The German Data Protection Implications of International Group-Wide HR Databases
Dr. Flemming Moos
Many German companies intend to introduce, or already have in place, IT-based systems for administrating their employee relationships. Apart from the storage of the employee's basic data (i.e., name, address etc.), such databases often serve further purposes, such as the recording of the employee's work hours and reviews of their performance. In groups of companies, these databases are mostly centralized. Access to the data is granted to the local human resources (HR) department and to employees of sister or parent companies for centralized budget and fee calculations or, perhaps, coordinated salary and bonus assessments. These practices may give rise to data protection concerns because as a general rule, groups of companies enjoy no privilege under German data protection law when it comes to intra-group transfers of personal data.
Basically, three aspects become relevant from a data protection law perspective when a company establishes an HR database on an international level: (1) The general permissibility of granting access rights to the employee data to individuals who are employed by other group companies; (2) The transfer of data outside the EU; and (3) The role of the works council.
Access Rights of Individuals Outside the German Legal Entity
The transfer of data within a group of companies can be justified by the employment contract only if the employment relationship itself has a group dimension. In this context, a group dimension is defined as an employee willing to work throughout the group of companies, and the employment relationship can, therefore, be classified as a so-called "group-dimensional employment relationship." Another group dimension occurs when staff-related decisions are taken by the company heading the group through a transfer of functions.
Such a group dimension of the employment relationship may exist when employees are involved in projects implemented together with the groups' other companies through the use of a joint and centralized staff, budget and fee planning. Granting the group company in charge of the centralized planning access to the employee data may be covered by the defined purposes of the respective employment contracts. However, this would apply only to the data specifically required for the planning, calculation and handling of an order handled internationally. As far as staff members work in a mere national context and only for the company they are formally employed at, their employment relationship lacks a group dimension. If in addition to this, the introduction of the international HR system is not intended to bring about a transfer of the responsibility for personnel matters to another group company, the grant of access rights to the employees' data to another group company could not be based on the employment contract.
Yet, Sec. 28 para. 1 no. 2 BDSG (Federal German Data Protection Act) could legally permit the transfer of employee data to a group company. According to this provision, the transfer of personal data is permissible as a means of fulfilling one's own business purposes to the extent that the transfer is necessary to safeguard justified interests of the controlling body and that there is no reason to assume that the data subjects have an overriding legitimate interest in their data's exclusion from the transfer. However, some restricting factors have to be taken into account within the framework of the balancing of interests: the highest supervisory office for data protection in Baden-WÃ¼rttemberg, for example, takes the view that although this provision has its own relevance besides Sec. 28 para. 1 no. 1 BDSG, it must be interpreted more strictly if a contractual relationship exists. The contract partner must generally be able to rely on the fact that the data is used exclusively for the purpose for which it has been furnished, with the consequence that a different use would, in most cases, prejudice the legitimate interests of the contract partner. The decisions of the BAG (German Federal Labour Court) - in which the court performs the balancing of interests within the framework of the determination of the purpose of the employment contract - explain that "the employee's privacy may not be invaded to a greater extent than is absolutely necessary for the purposes of the employment relationship." In the light of the quoted ruling of the BAG, further actual and legal factors must be taken into account within the balancing of interests. The following questions would especially have to be looked at: What specific information about the employees is to be transferred and for what purposes the group company will process it.
If a German company wishes to transfer data of employees within the framework of a centralized IT system on the basis of Sec. 28 para. 1 no. 2 BDSG, it would have to be described clearly and examined within the framework of balancing the interests. An assessment must be made of the individual data, including for what specific purposes it is to be transferred and whether the transfer of this data is actually required for the respective purposes. The balancing of interests can also lead to the conclusion that individual data may not be transferred because of the lack of a corresponding requirement. For this reason, it may be worth considering basing the transfer of data on a legally secure basis, i.e., by entering into a corresponding works agreement.
Place of Data Processing
For the assessment of the lawfulness of the data transfer, the place of residence of the individuals that have access to the transferred data must additionally be taken into account. In the event that the data will be stored in the EU and that only people residing in the EU will be given access to it, it is treated in the same manner as a domestic data transfer. However, if the data is to be transferred to a recipient outside the EU, data transfers are permissible subject to the additional requirement that an adequate level of data protection is guaranteed at the level of the body receiving the data (Sec. 4b para. 2 sentence 2 BDSG). Whether an adequate level of data protection is guaranteed must be assessed by the transferring body pursuant to Sec. 4b para. 3 BDSG - especially considering the nature of the data, the purpose of the data
processing, the duration of the planned processing operation and the rules of law that apply to the recipient.
The EC Commission has confirmed in a general manner the adequacy of the data protection levels of Switzerland, Hungary, Canada, Argentine, Guernsey and the Isle of Man, a small island next to the UK. With regard to the U.S., the EC Commission has acknowledged the adequacy of the data protection level subject to the reservation that the company to which data is transferred has joined the so-called "Safe Harbor" regime. If a U.S. group company obtaining the data is unwilling to sign the Safe Harbor Agreement, the data transfer would be legal under one of the exceptions regulated in Sec. 4c para. 1 BDSG. According to this provision, personal data may be transferred even if an adequate level of data protection is not guaranteed by the data recipient if the data subject has consented or if the competent supervisory authority has permitted the data transfer because the data recipient has furnished sufficient guarantees for its protection. Under Sec. 4c para. 2 sentence 1 BDSG, these guarantees may especially result from contractual clauses or binding corporate rules. In practice, associations of enterprises frequently establish corporate regulations in the form of works agreements to justify the international transfer of data.
Another alternative would be to enter into an agreement concerning the protection of the transferred data with the group company receiving it. After its decision on Jan. 7, 2005, the EC Commission has at last adopted contractual standard clauses for these agreements, which, if used, result in the fulfillment of the requirements for an exception pursuant to Sec. 4c para. 2 BDSG.
Involvement of the Works Council
Additionally, the works council may play an important role in the introduction of global IT-based HR systems. Under Sec. 80 para. 2 BetrVG (German Works Council Constitution Act) and under Sec. 90 sentence 1 nos. 2 and 3 BetrVG, the company must inform the works council in a timely and comprehensive manner. Additionally, the introduction of such a system is probably also subject to co-determination by the works council under Sec. 87 para. 1 no. 6 BetrVG. According to this provision, the works council has a right of co-determination - especially in the event of the introduction and application of technical systems to monitor the employees' conduct or performance. According to the rulings of the BVerwG (German Federal Administrative Court), automatic time recording systems are technical monitoring systems within the meaning of Sec. 87 para. 1 no. 6 BetrVG.
Conclusion and Recommendations
With all aspects taken into consideration, it is wise to adopt a corresponding works agreement to grant access rights to employee data to individuals employed by other group companies. If employees' data is transferred within the EU and to a non-EU member state as well, further measures would be required to guarantee an adequate level of data protection, including a specific data protection agreement with the group company receiving the data or the introduction of group-wide corporate regulations concerning data protection. Lastly, the introduction of centralized IT-based HR systems is likely subject to co-determination by the works council, making it necessary to make appropriate preparations.
Dr. Flemming Moos is a Senior Associate and member of the Technology, Media and Communications (TMC) Group in the Hamburg office of DLA Piper. Flemming specializes in IT, data protection and e-commerce law. He advises German and international clients on all contentious and non-contentious IT-related matters. He has a strong focus on the drafting and negotiation of all kinds of IT contracts including licensing, development, maintenance and distribution agreements and general terms and conditions. He is regularly involved in outsourcing deals and also advises public administrative bodies in IT-related procurement processes. Flemming has in-depth knowledge of the setting-up of software license management systems. His data protection law advice focuses on international data flows within groups of companies and Internet-related data usages. Moreover, his practice focuses on issues relating to the setting up of commercial Web sites, copyright and other content licensing, hosting agreements and domain disputes. He may be reached by email at email@example.com