Newsflash Employment Law / IT Law: LAG Baden-Württemberg on the scope of the duty to disclose information pursuant to Art. 15 GDPR
Cologne, 4th April 2019
In a recently published judgement dated 20 December 2018 (17 Sa 11/18), the Higher Regional Court [Landesarbeitsgericht, LAG] of Baden-Württemberg commented in the context of an unfair dismissal case on the scope of the right to inspect files under employment law and right to the disclosure of information under data protection law.
This gave rise to several recommendations for dealing with the disclosure claim under data protection law as well as for the implementation of whistleblower systems and internal investigations.
Firstly, the LAG emphasised in this connection that the employee's right to inspect files and be provided with information also extends to internal documents that are not intended for the employee (such as the file of an internal investigation). Secondly, the LAG makes it clear that the statutory exceptions that restrict the right to the disclosure of information are to be understood narrowly and must be substantiated by the employer in a concrete, detailed and convincing manner.
The main findings of the LAG to be considered here are, in our opinion:
1. Right to inspect files pursuant to § 83 BetrVG
- The LAG extends the right to inspect the personnel file pursuant to § 83 (1) German Shop Constitution Act [Betriebsverfassungsgesetz, BetrVG] to all collections of documents which are closely related to the employee, regardless of designation, form, position, location, etc. In the case at issue, a file on an internal investigation into the employee was considered to be part of the personnel file because accusations had been raised against the employee regarding the observance of his obligations under employment law.
- Contrary to the statement that the right to inspect files pursuant to § 83 (1) BetrVG is not restricted by law, the LAG then examined possible restrictions. In the specific case, there was no evidence of any threat to an ongoing internal investigation; conversely, one can deduce from this that this would otherwise constitute a possible restriction. The LAG negated a restriction to safeguard the legitimate interests of third parties (e.g. other employees) because the keeping of "secret files" in a personnel file was inadmissible. The LAG recommends that, where anonymity or confidentiality has been guaranteed to whistleblowers, their identity should not be part of the file from the outset or should be blacked out in the file.
2. Right to the disclosure of information under data protection law pursuant to Art. 15 GDPR
The LAG then addressed the right to the disclosure of information under data protection law pursuant to Art. 15 EU General Data Protection Regulation (GDPR). Its findings were initially general, and unsurprising from the point of view of data protection:
- Art. 15 GDPR contains two different claims, firstly a right to the disclosure of information, which (like § 34 German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG], old version) permits a description of the stored personal data. In addition, Art. 15 (3) GDPR grants a right to the provision of a copy of all data.
- The term "personal data" is broad and includes all information about the employee, e.g. in the actual personnel file , in other files such as internal investigations, e-mails, etc.
- In the specific case, the employee himself had (permissibly) limited his claim to the disclosure of information to "personal performance and behaviour data". However, these are not terms that are defined or used in data protection law and they should therefore not be further generalised.
- The right to the disclosure of information extends to all personal data, whether they are processed in data processing systems or otherwise; this is an all-encompassing right which covers all data processing systems in the company.
3. No limitation of the right to the disclosure of information under data protection law
The LAG examined the statutory exemption under Art. 15 (4) GDPR in accordance with § 34 (1) in conjunction with § 29 (1) sentence 2 BDSG. According to this, the right to information does not exist to the extent information would be disclosed which, according to a legal provision or its nature, must be kept secret (in particular because of the overriding legitimate interests of a third party). It follows from this in particular that
- The exceptions of the GDPR are less extensive than those of the previous BDSG. The endangerment of the business objectives of the responsible party alone is no longer sufficient. According to the GDPR and the new BDSG, there are also different exceptions with regard to the right to information and disclosure.
- According to the LAG, grounds for exceptions only apply "to the extent" the need for secrecy exists. It is therefore necessary to weigh the specific pros and cons in each individual case.
- However, the LAG recognises in principle legitimate interests of the employer as an exception, in particular its interest in keeping secret a source of information in the context of whistleblowing systems (unless informants give incorrect information contrary to their better knowledge or recklessly).
- The confidentiality interests, which are fundamentally worthy of recognition, need to be precisely specified.
4. Our recommendations
On the basis of this ruling and our practical experience to date regarding the assertion of information claims under the new Art. 15 GDPR, we can make the following recommendations, in particular for structuring whistleblower systems and internal investigations:
4.1 Assessment of the received claim for the disclosure of information:
The right of employees to the disclosure of information and to inspect the files under data protection law is basically very far-reaching and includes all documents and records concerning the employees. Therefore, received claims for the disclosure of information first need to be precisely interpreted and, if necessary, clarified as to what the claims relate to.
4.2 Allocation of the storage locations:
For companies to be able to comply with these obligations within the statutory time limits at all (in data protection law generally one month), it is vital to determine in advance where and in what form data concerning the data subjects will be stored.
4.3 Strict separation of the data storage:
In case of whistleblowing systems and internal investigations, personal data on the whistleblower and the actual investigation files should be kept strictly separate in all areas, but above all in the file-keeping. The investigation files should not contain any personal information whatsoever about whistleblowers etc. which cannot also be disclosed within the scope of the claim for the disclosure of information.
4.4 Definition of exceptions:
In the context of claims for the disclosure of information, but preferably already when setting up files, it should be clearly defined and precisely specified which parts could be classed as exceptions and why, for example because legitimate interests of the enterprise or legitimate interests of third parties are endangered.
4.5 No unlimited collection of data:
In case of internal investigations and in the file-keeping, one should always be aware of the possible claims for the disclosure of information. A restriction to the data and content that is absolutely necessary not only protects the company, but also complies with the data protection principle of data minimisation.
4.6 Consistent implementation of deletion concepts:
Information no longer can or has to be provided on data that has previously been deleted. The indefinite or long-term storage of personal data therefore needs to be fundamentally reconsidered in case of files concerning internal investigations. It is advisable in this case to define a concrete deletion concept, possibly with different stages (such as the more long-term storage of a short case report, but the deletion of the more extensive files after a reasonable lapse of time).