Last September, the Advocate General of the Court of Justice of the EU (“CJEU”) issued an opinion on Article 88 of the General Data Protection Regulation (“GDPR”).  According to the article referred to above, Member States may, through national legislation or collective agreements, can lay down more specific rules to ensure the protection of rights and freedoms in the processing of employees’ personal data in the context of employment.

Article 88 of the GDPR is one of the so-called open-ended provisions that allow Member States to set further more specific (either stricter or different) national rules. This gives Member States room to depart from the uniform European legislation.

In his opinion, the Advocate General of the CJEU addressed in particular the compatibility of the German legislation, which was adopted on the basis of Article 88 of the GDPR, with European law. According to the Advocate General, there is a link between paragraphs 1 and 2 of the referenced Article of the GDPR, where the first paragraph gives the Member State the option to lay down more specific rules to ensure protection of the rights and freedoms when processing the personal data of employees in the context of employment, while the second paragraph specifies the content of such specific rules in a binding manner.

Thus, according to the second paragraph of Article 88 of the GDPR, these more specific rules should include specific and appropriate measures to ensure the protection of the human dignity, legitimate interests and fundamental rights of data subjects, in particular as regards the transparency of processing, the transfer of personal data within a group of companies or a group of undertakings engaged in a joint economic activity and monitoring systems in the workplace.

Therefore, in order for a Member State to establish a more specific rule under the first paragraph of Article 88 GDPR, the safeguards provided for in the second paragraph of Article 88 GDPR (see above) must be fulfilled.

According to the Advocate General, the German legislation under review did not even meet the requirements of the first paragraph of Article 88 of the GDPR, because its provisions essentially merely reiterated the principle of data limitation and minimising under Article 5 of the GDPR and thus did not provide any more specific rule. Moreover, the requirement set out in the second paragraph of Article 88 of the GDPR was not met either, in particular because the German legislation in question completely lacked any rules to ensure the protection of rights and freedoms in relation to the processing of employees’ personal data.

According to the Advocate General’s logic, then, the above-described requirements arising from Article 88 of the GDPR could also apply to other open-ended provisions of the GDPR, such as Article 9(2)(b) GDPR, which allows for the processing of special categories of personal data (including health data), provided that such processing is permitted under European Union law or under the law of a Member State that provides for appropriate safeguards relating to the fundamental rights and interests of the data subject. In other words, safeguards for the processing of personal data are also required under the aforementioned Article 9 GDPR, as in the second paragraph of Article 88 GDPR.

Employee health data, which fall under Article 9 of the GDPR, have been extensively processed in recent years due to the Covid-19 pandemic in the Czech Republic. In these cases, reference was often made to the general provision of Section 102 of the Labour Code, according to which the employer is obliged to create a safe and health-safe working environment and working conditions by appropriately organising health and safety at work.

However, in light of the Advocate General’s opinion described above, article 102 of the Labour Code appears to be insufficiently specific as to the manner and scope of the processing of personal data and does not contain any more specific guarantees to ensure the protection of the rights and freedoms of the data subjects.

Thus, the processing of special categories of personal data (including health data) under Article 9 of the GDPR is clearly not sufficiently regulated in the Czech legal order, as the possibilities of the open-ended provisions of the GDPR are not used.

The question awaiting the Czech legislators is therefore, if it is not necessary to adopt appropriate amending measures that would provide a valid legal basis for the processing of (special categories of) personal data of employees and define sufficiently specific rules for the processing of such data in relation to the open-ended provisions of the GDPR. However, this is rather a matter of the future, as it is uncertain whether the CJEU will apply the Advocate General’s opinion.

Given that a comprehensive regulation is not likely to come anytime soon, it is therefore appropriate for employers to always look for ad hoc solutions according to the specific situation. And preferably in the form of compliance with transparently set internal regulations that will provide, at least, sufficiently specific rules and safeguards for the processing of such data, if not a sufficient legal ground.

Autor: Veronika Odrobinová, Jessica Vaculíková