The General Data Protection Regulation (GDPR) comes into force on 25.05.2018. Although the GDPR does not provide a separate chapter for employee data protection, there is an opening clause in accordance with Art 88 GDPR.

Art 88 GDPR provides that Member States may adopt more specific regulations for personal employment data in the employment context. According to Section 11 DSG 2000 new, the Labor Constitution Act – insofar as it regulates the processing of personal data – is a provision within the meaning of Art 88 GDPR. The powers to which the works council is entitled under the ArbVG remain unaffected by this.

However, it is questionable here how far the opening clause under Art 88 GDPR extends and whether this provision has an influence on the co-determination rights and information obligations/rights of employees.

According to the current legal situation, when processing data, an employer must ensure that
– the personal rights of the employee are not violated,
– the rights of the works council – if one of the elements of co-determination are fulfilled – are safeguarded and
– the provisions of the DSG 2000 are complied with.

As the GDPR does not provide for any separate regulations on employee data protection, this assessment will not change in principle. Justification must continue to exist at each of the three levels listed above. The previous legal situation will therefore be maintained.

For this reason, a works agreement must be concluded between the works owner and the works council(Section 96 ArbVG) when introducing control measures and technical systems for monitoring employees in the future, insofar as these measures (systems) affect human dignity (e.g. regularly in the case of video surveillance). Works agreements that have already been concluded continue to apply. However, it is advisable to review and adapt the works agreements if existing works agreements refer to provisions of the old DSG 2000.

It is currently still unclear whether the reference to the ArbVG in Section 11 DSG 2000 New means that the liability regime of the GDPR (fines of up to EUR 20 million or 4% of global group turnover) applies to the ArbVG.

Article 83(5)(d) GDPR provides that all obligations imposed by Member States under Chapter IX are to be sanctioned with the financial penalties of the GDPR. By triggering this direct sanction mechanism, this would mean that the mere failure to conclude a company agreement would in future be sanctioned with a fine of up to EUR 20 million!

Company agreements within the meaning of Art 88 GDPR must include appropriate and specific measures to safeguard human dignity, legitimate interests and the fundamental rights of data subjects, in particular with regard to the transparency of processing, the transfer of personal data within a group of companies or a group of companies engaged in a joint economic activity and monitoring systems in the workplace.

According to the ArbVG, only provisions stipulated by law or collective agreement can be the content of a works agreement. From the perspective of data protection law, §§ 96 para. 1 no. 3 and 96a ArbVG must be taken into account. The specific content of a works agreement is fundamentally alien to Austrian law. The case law of the ECJ will show exactly what is meant by appropriate and specific measures within the meaning of Art 88 (2) GDPR.

CONCLUSION:
If you as an employer have not concluded any works agreements or individual agreements in accordance with Section 10 (1) AVRAG, this should be done by 25.05.2018 at the latest.

_{cf. for more details: Josef Grünanger, Effects of the GDPR on employee data protection in Austria, ZAS 2017/55}