In Case C-34/21, Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium vs Minister des Hessischen Kultusministeriums, decided on the 30 March 2023, the European Court of Justice (the “Court of Justice”) provided a preliminary ruling on a request made by the Administrative Court of Wiesbaden, Germany (the “Referring Court”), wherein it requested the Court of Justice to decide on the lawfulness of a live-streaming system for classes, adopted during the COVID-19 pandemic, without the prior consent of the teachers concerned. This decision was to be made through the interpretation of Article 88 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) which concerns the processing of data in the context of employment.
Case background and preliminary questions
The Minister for Education and Culture of the Land Hessen (the “Minister for Education”) had established a framework during the COVID-19 pandemic whereby students who could not be present in a classroom could attend their classes online. To safeguard students’ rights in relation to the protection of personal data, it was decided that such live streaming service would need to be consented to by the students themselves or for younger students, by their parents. However, no provision was made for the consent of the teachers participating in this service. Consequently, the Principal Staff Committee for Teachers (the “Principal Staff Committee”) at the Ministry of Education brought an action before the Referring Court, complaining that the live streaming of classes by videoconference was not made conditional on the consent of the teachers concerned.
The Minister for Education maintained that paragraph 23 of the ‘Law on data protection and freedom of information of the Land Hessen’ (the “HDSIG”) and paragraph 86 of the ‘Law on the civil service of the Land Hessen’ (the “HBG”), which regulate the processing of employees’ personal data by public bodies, by relying on ‘necessity’ as the legal basis for the processing of such data, were in conformity with Article 88(1) of the GDPR. Article 88 of the GDPR concerns the processing of data in the context of employment, whereby Member States are given the discretion to provide for more specific rules regarding the processing of employees’ personal data.
However, the Referring Court was not convinced that the relevant articles in the HDSIG and HBG were in compliance with Article 88 of the GDPR. Accordingly, the Referring Court, referred the following questions to the Court of Justice for a preliminary ruling:
· Is Article 88(1) of the GDPR to be interpreted as meaning that, in order to be a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context within the meaning of Article 88(1) of the GDPR, a provision must meet the requirements imposed on such rules by Article 88(2) of the GDPR?
· If a national rule clearly does not meet the requirements under Article 88(2) of the GDPR, can such rule nevertheless remain applicable?
It is worth noting that the German Government submitted that the request for a preliminary ruling was inadmissible, as the questions referred for a preliminary ruling were not relevant to the outcome of the dispute in the main proceedings. However, the request for a preliminary ruling was later deemed to be admissible.
Interpretation and decision of the Court of Justice
As regards to the first question, the Court of Justice held that Member States’ power to adopt ‘specific rules’ under Article 88 of the GDPR is discretionary. However, should a Member State choose to adopt these rules, they must be adopted with the objective to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context.
Article 88(2) of the GDPR clarifies that the ‘specific rules’ adopted shall “include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.” Therefore, the discretion afforded to Member States in enacting ‘specific rules’ must be guided by this provision. This aims to counter the possible lack of harmonisation amongst Member States in enacting ‘specific rules’, through safeguards intended to protect employees’ rights and freedoms as was also observed by the Advocate General in his Opinion on the matter.
The Court of Justice pointed out that the term ‘more specific rules’ infers that the rules enacted under that provision must be distinct from the general rules of the GDPR and cannot be a reiteration of the principles as laid out in the GDPR. The Court of Justice referred to the Advocate General’s opinion, which held that paragraph 23 of the HDSIG and paragraph 86 of the HBG merely reiterate the condition for the general lawfulness of data processing already set out in Article 6(1)(b) of the GDPR, without adding a ‘more specific rule’ within the meaning of Article 88(1) of the GDPR. Therefore, should the Referring Court conclude that the provisions of national law do not comply with Article 88 of the GDPR, it would be required to disregard those provisions.
In the light of the foregoing considerations, the Court of Justice replied to the first question by holding that “Article 88 of the GDPR must be interpreted as meaning that national legislation cannot constitute a ‘more specific rule’ […] where it does not satisfy the conditions laid down in paragraph 2 of that article”, meaning that it must include suitable and specific measures to safeguard the data subject’s legitimate interests and fundamental rights.
In examining the second question, the Court of Justice noted that it is only the Referring Court that has jurisdiction to assess whether national law is in compliance with the conditions and limits laid down in Article 88 of the GDPR. The Court of Justice replied to the second question by holding that, where the Referring Court finds that the national provisions on the processing of personal data do not comply with the conditions laid down in Article 88 of the GDPR, it must still verify whether those provisions constitute a legal basis under Article 6(3) of the GDPR, which provides that the processing of data must be based on EU law or on Member State law to which the controller is subject; and that the purposes of the processing are to be determined on that legal basis.
Concluding remarks
For companies and employers, this preliminary ruling essentially means that as far as the "classic" processing processes in the employment relationship are concerned - the rules of the GDPR must be applied. Specifically, employers will need to rely on Article 6(1) of the GDPR when processing employee data.
The Hamburg Commissioner for Data Protection and Freedom of Information has also commented on the preliminary ruling and has called upon the Hamburg legislature to review and revise the relevant sections of the Hamburg Data Protection Act.
Dr. Nigel Micallef is an Associate at Ganado Advocates