Data protection and collective agreements: provisions of national collective agreements that breach data protection rules should be disapplied

In its judgment of December 19, 2024,  case C-65/23, the Court of Justice of the European Union ruled that (i) the provisions of national collective labor agreements must comply with data protection regulations and that:(ii) ”Should the national court seized of the matter conclude, following its review, that certain provisions of the collective agreement […] do not comply with the conditions and limits set forth by the GDPR, it would be required not to apply such provisions […].”

The case  

The case originates from a claim filed by a German employee, who claimed that the company he worked for was unlawfully processing his personal data. In particular, the company used a SAP software for accounting purposes and the personal data entered in it was transferred to a server located in the United States of America. The company defended itself by claiming that the processing of personal data carried out was lawful because it complied with the provisions of the collective agreements applied in the company.

The employee therefore brought the case before the territorially competent national courts, seeking: (i) access to his personal data, (ii) the deletion of data concerning him and (iii) the recognition of compensation.

The German national judges, called upon to decide the case, raised questions about the scope of the applicability of Article 88 of the GDPR. Article 88 of the GDPR provides that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context […]”.

Can collective agreements establish rules on data processing, even by derogating from the provisions of the GDPR, or must they fully comply with them?

In its ruling, the Court of Justice clarified that when the provisions of a national collective agreement regulate the processing of personal data in the workplace, they must comply with the fundamental principles of the GDPR. The effect must be to bind its addressees (employers and trade unions) to ensure compliance with the principles of lawfulness, fairness, and transparency of the processing, the requirements for lawful consent, and the rules regarding the processing of special categories of personal data.

This means that if a judge were to determine that the provisions of a collective agreement regulating one or more personal data processing activities in the workplace violate the conditions and limits set by the applicable sectoral legislation, the judge would be required to disapply the non-compliant provisions, without the discretion available to the parties to the agreement in determining the “necessary” nature of a personal data processing activity preventing the court from exercising full judicial review in this regard.

Other related insights:    

• Italian Data Protection Authority: no to attendance monitoring via facial recognition and no to monitoring workers’ activities
• Evolving challenges in Employment law and privacy: The challenges for Italian companies (Global Legal Chronicle Italia, 19 November 2024)