Breaking Down the Management of Employee Files: A GDPR Perspective
Third-party Access Provisions: May a Company Outsource Personnel Records Management to External Entities? Third-party delegation of employee personnel records is not permissible without consent or restrictions.
In today's digital world, handling employee data with utmost care and respect is paramount. A recent case from the Federal Court of Justice (BGH) sheds light on this, focusing on an employee from Hanover who objected to the management of her employee file by third parties.
Previously, administrative duties, including managing employee files, were handled by employees from Lower Saxony. The employee expressed concerns about this practice, leading to an intervention by the federal data protection officer, and subsequently, a change in the practice in 2019.
The employee then turned to the courts, suing her employer for damages. While the two lower courts ruled otherwise, the BGH generally sided with the employee, declaring that her employer's transfer of her employee file to third parties without her consent constituted a violation of the General Data Protection Regulation (GDPR). The transfer of such sensitive information stripped the employee of control, potentially triggering a claim for damages under the GDPR. The federal government now needs to compensate the employee for this violation.
Interestingly, the judges in Karlsruhe clarified that claims for damages under the GDPR are distinct from any national law-based claims, such as those based on principles of official liability. However, due to procedural reasons, the BGH did not decide on the amount of damages. If both parties fail to reach an agreement, a further court proceeding will be needed to determine this.
Here's a quick rundown of the GDPR guidelines for processing employee data and third-party management:
GDPR Basis for Processing Employee Data
- Legal Basis: A legal basis, such as necessity for contract performance, a statutory obligation, or employee consent, is required for processing personal data.[1][3]
- Performance of a Contract: Employee data can be transferred to third parties if necessary for the performance of an employment contract.[1]
- Statutory Obligation: Data may be transferred to comply with legal requirements.[1]
GDPR Requirements for Third-Party Management
- Data Protection by Design and Default: Employers must ensure appropriate security measures and GDPR adherence by any third-party service providers they engage.[3]
- Data Subject Rights: Employees have the right to access, rectify, and erase their personal data, which must be respected by third parties.[4]
- Privacy Policies: Employers should inform employees about how their data is being processed, including data recipients, and maintain transparency about data privacy practices.[4]
Ensuring Compliance with GDPR
- Security Obligations: Robust security measures must be implemented to protect employee data against unauthorized access or breaches.[3]
- Record Keeping: Detailed records of all data processing activities can help demonstrate compliance and facilitate audits.[3]
In the rapidly evolving digital landscape, staying informed about GDPR regulations and their applications to real-world scenarios, like the one in Hanover, is essential. Keeping employee data protected and under control is not only good practice but also a critical aspect of maintaining trust within the workplace.
[1] European Commission - Key principles of GDPR (2020), https://ec.europa.eu/info/law/law-topic/data-protection/key-principles-gdpr_en
[2] General Data Protection Regulation (GDPR), https://gdpr.eu/
[3] European Data Protection Board - Recommendations 01/2018 on a data protection impact assessment (DPIA) (2018), https://edpb.europa.eu/our-work-tools/our-documents/data-protection/recommendations/recommendations-012018-data-protection-impact-assessment-d
[4] GDPR Recital 15, https://gdpr-info.eu/recitals/recital-15/
- The Hanover case, where an employee objected to third-party management of her employee files, underscores the importance of adhering to the General Data Protection Regulation (GDPR) regarding sensitive data.
- Employers must ensure GDPR compliance by third-party service providers handling employee data, as mandated by the GDPR's Data Protection by Design and Default principle.
- In order to demonstrate compliance with GDPR, employers should maintain detailed records of all data processing activities and implement robust security measures to protect employee data.
- When discussing employee data processing, transparency is key. Employers should inform employees about how their data is being processed, including data recipients, to respect their right to access, rectify, and erase their personal data.