The Supervisory Authority of Baden-Württemberg (“SA”), Germany, has published a new version of its guidance document on data protection issues in the employment context on March 12, 2019 (available here in German).

The guidance document specifically addresses issues such as the use of e-mail and IT systems by employees, urine drug tests, personal data collected during job interviews, pre-employment background checks, the retention of data on rejected applicants, the provision of information on job applicants to authorities, the use of tracking systems and video surveillance, and the transfer of employee data to other group companies.

The SA noted that, prior to the GDPR, data protection law was often “unknown” or seen as only consisting of non-binding recommendations and added that “this unfortunately common misconception will – hopefully – disappear now due to the potentially heavy fines that may be imposed [under the GDPR]“.

National laws continue to play a significant role in the employment context post-GDPR. Germany used the opening clause in Art. 88 GDPR to essentially ensure that the status quo pre-GDPR remains unchanged. The key provision is sec. 26 of the new Data Protection Act (BDSG), but the relevant rules are dispersed over various laws. Together, the rules continue to be both vague and fragmented. An attempt to codify more detailed data privacy rules in the employment context failed in 2013 due to disagreements between employer and employee associations.

In Germany, in particular, works council agreements are a permissible legal basis for the processing of employee personal data provided they comply with Art. 88 GDPR. The SA estimates that most collective agreements signed prior to the entry into application of the GDPR must be brought into compliance with the requirements of the GDPR, such as with the novel requirements on transparency.