Further to the recently published guidelines on new employee privacy rules (of Privacy Advisor), the German Federal Ministry of the Interior (Bundesinnenministerium - BMI) on May 28 tabled a first draft of a corresponding law, according to which a new section on employee privacy rules shall be introduced into the German Federal Data Protection Act (FDPA).


The new employee privacy rules are intended to form the new Sec. 32 to 32l FDPA. Most of the provisions in the draft reflect the issues that were already selected for regulation in the earlier guidelines. It is noteworthy, however, that (1) for some issues the BMI follows a rather strict approach, requiring opt-in consent for several data processing operations, and (2) to a certain extent the draft creates new, and sometimes far-reaching, obligations for the employer, in particular a quite broad obligation to disclose employee data breaches. In detail:


  • Medical examinations and assessment tests: Sec. 32a para. 3 and 4 of the draft require that employees give their prior opt-in consent to any kind of medical examination or assessment test, irrespective of whether such tests are conducted during the term of the employment relationship or in the application phase. The employer shall also be obligated to inform the employee beforehand about the kind and scope of the tests.

  • Data collection from applicants: According to Sec. 32a para. 8 of the draft, personal data shall only be collected directly from the affected employee or applicant. Any collection of data on the applicant from a third party requires prior opt-in consent. An exemption is made only for data that is publicly available, so that Internet searches on the individual will generally remain permissible. If no employment relationship is established, the applicant's data may only be stored further if the applicant has consented.

  • Data transfers: If the employer transfers employee data to a third party (e.g. a customer, a government body, etc.), which in practice is often the case, the employer must instruct each recipient that the data may only be used for the purposes for which it was transferred.

  • Employee pictures: Photos of employees may only be used for identification and authorization purposes. If any further use is desired (e.g. internal staff directories), the explicit consent of the employee is required.

  • Internet and e-mail: The purposes for which data on the usage of Internet, e-mail and other communication systems may be used by the employer will be stipulated in detail in Sec. 32i of the draft. Notably, the use of data relating to employees' private use of the company's communication systems is also to be regulated explicitly.

  • Data breach notification: A very far-reaching obligation to notify employees of data breaches shall be introduced in the new Sec. 32j. According to the proposed provision, any unauthorized access to employee data by a third party, or any unlawful transfer of such data to a third party, shall trigger an obligation to notify the affected employee. Where severe impairment of the rights or interests of the employee is likely, the data protection authorities are also to be informed of the data breach.

  • Declarations of consent: Another quite strict approach is taken in the new Sec. 32l of the draft. According to this provision, a declaration of consent by the employee would in future be a valid basis for data processing operations by the employer only where the new Sec. 32 to 32k explicitly provide for this option. This would be a quite radical deviation from the current legal situation in Germany, because at present consent is always a valid basis for all kinds of data processing (Sec. 4 para. 1 FDPA).


If the draft were adopted in its current form, this would have major implications for the employee data processing operations of all businesses in Germany.