Published on 12 March 2024
In the course of exercising their powers, works councils have to process large amounts of (workers’) personal data, thus acting as processors of data. As a collegial body, however, a works council neither possesses legal personality, nor does it have the capacity to hold property. Therefore, it has been a matter of dispute whether a works council can nevertheless be a controller within the meaning of the GDPR, whether it can be liable and subject to sanctions under the GDPR, and whether fines can be imposed on a works council as a result.
Based on the functional concept of controller referred to in the GDPR, arguments have predominantly been made in favour of considering works councils as controllers within the meaning of the GDPR.
The ECJ has confirmed this view in its recent judgment C-231/22. The legal personality of an actor is not relevant to its classification as a controller within the meaning of point 7 of Article 4 of the GDPR. Notwithstanding its lack of legal personality, an agency or body may therefore be classified as a controller in the processing of personal data.
That eliminates the last vestiges of doubt: Under a functional definition, a works council is a controller within the meaning of the GDPR. Individual members or groups of members of a works council, e.g. factions, may also be controllers. The relevant question is whether or not they determine, alone or jointly with others, the purposes and means of the processing of personal data. In its sphere of competence, a works council is therefore also responsible for implementing technical and organisational measures to ensure data security. Neither the owner of a business nor its staff bear any responsibility for data processing carried out by the works council or its individual members. However, although the works council and the owner are usually two separate and independent actors, they may be joint controllers and be jointly and severally liable for breaches of data protection laws in individual cases.