Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Germany
CMS Germany Abroad
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
Press releases
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office - Press Room Germany
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Deutsch English
Legal Update

European Court of Justice: No deviation from GDPR standards via works agreements

31 Jul 2025 Germany 6 min read

This article highlights the practical consequences of the new ECJ ruling ("Workday") on data processing based on a works agreement.

Works agreements are frequently used in practice as the legal basis for processing employee data. However, the ECJ had not yet determined whether and to what extent the GDPR requirements could be deviated from in a works agreement. While the German local labor courts have largely granted the parties to the works agreement (employer and works council) a certain degree of flexibility, the ECJ has now rejected such leeway in its "Workday" decision (Case C-65/23, MK v K GmbH, ECLI:EU:C:2024:1051).

Employee claims data protection violation despite provisional works agreement

The plaintiff – who was also the chairman of the works council – claimed non-material damages of EUR 3,000.00 from his employer on the grounds of alleged unlawful data processing. In the context of the group-wide introduction of the cloud-based personnel management system "Workday," the employer had concluded a "provisional works agreement" with its works council for the introduction of the system during a test period with limited use. For this test run, the employer had transferred various employee data from the SAP software previously used to a server of the parent company in the US. The plaintiff considered this data transfer to be unlawful, as it was not necessary for the execution of the employment relationship or for testing the Workday software. In addition, he claimed that the limits of the "provisional works agreement" had been exceeded because the employer had transferred data categories that were not covered by the works agreement (including contract and remuneration details, social security number, and tax identification number) to the parent company.

Questions referred to the ECJ

While the German courts of first and second instance had dismissed the lawsuit, the German Federal Labor Court was skeptical about the admissibility of data processing on the basis of the "provisional works agreement". To clarify the legal situation, it referred the following questions to the ECJ for a preliminary ruling: 

  • Must data processing regulated in a works agreement comply with all the provisions of the GDPR or only with the requirements of Art. 88 para. 2 GDPR (appropriate measures to safeguard the fundamental rights of employees)?
     
  • Do the parties to the works agreement have discretion regarding the necessity of data processing, or are the legal bases they have created subject to full judicial review?

ECJ: No privileged standard for works agreements 

The ECJ's decision rejected the hope that customized solutions for company data processing would be permissible.

With regard to the first question, the ECJ stated that data processing regulated by works agreements must meet all the requirements of the GDPR. Otherwise, the high level of protection afforded by the GDPR in the employment context could be circumvented. Accordingly, the principles relating to processing of personal date set out in Art. 5 GDPR, the requirements for lawful data processing set out in Art. 6 para. 1 GDPR and the special requirements for special categories of personal data (e.g. health data) set out in Art. 9 para. 1 GDPR must be observed.

The ECJ also rejected any discretion on the part of the parties to the works agreement in assessing the necessity of data processing. The ECJ answered the second question clarifying that legal bases in works agreements are subject to full judicial review with regard to the requirements of the GDPR. The EJC acknowledged that the parties to the works agreement "usually have extensive knowledge of the specific needs arising in the field of employment and in the sector of activity concerned". Nevertheless, the court continued, it must be ruled out that the parties to the works agreement may, for reasons of efficiency and simplicity, enter into compromises that could undermine the high level of protection afforded by the GDPR.

The bottom line of this the ruling is that data processing that is not permitted under the GDPR cannot be legitimized on the basis of a works agreement.

Practical advice: The ECJ's "Workday" decision does not contain any indication of a right of co-determination for the works council in matters of data protection. Rather, data protection is not subject to co-determination and is not covered by the works council's IT co-determination right under Section 87 para. 1 no. 6 of the German Works Constitution Act (BetrVG).

Practical consequences for employers

The ECJ's decision has far-reaching implications for employers and the negotiation of works agreements. Employers must ensure that any processing of personal employee data on the basis of a works agreement complies with the requirements of the GDPR.  In view of the full judicial review, this means that employers must ensure that any new systems or procedures for processing personal data are truly necessary and comply with the principles of data minimization and lawfulness. Care must be taken here because violations can result in claims for damages and administrative fines.

Practical advice: Companies that use works agreements as the basis for processing personal data should review those agreements for compatibility with the GDPR. The review should focus in particular on the necessity of data processing and the principle of data minimization. When processing sensitive data within the meaning of Art. 9 GDPR, particular care must also be taken to ensure that adequate safeguards are in place.

For the negotiation of works agreements, this means that the parties to the agreement must apply a high standard of diligence. They must ensure that the agreements contain detailed provisions that guarantee the protection of employees' personal data. This also includes the obligation to take appropriate technical and organisational measures to ensure data security and prevent unauthorized access.

In addition, the parties to the works agreement must ensure that the agreements are transparent and that employees are comprehensively informed about the data processing procedures. This includes clearly defining the purposes of data processing and specifying the categories of data concerned.

Overall, the ECJ's decision requires close cooperation between employers and works councils, as well as careful preparation of negotiations on the employer side. Only in this way can it be ensured that the processing of personal data in the employment context meets the high requirements of the GDPR and that the rights and freedoms of employees are preserved in a pragmatic way.

More insights
Labor, Employment & Pensions Data Protection Law & IT Security Law

Explore more

Newsletter Germany

CMS On your radar | Issue 11

13 Nov 2019 3 min read
Event Germany

IP Insights webinar series 2026

28 Apr 2026
Expert Guide International

Dismissals and Termination of Employment in Germany

7 min read
Back to top Back to top
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.