Member states can legislate to regulate the processing of personal data when they are empowered to do so in terms of the EU’s General Data Protection Regulation (GDPR). However, when doing so, they must ensure that they are fully compliant with the said regulation or otherwise the national law must be disregarded, the Court of Justice of the European Union (CJEU) has recently affirmed.

The GDPR empowers member states to legislate, or otherwise provide through collective agreements, specific rules which safeguard rights and freedoms of employees with respect to the processing of their personal data within an employment context.

However, the said regulation stipulates that any such rules must include suitable and specific measures to safeguard the data subjects’ human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data and monitoring systems at the workplace.

The facts of this case were briefly as follows.

Germany made provision for two legislative measures whereby it laid down the legal and organisational framework for school education during the COVID-19 pandemic, including the possibility for students who could not be present in a classroom to attend classes live by video conference.

To safeguard students’ rights in relation to the protection of their personal data, the law provided that connection to the video conference service would be authorised only with the consent of the students themselves or, of their parents, in the case of minors.

On the other hand, no provision was made for the attainment of the teachers’ consent to participate in the live streaming. A teachers’ committee filed an action against the relevant German ministry, alleging that the relevant legislative measures were in breach of the GDPR.

The ministry claimed that the basis for processing of personal data inherent in the said live streaming was being laid down in the national legislation itself  and hence there was no requirement for the relevant teachers’ consent to be obtained.

The national court seized of the case acknowledged that the promulgation of such specific rules by a member state within the context of employment is permissible in terms of the GDPR.

However, it was not clear to the national court whether the relevant national laws must also satisfy the conditions laid down in the GDPR, namely, the fact that such specific rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights. To this end, it opted to file a preliminary reference before the CJEU, to attain guidance on the matter.

The CJEU observed that the processing of teachers’ personal data during the live streaming by video conference of educational classes falls within the material scope of the GDPR.

Since such teachers can be considered as employees or civil servants, then the member state is entitled, in terms of the GDPR, to make provision for specific rules concerning the processing of employees’ personal data within an employment context.

The court then went on to analyse whether any such specific rules must, however, also satisfy the conditions laid down in the GDPR itself.  It primarily observed that through the use of the words ‘more specific’, it is clear that any national laws promulgated within an employment context must have content which is specific to employment and which is distinct from the general rules of the GDPR.

Any national laws which are not in full compliance or which conflict with the EU’s acquis will be disregarded

Moreover, the GDPR also restricts the discretion of member states wishing to adopt such ‘more specific rules’. Such rules cannot merely reiterate the provisions of the GDPR laying down the conditions for the lawfulness of the processing of personal data and the principles of such processing, or merely refer to such conditions and principles, the court observed.

They must, however, seek to protect employees’ rights and freedoms in respect of the processing of their data and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data and monitoring systems at the workplace.

While affirming that it is for the national court ‒ which alone has jurisdiction to interpret national law ‒ to assess whether the national provisions at issue comply with the conditions and limits laid down in the GDPR, the CJEU proceeded to provide some guidance on the matter.

It noted that national legislative measures, which simply provide that the processing of employees’ personal data is subject to the condition that such processing is necessary for certain purposes connected with the performance of an employment relationship, are solely reiterating the condition for general lawfulness for processing as set out in the GDPR without adding more substance.

Should the referring court find that the national provisions do not comply with the conditions and limits laid down in the GDPR, it is, in principle, required to disregard them and the processing of personal data in an employment context  would then be directly governed by the provisions of the said EU regulation.

The CJEU went on to note that there are other instances, besides within an employment context, where the adoption of national legislative measures for the protection of personal data is permitted.

Such instances relate to the requirement laid down in the GDPR for national laws to make provision for the basis for processing when this relates to compliance with legal obligations to which the controller is subject or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In such cases, it is EU or national law which must define the purpose for processing, and hence national legislative intervention in this regard is necessary.

Hence, national courts analysing national provisions on the processing of personal data must also verify, prior to disregarding the said laws, whether, even though they do not fulfil the prescribed conditions for specific rules within an employment context, they are potentially laying down basis for processing in respect of the two categories aforementioned, as required by the GDPR.

The supremacy of EU law is an indisputable principle which any state opting to join the EU must accept and is obliged to adhere to upon accession. Hence, any national laws which are not in full compliance or which conflict with the EU’s acquis will be disregarded.

Mariosa Vella Cardona is an independent legal consultant specialising in European law.

 

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.