Pro­tect­ing Em­ploy­ee Data

When it comes to processing employee data, it is nothing new that employers have to adhere to the legal stipulations governing data privacy. Neither the GDPR nor the Austrian Data Protection Amendment Act 2018 (in German “Datenschutz-Anpassungsgesetz”) will change anything about that. Personal employee data will have to be processed lawfully, in good faith and transparently also in the future.

GDPR – a variety of new duties for the employer

Nevertheless, the GDPR poses a change of paradigm to the employer. In particular, employers qualifying as data controllers will no longer have to file their data processing operations with the Austrian Data Protection Authority prior to starting with the processing.

Employers, the data controllers in this context, will have to keep a record of processing activities themselves in the future and present those to the Austrian Data Protection Authority on request. Furthermore, employers will have to – depending on the nature, scope, context and risks of data processing as well as available technologies and implementation costs – implement suitable technical and organisational measures to fully protect the rights of the data subjects in the course of data processing (also see: (privacy by design/privacy by default).

Another novelty is the requirement for employers that use new technologies: in this case, employers are required to perform a privacy impact assessment (PIA) if the intended data processing operation is likely to pose a high risk of infringing the rights of natural persons. Further, certain enterprises and especially public authorities will be obligated to appoint a data protection officer. According to the GDPR, this data protection officer will fulfil his or her duties independently.

The Austrian legislator once again missed the opportunity to create a specific employee data protection law to resolve the old conflict between labour and data protection law. In effect, there is no change to the current legal situation, which is rife with uncertainties.

Adhering to labour law AND data protection law

If employers intend to process employee data, they will have to comply with both data protection law and labour law also in the future. In practical terms, this means that employers may introduce control measures and technical systems for monitoring employees, provided the measures affect the employees human dignity, only after entering into a works council agreement (plant agreement) even if they heed all data protection regulations of the GDPR. This also applies to the digital telephone systems, which have become indispensable in many companies, as well as to access control systems, video surveillance and “everyday” systems like email and even the internet. All of these systems are objectively suitable to control data subjects and therefore subject to the Austrian Labour Constitution Act (in German “Arbeitsverfassungsgesetz”). Similarly, employers still have to obtain the approval of the works council when introducing automated personnel data systems and staff appraisal systems.

Missing works council agreements (plant agreements) may result in penalties

Keep in mind: for now, it remains uncertain whether the mere failure to conclude a works council agreement, which is compulsory pursuant to the Austrian Labour Constitution Act, is also subject to the penalty mechanism of the GDPR and may therefore result in substantial fines. This conclusion stands to reason as Austria’s legislator has declared the Austrian Labour Constitution Act, especially Article 96 and 96a, to be a data protection legal provision in the context of employment (specifically as laid down in Article 88 GDPR).

This is just one of many reasons why you should pay close attention to the topic of compliance in the context of labour law. For these reasons, we recommend a thorough review of the data processing operations in use at your company and to establish a record of processing activities before the GDPR and the Austrian Data Protection Amendment Act 2018 enter into force on 25 May 2018. In doing so, it is important to consider aspects of labour relations law and industrial relations law as a lot of personal data is permanently used, especially in the context of employment.

If no works council agreements (or individual agreements pursuant to Article 10 par. 1 Employment Contract Law Amendment Act (in German “Arbeitsvertragsrecht-Anpassungsgesetz”) in companies not having a works council) have been signed, you should do so as soon as possible. We also recommend to check whether existing works council agreements are compliant with the new Austrian Data Protection Amendment Act 2018.


<<< back to homepage