g. the principles and lawfulness),
- if the parties of a collective agreement have are entitled to a margin of discretion in assessing the necessity of data processing that is subject to only a limited judicial review?
- Can a collective agreement circumvent the general provisions of the GDPR?
The Luxembourg Court reminded that Article 88 of the GDPR allows Member States to provide more specific rules for the processing of personal data in the context of employment.
As this is clear from the interpretation of the GDPR, these specific rules must comply not only with the conditions set forth in Article 88 but also with the general provisions, such as Article 5 (principles) and 6 (lawfulness).
The CJEU emphasized that Member States must legislate in such a way as not to undermine the objectives of the GDPR, namely, to ensure a high level of protection of the rights and freedoms of the data subjects.[iii] The more specific rules adopted by Member States in relation to processing personal data in the employment context could not have the purpose or effect of circumventing the obligations of the controller resulting form other provisions of the GDPR.
It means that even a collective agreement (or a works agreement) cannot bypass the general provisions of the GDPR, so data processing based on a collective agreement must comply with the principle of necessity.
- Is the full judicial review of a collective agreement possible?
At a starting point, the CJEU stated that although the parties to a collective agreement have a margin of discretion to introduce more specific rules in relation to data processing in the employment context, this cannot result in the requirement of necessity being applied less strictly or even disregarded.
While it is true that the parties to a collective agreement are generally well placed to assess whether data processing is necessary in a given context, this assessment must not lead to those parties reaching compromises, on the basis of economic or practical considerations, which would undermine the GDPR’s objective to ensure a high level of protection regarding employees’ personal data.
Therefore, the national courts shall have the possibility (and the obligation) to carry out a full judicial review in relation to a collective agreement, and check that the collective agreement complies with the principles of the GDPR, e.g. the necessity requirement.
- Comment
As it can be seen from the CJEU’s judgement, a national legislation or even a collective agreement can provide for more specific rules for data processing in the employment context. However, the contractual freedom of the parties is limited, and they cannot circumvent the general principles of the GDPR such as the necessity of the processing. Consequently, national courts are obligated to review if a data processing under a collective agreement is in conformity with the GDPR.
In this article we analysed the judgement C-65/23 of the CJEU.
Written by Anita Vereb
SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at Smartlegal.hu
[i] A works agreement is a similar type of agreement than a collective agreement.
[ii] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[iii] see also Hauptpersonalrat der Lehrerinnen und Lehrer, C‑34/21, EU:C:2023:270