OPINION OF ADVOCATE GENERAL
CAMPOS SÁNCHEZ-BORDONA
delivered on 22 September 2022 (1)
Case C‑34/21
Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium
intervener:
Minister des Hessischen Kultusministeriums als Dienststellenleiter
(Request for a preliminary ruling from the Verwaltungsgericht Frankfurt am Main (Administrative Court, Frankfurt am Main, Germany))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Processing of data in the context of employment – Article 88(1) – More specific rule – Requirements of Article 88(2) – Regional school system – Lessons live-streamed by videoconference – Absence of explicit consent from the teachers)
1. The matter to be determined in the proceedings which have given rise to this request for a preliminary ruling is, in essence, whether teachers employed by a Land Hessen ministry (Germany) have to consent to the streaming of their lessons by videoconference or whether, if they do not consent to this, the processing of their personal data (2) may be based on one of the legitimate aims provided for in Regulation (EU) 2016/679. (3)
2. The reference for a preliminary ruling provides the Court with the opportunity to give a ruling for the first time, unless I am mistaken, on Article 88 of the GDPR. Pursuant to that provision, Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context.
I. Legislative framework
A. European Union law. GDPR
3. The wording of the following recitals is:
‘…
(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. …
…
(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. …
…
(155) Member State law or collective agreements, including “works agreements”, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
…’
4. Article 5 (‘Principles relating to processing of personal data’) provides:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”)’.
5. Article 6 (‘Lawfulness of processing’) of the GDPR provides:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.’
6. Article 88 (‘Processing in the context of employment’) reads:
‘1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.
3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.’
B. National law
1. Hessisches Datenschutz- und Informationsfreiheitsgesetz (4)
7. Paragraph 23 provides:
‘(1) Personal data of employees may be processed for the purposes of an employment relationship where this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for the implementation, termination or administration thereof, as well as for the implementation of internal planning, organisational, social and personnel measures. This also applies to the exercise or discharge of the rights and obligations arising from the representation of employees’ interests and laid down by law or a labour agreement or works or service agreement (collective agreement).
…
(4) The processing of personal data, including special categories of personal data of employees, for the purposes of an employment relationship is permitted on the basis of collective agreements. In so doing, the negotiating parties shall comply with Article 88(2) [of the GDPR].
(5) The controller must take appropriate measures to ensure that, in particular, the principles for the processing of personal data set out in Article 5 [of the GDPR] are complied with.
…
(8) The following are employees for the purposes of this Law:
…
7. civil servants subject to the Hessisches Beamtengesetz, [(5)] senior judges of the Land, and persons performing civil service.
…’
2. Hessisches Beamtengesetz
8. Paragraph 86(4) is worded as follows:
‘The employer may collect personal data on applicants, civil servants and former civil servants only if this is necessary for the establishment, implementation, termination or administration of the employment relationship or for the implementation of organisational, personnel and social measures, in particular for the purposes of personnel planning and deployment, or if it is permitted by a legal provision or a service agreement …’
II. Facts, dispute and questions referred for a preliminary ruling
9. The Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), which was initially responsible for the submission of this request for a preliminary ruling, did not provide a detailed description of the facts of the dispute, the provisions contested therein (6) or the successive stages of the proceedings, focusing instead on setting out its uncertainties regarding the legal aspects.
10. That court merely states that the parties ‘are in dispute as to whether the introduction of live streaming lessons by means of video conferencing systems also requires – in addition to the consent of the parents for their children or of the pupils who have reached the age of majority – the consent of the respective teachers, or whether, on the other hand, the data processing which takes place in that context is covered by the first sentence of Paragraph 23(1) of the HDSIG …’
11. In particular, that court questions whether the first sentence of Paragraph 23(1) of the HDSIG is a ‘more specific rule’ in respect of the processing of employees’ personal data within the meaning of Article 88 of the GDPR. In its view, that provision does not satisfy the requirements of Article 88(2) of the GDPR because:
— it merely cites ‘necessity’ as the legal basis for the processing of the data of employees and civil servants;
— any processing of employees’ data that goes beyond what is merely necessary for the purposes of the employment contract must be carried out after a balancing of interests that goes beyond mere ‘necessity’, which national law does not provide for.
12. The referring court states that it does not agree with the case-law of the Bundesarbeitsgericht (Federal Labour Court, Germany) on the compatibility of the federal equivalent of the first sentence of Paragraph 23(1) of the HDSIG (7) with Article 88 of the GDPR.
13. The referring court takes the view, on the contrary, that:
— the inclusion of the principle of ‘necessity’ in the national legislation does not amount to specific fulfilment of the requirements of Article 88(2) of the GDPR;
— stating that the controller must comply, in particular, with the principles set out in Article 5 of the GDPR does not meet those requirements either because Article 5 does not provide for any special protection for employees;
— although the legislature has in principle recognised and considered Article 88(2) of the GDPR in that it requires compliance with that provision in collective agreements, it has not addressed or fleshed out the list of requirements set out in paragraph 2, either in the law itself or in the explanatory memorandum to the respective statutory provisions.
14. Against that background, that court referred the following questions to the Court of Justice:
‘(1) Is Article 88(1) of [the GDPR] to be interpreted as meaning that, in order to be a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context within the meaning of Article 88(1) of [the GDPR], a provision must meet the requirements imposed on such rules by Article 88(2) of [the GDPR]?
(2) If a national rule clearly does not meet the requirements under Article 88(2) of [the GDPR], can it nevertheless remain applicable?’
III. Procedure before the Court of Justice
15. The request for a preliminary ruling was received at the Registry of the Court on 20 January 2021.
16. With effect from 1 December 2021, (8) jurisdiction to adjudicate on the main proceedings was allocated to the Verwaltungsgericht Frankfurt am Main (Administrative Court, Frankfurt am Main, Germany), before which the proceedings continued.
17. Written observations were lodged by the German, Austrian and Romanian Governments and the European Commission. All of the former and the Teaching Staff Committee replied in writing to the questions addressed to them by the Court before the hearing.
18. At the hearing, held on 30 June 2022, oral argument was presented by the Teaching Staff Committee, the Land Hessen Ministry of Education and Culture, the German Government and the Commission.
IV. Analysis
A. Admissibility of the reference for a preliminary ruling
19. In its written observations, the German Government argued that the reference for a preliminary ruling is inadmissible because, as regards the assessment of whether the processing of personal data related to the live streaming of lessons by videoconference is covered by Paragraph 23(1) of the HDSIG, the referring court does not explain the reasons for ruling out the possibility that that processing is authorised as a result of teachers’ consent.
20. At the hearing, the German Government partially qualified that argument, acknowledging that the Court would have to give a ruling (in other words, that the reference would be admissible) if the teachers concerned had not consented to the processing.
21. In any event, the Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (9)
22. None of those circumstances is present in this reference for a preliminary ruling, in which the presumption of relevance takes precedence. (10) The underlying premiss is that not necessarily all teachers consent to the processing of their personal data, and therefore, there is still an interest in determining whether the rule (11) which is claimed to cover such processing without the consent of the data subject is compatible with EU law.
23. The question comes down specifically to the issue of whether or not the legislation which is the basis for the processing of teachers’ personal data without their consent satisfies the requirements laid down in Article 88(1) and (2) of the GDPR. It is therefore undeniable that a sufficient connection exists between the dispute and the provisions of EU law the interpretation of which is sought.
B. The substance
1. Preliminary considerations
24. By its first question, the referring court seeks to ascertain whether, for a legislative provision to constitute a ‘more specific rule’ within the meaning of Article 88(1) of the GDPR, it must satisfy the requirements of Article 88(2).
25. It follows from a reading of Article 88 of the GDPR that the ‘more specific rules’ mentioned in paragraph 1 thereof must comply with the requirements of paragraph 2.
26. In accordance with Article 88(2) of the GDPR, ‘those rules’ (in other words, the more specific rules mentioned in paragraph 1 which Member States may adopt) must include ‘suitable and specific measures’ to safeguard employees’ dignity, legitimate interests and fundamental rights. Those rules must have particular regard to the transparency of processing, the transfer of personal data within a group of undertakings or a group of enterprises and monitoring systems at the work place.
27. There is, therefore, an obvious link between those two paragraphs of Article 88 of the GDPR: the second paragraph sets out, in mandatory terms, (12) the subject matter of the specific rules that Member States may adopt, in the context of employment, under the first paragraph.
28. Therefore, the reply to that question does not present any great difficulty: Article 88 of the GDPR is to be interpreted as meaning that a legislative provision which is intended to be a ‘more specific rule’, within the meaning of paragraph 1, ‘must meet the requirements’ – to use the referring court’s words – of paragraph 2.
29. It is unlikely that the referring court would need the assistance of the Court of Justice to reach that conclusion. Perhaps, therefore, to ascertain the true meaning of the first question referred, it should be read in the light of the second. That question asks whether a national rule which ‘does not meet the requirements under Article 88(2)’ of the GDPR (13) can remain applicable.
30. From that perspective (which is that set out in the order for reference), the discussion extends to whether legislative provisions of Member States which were adopted under Article 88(1) of the GDPR but which do not comply with Article 88(2) may be covered by other provisions of the GDPR, in particular other opening clauses of that regulation such as that of Article 6(2).
31. The overlapping of the two questions from the referring court is such that the Austrian Government and the Commission submit that they should be answered together, an approach with which I agree and which I shall follow.
2. Article 88 of the GDPR and the public teaching service
32. The referring court presumes that, as regards the domestic provisions on data protection, the teachers represented on the Teaching Staff Committee and the Land Hessen Ministry of Education and Culture have an employment relationship.
33. That assumption is consistent with the HDSIG, which, in governing the processing of workers’ personal data, classifies as employees, within the meaning of that law, civil servants who are subject to the HBG, which includes teachers.
34. Therefore, at no point does the national court question the applicability of Article 88 of the GDPR to employees of the Land who work in the public teaching service.
35. Moreover, when the parties and the interveners in the reference were asked about this point by the Court of Justice, they did not dispute that assumption either. All agree that employment in the public teaching service does not fall outside the scope of Article 88 of the GDPR.
36. In my view, that is the right approach and it may be used to examine the scope of Article 88 of the GDPR where it refers to the ‘protection … in respect of the processing of employees’ personal data in the employment context’.
37. As the German Government has observed, the category of ‘worker’ in the broad sense naturally includes teachers who are civil servants employed by the Land whose interests are represented by the Teaching Staff Committee.
38. The case-law of the Court of Justice on the employment relationship (14) and the definition of ‘worker’ in relation to the free movement of workers and the inapplicability of the old Article 39(4) EC (now Article 45(4) TFEU) to employment in the public service may, by analogy, form the basis for the solution which I propose.
39. Pursuant to that case-law, which highlights the functional aspect of the task performed:
— the concept of public service within the meaning of that article must be given uniform interpretation and application throughout the European Union and cannot therefore be left entirely to the discretion of the Member States;
— Article 45(4) TFEU covers posts which involve direct or indirect participation in the exercise of powers conferred by public law and duties designed to safeguard the general interests of the State or of other public authorities. (15)
40. Given that teachers who are civil servants do not participate, as such, in the exercise of powers conferred by public law in the strict sense but, rather, provide a service of an educational nature, (16) similar to that provided to other private entities or undertakings, those teachers may be classified as ‘workers’ in general terms and, consequently, in the field of data protection.
41. Otherwise, and the Austrian Government has pointed this out, it would mean giving unequal treatment to substantially equivalent situations, such as those which, from a substantive point of view, define the position of teachers in the context of both the public service and the private sector. That would be all the more serious since, as the Commission has argued, the concept of public service is not harmonised within the European Union, with the result that, in the event of a different interpretation, the scope of Article 88 of the GDPR would depend on national law.
3. Opening clauses in the GDPR
42. As Advocate General Bobek noted in Fashion ID, (17) with the replacement of Directive 95/46/EC (18) by the GDPR, a fundamental change occurred, above all, in the nature of the legal instrument which lays down the rules on the protection of natural persons with regard to the processing of personal data.
43. That instrument is no longer a directive (that is, a provision which imposes an obligation as to the result while leaving the choice of form and methods to the national authorities) but a regulation. The latter, which is mandatory in all respects and directly applicable in each Member State, does not, as a matter of principle and without express authorisation, permit national provisions to transpose (or replicate) its content. (19)
44. Even though the GDPR has gone further than the harmonisation pursued by Directive 95/46, (20) the near universality of the areas of human activity which create personal data the processing of which must be protected (21) meant that the legislature empowered the Member States to:
— incorporate certain elements of the GDPR into their national law where the GDPR provides for specifications or restrictions of its rules by Member State law;
— maintain or introduce national provisions capable of further specifying the application of some rules of the GDPR. (22)
45. Although the GDPR seeks to ensure consistent and homogeneous application of the rules for the protection of personal data throughout the European Union and to remove obstacles to flows of personal data within the European Union, (23) the EU legislature still had to recognise, as Advocate General Richard de la Tour pointed out, that the truth is more complex: despite its cross-sectoral nature, the GDPR could not have pre-empted all the possible ramifications which the protection of personal data may have in areas such as consumer affairs, competition or employment. (24)
46. That explains why the GDPR makes it possible for Member States to lay down additional, stricter or derogating national rules. The Member States have a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’). (25)
47. The relatively widespread use of that type of clause has undermined the full harmonisation of the protection of personal data. (26) As the Commission has acknowledged, the fact that the GDPR requires Member States to legislate in some areas while providing them with the possibility to specify their own rules in others has led to ‘a degree of fragmentation which is notably due to the extensive use of facultative specification clauses’. (27)
48. The clause of particular importance in this case is that in Article 88(1) of the GDPR. However, it is necessary to examine briefly its relationship with the clause in Article 6(1)(b) and (e) of that regulation, which was done at the hearing.
(a) Article 6(2) of the GDPR
49. Included in Chapter II of the GDPR, which lays down the ‘principles’ underpinning the processing of personal data and, therefore, shaping the general scheme of the system, Article 6(1) sets out the conditions for the lawfulness of processing. In particular, Article 6(1)(a) refers to the data subject’s consent, while Article 6(1)(b) refers to the situation where processing is necessary for the performance of a contract to which the data subject is party.
50. Those conditions are additional to the conditions flowing from the general principles laid down in Article 5 of the GDPR, (28) which are specified in more detail in Articles 7 to 11 of the GDPR as regards consent (Article 7 and, in relation to children’s consent, Article 8), the processing of special categories of personal data (Article 9) or personal data relating to criminal convictions and offences (Article 10) and processing which does not require identification (Article 11).
51. To that set of principles and rules can be added the ‘more specific provisions’ adopted (or maintained) by Member States, in accordance with Article 6(2) of the GDPR, ‘to adapt the application of the rules’ of the GDPR with regard to two particular types of processing, where these are necessary for:
— compliance with a legal obligation (Article 6(1)(c));
— the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)). (29)
52. The provision goes on to stipulate that such ‘adaptation’ of the application of the rules of the regulation is to consist of ‘determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing’, including ‘other specific processing situations as provided for in Chapter IX’.
53. That final phrase of the provision does not have the desired clarity because it is difficult to deduce whether it permits – for the purposes, it must be stressed, of the processing referred to in Article 6(1)(c) and (e) – the adoption of rules governing specific situations other than those already referred to in Chapter IX or whether the latter are the only situations which the GDPR permits for those two types of processing.
(b) Article 88(1) of the GDPR
54. In any event, the opening clause that is relevant here is, I repeat, the clause in Article 88(1) of the GDPR because that is the clause on which the national court focuses. It should be recalled that, in accordance with the wording of that clause, ‘Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context’.
55. Those personal data may be processed, in particular, for the purposes of:
— recruitment, the performance of the contract of employment, (30) management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employers’ or customers’ property;
— the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment; and
— the termination of the employment relationship.
56. The authorisation to adopt those provisions has a certain ‘disharmonising’ effect. The national provisions permitted by Article 88(1) of the GDPR may involve, for one or more Member States, the introduction of differences in the general scheme of the GDPR which go further than the mere function of ‘adaptation’ permitted by Article 6(2) of the GDPR:
— Article 6(2) of the GDPR authorises Member States to adapt the application of certain provisions of the GDPR;
— however, Article 88(1) of the GDPR permits Member States to provide for more specific rules to ensure protection. That relates, therefore, to a greater level of legislative activity which does not occur in the case of the mere adaptation or adjustment of the application of provisions of the GDPR the content and scope of which must be treated as definitive. (31)
4. Paragraph 23 of the HDSIG in conjunction with the GDPR
57. In accordance with Article 88(3) of the GDPR, the Federal Republic of Germany notified the Commission that Paragraph 23 of the HDSIG was one of the legal provisions adopted by that Member State pursuant to Article 88(1) of the GDPR.
58. In my view, which is the same in this respect as that of the referring court and the Commission, Paragraph 23 of the HDSIG does not satisfy the requirement to ‘provide for more specific rules’ for the protection of the rights related to the processing of personal data in the employment context, as established by Article 88(1) of the GDPR.
59. Both the first sentence of Paragraph 23(1) of the HDSIG and the first sentence of Paragraph 86(4) of the HBG merely provide that employees’ and civil servants’ personal data may be processed for the purposes of the employment relationship if that is ‘necessary’ for one of the following purposes:
— the decision on the establishment of the employment relationship or, after the establishment of that relationship, for its implementation, termination or administration; or
— the implementation of internal planning, organisational, personnel and social measures.
60. Strictly speaking, both provisions make the processing of workers’ personal data conditional on this simply being necessary for certain purposes.
61. That requirement is not, therefore, very different from the requirement laid down in Article 6(1)(b) of the GDPR (‘Processing shall be lawful only if … [it] is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’). (32)
62. Paragraph 23 of the HDSIG thus repeats a condition already stipulated by Article 6(1)(b) of the GDPR for the general lawfulness of processing. It does not, however, insert any specific rule to protect rights related to the processing of personal data in the employment context. (33)
63. The same outcome would be reached if the teaching activity at issue had to come under Article 6(1)(e) of the GDPR (that is, if the processing at issue were necessary for the performance of a task carried out in the public interest or in the exercise of official authority). (34)
64. In the cases in points (c) and (e) of Article 6(1) of the GDPR, Article 6(2) thereof, as I indicated above, provides that Member States may maintain or introduce ‘more specific provisions … by determining more precisely specific requirements for the processing …’
65. I would stress that Paragraph 23 of the HDSIG is not a ‘more specific rule’ and that instead it simply permits the processing of employees’ data where this is necessary. It does not go so far as to specify the conditions and terms of any processing in that connection.
66. The German Government counters that view by arguing that it would be ‘impossible and unfeasible’ to reflect in detail the variety of ways in which data are processed in the context of employment. In the German Government’s submission, a legislative provision that provides a basis for processing which, as the case may be, does not require a more specific legal basis should be sufficient. (35)
67. Suffice it to say in response to the foregoing that, however difficult an undertaking it may be, Article 88(3) of the GDPR specifically provides that Member States are to notify to the Commission ‘those provisions of [their] law which [they adopt] pursuant to paragraph 1’ of that article; in other words, not the (basic) provisions on which the provisions laying down more specific rules are founded but those rules themselves. The notification must be individual and explicit. (36)
68. In short, what Paragraph 23 of the HDSIG does is repeat the authorisation already included in Article 88(1) of the GDPR or, to put it another way, it opens the door which enables the subsequent creation (or maintenance) of more specific rules.
69. In addition to not providing per se for ‘more specific rules’ within the meaning of Article 88(1) of the GDPR, Paragraph 23 of the HDSIG does not include ‘suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights’ either.
70. By omitting measures of that kind, Paragraph 23 of the HDSIG fails to fulfil the condition laid down in Article 88(2) of the GDPR in order for differentiating legislation of Member States in the context of employment relationships to be permitted.
71. Since the reference for a preliminary ruling is confined to the scrutiny of legislative provisions and not of collective agreements, I shall not examine the latter (37) and shall instead focus solely on the former.
72. As regards those provisions, the national legislature may not restrict itself, as Paragraph 23(5) of the HDSIG does, to providing that the data controller must take appropriate measures to ensure that ‘the principles for the processing of personal data set out in Article 5 [of the GDPR] are complied with’. That stipulation is superfluous because any data processing must, as a matter of principle and as a minimum, satisfy the conditions laid down in Article 5 of the GDPR.
73. What Article 88(2) of the GDPR governs is the adoption of measures which ensure, in the area of safeguarding, that the specific nature of measures adopted under Article 88(1) of the GDPR is properly reflected. It aims, in short, to ensure that the specific nature of the rules permitted by the latter provision is properly reflected, where appropriate, by the required specificity of the protections to which it refers.
74. If it were accepted that Paragraph 23 of the HDSIG includes a specific rule for the purposes of Article 88(1) of the GDPR, that provision repeats, as far as the protections required by Article 88(2) are concerned, the general protections laid down in Article 5 of the GDPR. Ultimately, it would upset the necessary balance between the specificity of the rules permitted by Article 88(1) of the GDPR and the specificity of the ‘safeguarding’ measures required under Article 88(2) thereof.
75. In short, I believe that Article 88 of the GDPR cannot provide a basis for Paragraph 23 of the HDSIG. The reason is, first, because it does not lay down more specific rules, and, second, because it simply repeats the general protections laid down in Article 5 of the GDPR.
5. Does Paragraph 23 of the HDSIG apply notwithstanding?
76. It remains to be seen whether, notwithstanding the foregoing considerations, Paragraph 23 of the HDSIG may be applicable in the national legal system. That, as I stated above, appears to be what the referring court is ultimately asking.
77. In summary, the question seeks to ascertain whether rules adopted by Member States under the opening clause of Article 88(1) of the GDPR which do not satisfy the requirements of Article 88(2) thereof may be applicable pursuant to other provisions of that regulation.
78. The reply, which assumes that Paragraph 23 of the HDSIG does not include any ‘more specific rules’ within the meaning of Article 88 of the GDPR, (38) can be expressed in two ways:
— Paragraph 23 of the HDSIG becomes irrelevant or superfluous in so far as it does not, strictly speaking, lay down specific measures which safeguard the right of employees to the protection of their personal data in the employment context;
— in that context (employment relationships), the common provisions of the GDPR must be applied directly and principally.
79. A separate matter is the fact that, as the Austrian and Romanian Governments and the Commission have claimed, and as all parties acknowledged at the hearing, there is nothing to prevent a Member State from applying either other provisions of the GDPR or, pursuant to Article 6(2) of that regulation, national provisions which govern the processing of employees’ data in terms which contribute to ‘adapt[ing] the application’ of the GDPR.
V. Conclusion
80. In the light of the foregoing considerations, I propose that the Court of Justice reply as follows to the Verwaltungsgericht Frankfurt am Main (Administrative Court, Frankfurt am Main, Germany):
‘Article 88(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is to be interpreted as meaning that:
A legislative provision adopted by a Member State is a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context only if it meets the requirements laid down by Article 88(2) of Regulation 2016/679.
If that legislative provision does not meet the requirements laid down by Article 88(2) of Regulation 2016/679, it is applicable, where appropriate, only in so far as it may be based on other provisions of that regulation or on national adaptation provisions, as referred to in Article 6(2) thereof.’