Module 8 · Employee data - legal layers, works councils & legal bases
Employee data sits under more than the GDPR: local data-protection AND employment law also apply, and these are not fully harmonised. Article 88 lets Member States set specific rules (including via collective agreements). Works councils can hold considerable power over employee-data processing, and consent is a difficult and unreliable basis because of the employer–employee power imbalance.
The GDPR is only one layer for employee data. Employers must also consider local data-protection law and employment law, which are not fully harmonised across Member States. Article 88 expressly lets Member States set their own rules on employee data - covering human dignity, legitimate interests, fundamental rights, transparency, intra-group transfers and monitoring.
Works councils are formed at a threshold (typically 30–50 employees). In some jurisdictions they have considerable power - an employer may need to notify, consult and seek approval before, say, introducing email monitoring. Works councils and trade unions must themselves comply with the GDPR.
- Fulfilment of the employment contract - e.g. bank details to pay salary.
- Legal obligation - e.g. sharing salary data with tax authorities.
- Legitimate interests - e.g. migrating data between systems; not available to public authorities for their tasks, must not be adverse to employees, cannot cover special-category data.
- Consent - difficult and unreliable because of the power imbalance; processing may be unlawful even if consent was given.
Employees may feel pressured to agree, so consent in the employment context is rarely freely given. Prefer contract, legal obligation or legitimate interests - and treat explicit consent as a last resort for sensitive data.