GINDAT would like to draw your attention once again to Section 79a of the Works Constitution Act (BetrVG), which came into force in 2021. This states that the employer is responsible for the implementation of data protection regulations within the meaning of the General Data Protection Regulation (GDPR) for the entire company. However, according to Section 79 a BetrVG, the works council must also comply with the data protection regulations when processing personal data. It acts independently in this regard, but can and should rely on the cooperation of the company data protection officer.
To ensure that the works council can comply with and demonstrate compliance with the relevant provisions of the GDPR and the German Federal Data Protection Act (BDSG), the handling of personal data should be defined in a data protection concept in which the measures for data protection and the security of personal data are set out.
This also serves as proof to the employer, the employees and other third parties, such as data protection authorities and, if applicable, courts, that the works council maintains or has taken protective measures that safeguard the legitimate interests of the employees concerned.
In particular, the transfer of sensitive employee data (special categories of personal data, Art. 9 Para. 1 GDPR), which the works council requires in order to fulfil its duties under the Works Constitution Act, requires the existence of "appropriate and specific measures to safeguard the interests of the data subject" (§§ 26 Para. 3 S. 3, 22 Para. 2 BDSG).
GINDAT develops such a data protection concept together with the works council, which also includes the deletion of personal data. Our customers and their works councils are also requested to contact GINDAT on their own initiative if there is a need for action in this regard.