– CJEU Rules on Processing in the Employment Context –
On 30th March, the CJEU ruled in the case of Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium v Minister des Hessischen Kultusministeriums. The case concerns a dispute over the live streaming of lessons by video conferencing systems, and whether this requires the consent of teachers, or whether the data processing is covered by the first sentence of Paragraph 23(1) of the HDSIG – the relevant local law. The referring court, however, had ‘doubts as to whether the first sentence of Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG are compatible with the requirements laid down in Article 88(2) of the GDPR’. In this regard, the referring court asked the following two questions to the CJEU:
1. ‘Is Article 88(1)’ – concerning the employment context – ‘to be interpreted as meaning that, in order to be a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context within the meaning of Article 88(1)…a provision must meet the requirements imposed on such rules by Article 88(2)’?
2. ‘If a national rule clearly does not meet the requirements under Article 88(2) of [the GDPR], can it nevertheless remain applicable?’.
In response, the Court held:
1. ‘In order to be classified as a ‘more specific rule’ within the meaning of Article 88(1) of the GDPR, a rule of law must satisfy the conditions laid down in paragraph 2 of that article. Apart from having a normative content specific to the area regulated, which is distinct from the general rules of that regulation, those more specific rules must seek to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights. Particular regard must be had to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place’.
2. ‘Article 88(1) and (2) of the GDPR must be interpreted as meaning that the application of national provisions adopted to ensure the protection of employees’ rights and freedoms in respect of the processing of their personal data in the employment context must be disregarded where those provisions do not comply with the conditions and limits laid down in Article 88(1) and (2), unless those provisions constitute a legal basis referred to in Article 6(3) of that regulation, which complies with the requirements laid down by that regulation.’
This is a fascinating case, both because it deals with interesting subject matter (the employment context, distance learning etc.) and because the CJEU provides a range of observations and clarifications concerning significant aspects of data protection law, for example the concept of employment and the scope of the possibility for Member States to rely on concepts drawn directly from EU law when drafting national legislation in relation to an opening clause.
– AG Offers Broad Interpretation of Article 22 GDPR –
On 16th March, AG Pikamäe delivered an Opinion in the case OQ v Land Hesse, according to which credit scoring constitutes profiling under the GDPR, and entails the applicability of Article 22 GDPR as well as the transparency provisions of Article 15(1)(h) GDPR. As to the facts of the case, the applicant in the main proceedings applied for a bank loan. The bank refused it on the basis of the applicant’s low credit score, which was calculated by an entity called SCHUFA and transmitted by it to the bank in question. The applicant requested access to the profile created by SCHUFA, and its deletion, but received only general information about the criteria applied to them. SCHUFA argued that further information on the scoring algorithm constitutes a trade secret. The applicant submitted a complaint with the Hessian DPA, which ended in a court battle between the applicant and the DPA, and resulted in preliminary questions regarding the interpretation of the GDPR provisions on profiling and automated decision-making. In his Opinion, AG Pikamäe first argued that the credit scoring in question constitutes profiling under Article 4(4) GDPR. He furthermore reasoned that the profiling in question fulfils all the conditions for the applicability of Article 22 GDPR – i.e. it constitutes an automated decision which is ‘based solely on automated processing’ and produces ‘legal effects concerning him or her or similarly significantly affects him or her’. This is in particular because negative scorings in practice reportedly lead automatically to loan refusals by the banks. The AG explicitly advocated against a formalistic and narrow interpretation of Article 22 GDPR which, according to him, would lead to a legal vacuum in protecting the rights of data subjects if the profiling in question were not classified as a decision falling within the scope of Article 22 GDPR.
In that regard, he proposed that SCHUFA should be responsible for answering data subject access (and rectification) requests, even if it formally does not take the final decision on granting or refusing a loan. This is because only SCHUFA is in a position to provide sufficient transparency about the creation of individual profiles and not the bank, which formally takes the final decision. As to the granularity of the information, AG Pikamäe argued that SCHUFA should provide more than general information about the profiling applied to the applicant under Article 15(1)(h) GDPR. It should rather inform data subjects how the criteria were applied to them, including the respective weight given to the individual criteria. Even where trade secrets would need to be protected, this should not be used as a ground for complete refusal to be transparent towards the data subject about the way their credit score was calculated. Finally, for those interested in German law, the AG provided a short analysis as to whether § 31 of the German data protection act may be seen as transposing an opening clause of the GDPR and answered this in the negative, providing an interesting analysis of Articles 6 and 22 GDPR and the space they leave for national legislators. Note: At the time of writing the above summary, the Opinion was not available in English. The above text is based on the German version of the Opinion.
– EDPB Holds 77th Plenary Meeting –
- ‘Guidelines on data subject rights – Right of access (after public consultation)’
- ‘Targeted update of the Guidelines for identifying a controller or processor’s lead supervisory authority (after public consultation)’
- ‘Targeted update of the Guidelines on data breach notification (after public consultation)’
- ‘Update on EDPB litigations’
- ‘Creation of a taskforce on the interplay between data protection, competition and consumer protection’
- ‘Draft letter on data sharing for AML/CFT purposes’
- ‘2022 EDPB budget execution and 2024 EDPB budget proposal’
- ‘Proposal for a Regulation on the Transparency and targeting of political advertising’
At the time of writing, only the Agenda of the meeting is available. We presume materials relating to the outcome of the meeting will become available in due course.