The discretion granted to national law and collective agreements, pursuant to section 88, paragraph 1 of Regulation No. 679/2016, in determining “more specific rules” that ensure the protection of rights and freedoms with regard to the processing of employees' personal data, does not prevent the national judge hearing the case from carrying out a full judicial review of compliance with the general principles established by the GDPR.

In its judgement dated December 19th, 2024, in case C-65/23, the European Court of Justice (“ECJ”) ruled on provisions of a company agreement, signed between a German company and the works council of its employees pursuant to section 88, paragraph 1 of EU Regulation No. 679/2016 (the “Regulation” or “GDPR”), that potentially breached the Regulation's general principles regarding the protection of personal data.

More specifically, section 88 of the GDPR establishes that Member States may provide, by law or through collective agreements, more specific rules to ensure the protection of rights and freedoms with reference to the processing of employees' personal data in the framework of employment relationships.

The case originated from a lawsuit filed by an employee of the German company, who requested: (i) access to certain information, (ii) the deletion of his personal data, and (iii) compensation for the moral damage allegedly suffered as a result of the unlawful processing of his personal data, which had been transferred from the company's software to an American server owned by the parent company, as stipulated in the company agreement itself. The employee claimed that the transfer of his personal data was not necessary and that some of the transferred data were not even covered by the agreement.
In support of these claims, the employee referred to sections 5, 6, paragraph 1, and 9, paragraphs 1 and 2 of the GDPR, which define the principles applicable to the processing of personal data, delineating the boundaries of lawfulness and providing specific limits for the processing of special categories of personal data (e.g., data revealing racial or ethnic origin, political opinions, or religious beliefs).

More specifically, the employee argued that the processing of his data, carried out for the purposes of the employment relationship, violated these provisions and that, for this reason, the company agreement, which provided for this kind of processing, should be substantially disregarded to ensure the full protection granted by the GDPR. Furthermore, even assuming the validity of the company agreement, the agreement itself had been infringed, since various personal data not listed in it (e.g., private contact details, social security numbers, and tax identification numbers) were transferred from the employer to the parent company, a transfer that had therefore not been authorized.

After evaluating the questions referred by the German Supreme Court, the ECJ considered whether company collective agreements governing the processing of personal data pursuant to section 88, paragraph 1 of the GDPR need only respect the limits set by paragraph 2 of the same section (i.e., safeguarding the human dignity, legitimate interests, and fundamental rights of the data subjects), or whether the general principles established in sections 5, 6, paragraph 1, and 9, paragraphs 1 and 2 of the same Regulation, including the criterion of “necessity of processing”, should be considered as limitations, too. Following its evaluations, the European Court opted for the second solution.
It also stated that the margin of discretion in defining the “necessity of data processing” that should be recognized to the parties signing a trade union agreement pursuant to section 88, paragraph 1 of the GDPR does not prevent judicial review “on compliance with all the conditions and limits prescribed by the provisions of that regulation for the processing of personal data”, including verification of the necessity of data processing, pursuant to sections 6, 7, and 9 of the GDPR. That discretion is recognized because the criterion could vary from sector to sector and because, typically, trade unions and companies possess the knowledge and sensitivity needed to appreciate sector-specific peculiarities.

The solution offered by the ECJ seems to clearly exclude the possibility for national trade unions and companies to contractually derogate from the limits and protections granted in terms of privacy by EU Regulation No. 679/2016, regardless of the specific characteristics of each sector.