menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Austria) language
Contact our local member in Austria mail_outline
Visit the website of Geistwert account_balance

arrow_backPrevious Article
Article 88
Next Articlearrow_forward

Processing in the context of employment

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 88 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 88 keyboard_arrow_up

Key words related to article 88

Show the recitals of the Regulation related to article 88 keyboard_arrow_down Hide the recitals of the Regulation related to article 88 keyboard_arrow_up

(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

There is no recital in the Directive related to article 88.

The GDPR

Article 88 of the Regulation allows Member States, either by law or through collective agreements, make adjustments to data protection rules for  employment relationship, including more precise rules for the protection of rights and freedoms.

These rules could be provide for processing to be limited purposes such as recruitment, performance of the employment contract, other obligations established by law or by collective agreements, management, planning and organization of labour, equality and diversity in the workplace, occupational health and safety, protection of property belonging to the employer or client, exercise and enjoyment of rights and benefits related to the employment, individually or collectively, as well as for the termination of the employment relationship.

Those rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place (paragraph 2).

Initially, the second proposed version of the Regulation authorised the Member State to establish, by law, the conditions, in which the personal data relating to employment could be processed on the basis of the employee’s consent. This provision was deleted, as the G29 argued consent of an employee can be considered as expressed explicitly and freely as part of an employment contract characterized by a subordination link (Opinion 15/2011 of 13 July 2011 on the definition of consent, WP 187, p 15;. see also WP 48 on the processing of personal data in the employment context. WP 114 - Working document on a common interpretation of Article 26, paragraph 1 of Directive 95/46/EC of 24 October 1995, is also relevant).

Finally, Each Member State shall notify the Commission of those provisions adopted into its law no later than 2 years after the publication of the Regulation and, without delay, any subsequent amendment affecting them.

The Directive

The Directive did not contain any specific provision in the context of labour law.

Potential issues

The difficulty will doubtlessly arise from the divergences of the regime between the Member States and from a lack of harmonization, as the lowest severity to be applied in a matter could foster a social dumping phenomenon. Therefore, control is provided via the notifications to the Commission, which should help to avoid excessive disparities.

 

arrow_back Previous ArticleArticle 88Next Article arrow_forward
arrow_back Previous ArticleArticle 88 Next Article arrow_forward

Summary

European Union

European Union

Retour au sommaire

Article 29 Working Party

Opinion 2/2017 on data processing at work - wp249 ( 8 June 2017)

This Opinion complements the previous Article 29 Working Party (“WP29”) publications Opinion 8/2001 on the processing of personal data in the employment context (WP48) , and the 2002 Working Document on the surveillance of electronic communications in the workplace (WP55). Since the publication of these documents, a number of new technologies have been adopted that enable more systematic processing of employees’ personal data at work, creating significant challenges to privacy and data protection. This Opinion makes a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees by outlining the risks posed by new technologies and undertaking a proportionality assessment of a number of scenarios in which they could be deployed. Whilst primarily concerned with the Data Protection Directive, the Opinion looks toward the additional obligations placed on employers by the General Data Protection Regulation. It also restates the position and conclusions of Opinion 8/2001 and the WP55 Working Document, namely that when processing employees’ personal data:

-  employers should always bear in mind the fundamental data protection principles, irrespective of the technology used; -  the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;

- consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;

- performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;

- employees should receive effective information about the monitoring that takes place; and

- any international transfer of employee data should take place only where an adequate level of protection is ensured.

Link

Retour au sommaire
arrow_back Previous Article Article 88 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-34/21 (30 March 2023) - Hauptpersonalrat der Lehrerinnen und Lehrer

1.      Article 88 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that national legislation cannot constitute a ‘more specific rule’, within the meaning of paragraph 1 of that article, where it does not satisfy the conditions laid down in paragraph 2 of that article.

2.      Article 88(1) and (2) of Regulation 2016/679

must be interpreted as meaning that the application of national provisions adopted to ensure the protection of employees’ rights and freedoms in respect of the processing of their personal data in the employment context must be disregarded where those provisions do not comply with the conditions and limits laid down in Article 88(1) and (2), unless those provisions constitute a legal basis referred to in Article 6(3) of that regulation, which complies with the requirements laid down by that regulation.

Judgment of the court

Opinion of the advocate General

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 88 Next Article arrow_forward
Regulation
1e 2e

Art. 88

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
1st proposal close

Art. 82

1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
2nd proposal close

Art. 82

1. Member States may by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. (…)

2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

3. Member States may by law determine the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee.
Directive close

No specific provision
Austria
compare_arrows
visibility Old law

Confidentiality of data

§ 6 DSG

(1) The controller, the processor and their employees, i.e. employees and persons in a quasi-employee relationship, shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to them solely due to their employment, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that have been entrusted or have become accessible to them exists (confidentiality of data).

(2) Employees may transmit personal data only if expressly ordered to do so by their employer. Unless such an obligation of their employees already exists by law, the controller and the processor shall contractually bind their employees to transmit personal data from data processing activities only on the basis of orders and to maintain the confidentiality of data even after the end of their employment with the controller or processor.

(3) The controller and the processor shall inform the employees affected by these orders about the transmission orders applicable to them and about the consequences of a violation of data confidentiality.

(4) Without prejudice to the right to give instructions under constitutional law, an employee must not incur any disadvantage from refusing to comply with an order for a prohibited transmission of data.

(5) The statutory right of a controller to refuse to give evidence shall not be avoided by questioning a processor working for the controller, and in particular not by seizing or confiscating documents processed by automated means.

Permissibility of recording images

§ 12 DSG

[...]

(4) It is not permitted to

  1. [...]
  2. record images to monitor employees,

[...]
Old law close

No specific provisions under the DSG 2000, but under Austrian Labour Law.
arrow_back Previous ArticleArticle 88 Next Article arrow_forward
close

2016 - www.itiplaw.eu.