Employee data protection

Employee data protection refers to safeguarding the personal data of employees within the employment relationship, governed in Germany primarily by Section 26 BDSG and the GDPR.

Employee data protection covers all rules governing how an employer processes the personal data of its workforce. It applies not only to employees in the strict sense but, under Section 26(8) BDSG, also to trainees, temporary agency workers, persons treated as employees, applicants and former employees. The material scope extends from the application stage through the establishment and performance of the employment relationship to its termination and the post-contractual settlement.

The central legal basis in German law is Section 26 BDSG, which implements the opening clause of Art. 88 GDPR. Under Section 26(1) BDSG, employee data may be processed where necessary for deciding on the establishment, the performance or the termination of the employment relationship. Processing for the detection of criminal offences is permitted only under the stricter conditions of the second sentence of Section 26(1) BDSG. Consent as a legal basis is particularly sensitive in the employment context because of the relationship of dependence, and is bound by the voluntariness criteria of Section 26(2) BDSG.

Special categories of personal data, such as health data, may only be processed under Section 26(3) BDSG. Collective-law conditions also apply: works agreements can form an independent legal basis under Section 26(4) BDSG but must comply with the requirements of Art. 88(2) GDPR. The Federal Constitutional Court and the CJEU have clarified the reach of Section 26 BDSG; the requirement of proportionate, transparent and purpose-bound processing must be maintained throughout. Infringements can lead to fines, claims for damages and co-determination conflicts.

Legal Basis

Section 26 BDSG in conjunction with Art. 88 GDPR; Art. 5, 6 and 9 GDPR

Practical Example

A company plans to introduce an electronic time-recording system with biometric login via fingerprint. The data protection officer notes that a fingerprint is biometric data and thus a special category under Art. 9 GDPR, which in the employment context may be processed only under the strict conditions of Section 26(3) BDSG. She recommends a more privacy-friendly alternative without biometric features, concludes a works agreement with the works council as the legal basis, and documents a data protection impact assessment before the system goes live.

FAQ

The decisive provision is Section 26 BDSG, which gives concrete form to the opening clause of Art. 88 GDPR. Processing is permitted where it is necessary for the establishment, performance or termination of the employment relationship. In addition, works agreements or, within narrow limits, voluntary consent may serve as a basis.

Yes, but it is subject to heightened requirements. Under Section 26(2) BDSG, the dependence inherent in the employment relationship must be taken into account when assessing whether consent is voluntary. Voluntariness may exist, for example, where the employee gains a legal or economic advantage. Consent must generally be obtained in writing or electronically.

Yes. Health data is a special category under Art. 9 GDPR and may only be processed under the stricter conditions of Section 26(3) BDSG. This requires in particular appropriate technical and organisational measures as well as strict purpose limitation, for instance when fulfilling labour-law obligations.
