Can a works council exercise influence in matters concerning data privacy?

In a landmark ruling on December 5, 2024, the Hessian Regional Labour Court (Landesarbeitsgericht Hessen) addressed the question of who has the final say on data protection within a company. The case, numbered 5 TaBV 4/24, sheds light on the employer's sole responsibility in data protection matters.

The works council, invoking its right to co-determination under § 87 (1) No. 6 of the Works Constitution Act (BetrVG), believed that this right also extended to data protection regulations. However, the court clarified that the works council's right to co-determination does not extend to enforcing data protection regulations.

The court reiterated that there is no scope for co-determination regarding mandatory legal regulations, such as those provided by the General Data Protection Regulation (GDPR). The responsibility for data protection compliance lies solely with the employer as the data protection responsible party (according to Art. 4 No. 7 GDPR).

The works council's concerns were particularly evident in the case of a planned introduction of a new IT system for managing employee master data, hosted on servers in the USA. Despite these concerns, the court ruled that the works council's interpretation went too far regarding the inclusion of data protection in co-determination rights.

The Works Constitution Act grants the works council the right to co-determine the introduction and application of technical facilities intended to monitor the behavior or performance of employees, but only if there is no legal or collective agreement regulation (§ 87 (1) No. 6 BetrVG). The court emphasised that the right to co-determination in this context is limited to the works council's general monitoring task (§ 80 (2) BetrVG) and its right to information (§ 80 (2) BetrVG).

Article 88 GDPR in conjunction with § 26 (4) BDSG allows the employer and the works council to agree on specific provisions for ensuring the protection of rights and freedoms with regard to the processing of personal employee data in the employment context through a works agreement. This provision, however, does not grant the works council the power to enforce binding data protection regulations.

The court's ruling emphasises the employer's position vis-à-vis the works council, stating that the employer is solely responsible for data protection compliance. The works council may control and request information, but it cannot enforce binding data protection regulations.

The decision strengthens the employer's position in data protection matters, clarifying that the works council's right to co-determination does not extend to enforcing data protection regulations. Employers are now better equipped to handle data protection concerns within their organisations, with the final responsibility for compliance resting solely with them.

Can a works council exercise influence in matters concerning data privacy?