German privacy laws – a case of hyperdontia?

Article by Dr. Michael Schmidl, LL.M. Eur. (Rechtsanwalt/Maître en Droit), published by BNA International in World Data Protection Report 02/08, p. 3 - 5.

International groups of companies need international employee data transfers. The principles of the European Data Protection Directive of October 24, 1995 (95/46/EC) as implemented in the various Member States’ privacy acts, such as the German Federal Data Protection Act (“FDPA”), require that any data transfer must pass a two-step test.

The first step aims at the national part of the transfer, i.e. it shall make sure that all national data processing requirements contained in the FDPA are respected. At this stage the planned transfer is analysed as if it took place solely in Germany. In other words, the transfer itself must be legitimate. The second step aims at the international part of the transfer, since according to the European Data Protection Directive and correspondingly the FDPA it is unlawful to transfer personal data to non-European Union (“E.U.”)/non-European Economic Area (“E.E.A.”) nations that do not meet the European “adequacy” standards for privacy protection. Such transfers can be legalised on a case-by-case basis (i.e. the fact that the recipient does not provide for an adequate level of data protection remains unchanged). International companies, however, require a framework of rules, such as Model Contracts (i.e. standard contractual clauses), within which the recipients are generally regarded as providing for an adequate level of data protection. In its Decision of December 27, 2004 (2004/915/EC), amending its Decision of June 15, 2001 (2001/497/EC) – now referred to as Set I (“Set I”) – the Commission approved an alternative set of standard contractual clauses for the transfer of personal data to non-E.U./non E.E.A. countries (“Set II”).

In April 2007 the German Düsseldorfer Kreis (“GDK”), a panel in which the German Federal States’ data protection authorities reach agreement on the uniform application of the FDPA, decided inter alia that the alternative set of standard contractual clauses, i.e. Set II, is not adequate for employee data and might therefore have to be amended, since it limits the liability and information obligations of the data exporter, i.e. the employer, compared with his obligations under Set I.

The first part of the following article explains the GDK’s decision regarding the inadequacy of Set II for employee data and comments on why the GDK’s suggestion to modify Set II is problematic and further increases the complexity of German privacy laws. In its second part, it suggests an approach, of how international groups of companies can use Set II without having to modify its clauses.

The transfer of employee data on the basis of Set II

Inadequacy of Set II for employee data

In its aforementioned decision, the GDK made the criticism that Set II does not adequately secure the employees’ rights in cases of international transfers of their data. According to an earlier decision by the GDK the employer (i.e. the data exporter) has to remain the overall point of contact for his employees in addition to the company receiving such data (i.e. the data importer). This “principle of lasting responsibility” is presented as the compensation for the “diversification of responsibilities” entailed by the transfers. According to the GDK such compensation requires inter alia that

1. the employer (i.e. the data exporter) remains obliged to fulfil the employees’ rights to claim information, deletion, correction, blocking and – as a rule – also damages even if the processing with regard to which information, deletion, correction and blocking is claimed was carried out or the damages were caused by the data importer (“Direct Claims”) and
2. b. the data exporter and the data importer agree contractually or in binding company rules (both in identifying the employees as third-party beneficiaries) that the Direct Claims can be raised vis-à-vis the data exporter and that the data exporter has the right to ask support from the data importer regarding the fulfilment of the Direct Claims (“Back-up Agreement”).

In the GDK’s opinion Set II does not provide for such compensations and, more precisely, the deficiency of Set II resides in its Sec. I (d) and III (b), which state the following:

“I. Obligations of the data exporter … (d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time. …

III. Liability and third party rights … (b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).”

The mechanism provided for in Sec. I (d) of Set II allows the data exporter and the data importer to agree on the data importer’s competence to respond to enquiries from data subjects and the authority and the data exporter only needs to reply if the data importer is unwilling or unable to respond and even then only to the extent reasonably possible and with the information reasonably available to the data exporter. This mechanism renders claims for information and potential follow-up claims for deletion, correction and blocking (if and to the extent they are related to the data importer’s processing activities, i.e. Direct Claims) more difficult (e.g due to the data importer being abroad or due to language barriers). Moreover Sec. III (b) does as a rule – liability for insufficient due diligence on the data importer’s adequacy to receive data would have to be regarded as the data exporter’s fault, even if the damage was then caused by the data importer – not provide for the data exporter’s liability for damages caused by the data importer unlike the mechanism provided for in Clause 6 of Set I, which creates joint liability (i.e. allows direct claims). Therefore, also from a liability point of view, Set II impedes Direct Claims.

Set II does not constitute a Back-up Agreement either, on the basis of which the employer could claim the data importer’s support when it comes to fulfilling his employees’ claims for information and potential follow-up claims for deletion, correction and blocking if and to the extent they are related to the data importer’s processing activities, i.e. Direct Claims. This is not only a logical consequence of the fact that the data exporter does not have the unconditional (see above) obligation to fulfil Direct Claims but is also due to the conception of Set II, which at least from its basic approach tries to limit the responsibility of the parties to their respective spheres of influence. As a result the GDK requires that Set II, when used for employee data, be modified in a way as to allow Direct Claims and that the parties agree that the data importer is obliged vis-à-vis the data exporter to provide the latter with all information needed to fulfil these Direct Claims.

Disadvantages of modifying Set II

This solution especially has the following disadvantages: First, it is difficult to negotiate in practice that on the one hand the standard contractual clauses must never be changed in order not to lose their effect of creating an adequate level of data protection (this is also a powerful argument for the European affiliates vis-à-vis its extra-European Parent Company when it comes to concluding a Model Contract) but on the other hand certain types of changes should nevertheless be possible. It is even likely that such changes will trigger further discussions about additional changes, e.g. by one party stating on the occasion of introducing the changes the GDK required “Why not also ‘improve’ other parts of Set II?”.

Secondly, the degree of security for the parties involved to have established a compliant mechanism is reduced. The GDK has not provided a standard language by means of which the deficiencies of Set II could be cured. As a consequence of the attempt to cure the said deficiencies by more or less free drafting of the involved parties, various different versions of Set II will emerge and will eventually be presented to the competent data protection authorities in order to be checked for compliance. This kind of diversity would eventually impede the creation of a uniform European standard in the form of standard contractual clauses, in which parties can trust without knowing the specific changes which the various Member States may require for international transfers of personal data.

Furthermore, should the data exporter be a stock corporation, any commitment to assume liabilities on the part of a German stock corporation for any action taken by the parent company or its (direct or “indirect”) subsidiaries that leads to a liability for damages would qualify as a prohibited repayment of contributions under Sec. 57 German Stock Corporation Act (AktG) and would hence be inadmissible.

Eventually, the requirement to conclude a Back-up Agreement is hardly justified. De lege lata the FDPA does not provide for the need to protect claims against a German company (in this case the employer) under applicable data protection law established by means of a contractual self-commitment enabling the Direct Claims with the help of a back-up guarantee on the part of the data exporter’s parent company. The same applies to any other claims against the employer, whether statutory (claims for the payment of taxes) or contractual (claims for the payment of remuneration) in nature.

Compensation for inadequacy of Set II for employee data and its advantages

Suggested measures to cure the inadequacies of Set II

After having concluded Set II to create an adequate level of data protection at the recipient of the employee data, a possible compensation for the diversification of responsibilities may lie in taking the following measures, not including the Back-up Agreement for the reasons indicated above:

• the employer can promise his existing employees in writing to fulfil their claims for information, correction, blocking and erasure and damages, even if and to the extent such claims are due to the data importer’s processing activities (“Promise”), e.g. by means of the distribution of a corresponding policy and
• the employer can modify the employment contracts for new employees by including the Promise into the employment contract.

The wording for both, the Promise and the suggested clause for the employment contract, is rather similar and could approximately have the following structure and content:

“Information about collection, processing and use of personal data and related claims

1. Collection, processing and use by the employer; purposes

For the purpose of carrying out the employment relationship and especially in order to be able to implement and administrate [•] and [•], for reasons of bookkeeping and [•] (hereinafter collectively referred to as “Purposes”), the employer as controller (“Employer”) in an automated manner collects, processes and uses personal data of the employee at the beginning of and during the employment relationship. The employee’s personal data (hereinafter “Employee Data”) concerned are the following: name, address, date of birth, [•].

2. Transfer of the Employee Data to third parties

The Employer transfers Employee Data to the following third parties with an adequate level of data protection (“Third Parties”): (i) Parent Company Inc., Affiliates of Parent Company Inc. in States inside or outside the E.U./E.E.A., where only persons have access who need to know the Employee Data (e.g. superiors within the Parent Company Inc. or in other group companies for reporting purposes) or who need the access for other reasons (e.g. for IT-administration purposes) and (ii) data processors which assist the Employer in reaching the Purposes described above (e.g. regarding payroll, bonus or stock option plan administration).

3. Claims for information, correction, deletion and blocking (and claims for damages)

The employee has the right to raise claims for information, correction, deletion and blocking (and the right to claim damages) directly against the Employer even if and to the extent such claims are related to the processing of the Employee Data by one of the Third Parties.”

On the basis of such clause, be it in the Promise or in the employment contract, the deficiencies of Set II as identified by the GDK can be cured. Moreover, the Bavarian data protection authority has already acknowledged this point of view and more specifically agreed that no Back-up Agreement is required and that the modification of Set II is not necessary anymore, if the Direct Claims are rendered possible otherwise (i.e. by means of the Promise or the modified employment contract).

Positive side effects of complete information

The suggested steps also have positive side effects. The information in the Promise or the employment contract, as the case may be, fulfils the employer’s notification obligations according to Sec. 4 (3) FDPA and the recipient’s potential, if any, notification obligations according to Sec. 33 FDPA or its equivalent in the laws applicable to the recipient. Even though the employer is not the “receiving controller” as referred to in Sec. 33 FDPA, and Sec. 33 FDPA or an equivalent to it according to the law applicable to the recipient may not have a binding effect for the recipient or may not even exist, it may nevertheless be regarded as the prevailing opinion in Germany and correspondingly as the current practice that exporters (i.e. the German employer) notify the data subjects concerned. It may also be possible to take such notification into consideration (by attributing a positive value to it) in the context of the weighing of interests required according to Sec. 28 (1) first sentence no. 2 FDPA for pre-existing employees (i.e. those who “only” received the information in the Promise in the form of a Policy) or in the context of defining what is required for the fulfilment of the modified (!) employment contract when analysing Sec. 28 (1) first sentence no. 1 FDPA for new employees (i.e. those who already signed the modified employment contract).

If one were to follow this approach the correct fulfilment of information obligations also comes to bear within the analysis of the existence of statutory permissions for data transfers (i.e. the analysis of the first step).

For existing employees the transfers could then be based on Sec. 28 (1) first sentence no. 2, (3) first sentence no. 1 FDPA. For these employees there is a “subsequent matrix” i.e the fact that the employment relationship is group-related has not (yet) been agreed within the scope of the employment contract. The legitimate interests of the employer and the parent company typically are to centralise the administration of staff data and to realise the resulting savings potential by establishing central functions. For the balancing of interests, the Promise will have a positive effect that can even be increased if the Promise provides for information about the specific purposes (e.g. providing access to contact data, staff administration etc.), for the limitation of use to specific purposes and for a list of precisely defined recipients.

As regards new employees, the admissibility of the transfers can be derived from Sec. 28 (1) first sentence no. 1 FDPA because, for reasons of the inclusion of the Promise and the information it contains in the employment contracts for new employees as described above, there is an “initial matrix” and hence an employment relationship that, at least under data protection laws, qualifies as “group-related”. Such employees are being informed about the centralised administration of the employee data even before the conclusion of their employment contracts and provided with detailed information about the data concerned, the purpose of the processing thereof and the recipients. As a consequence the transfer to the parent company as well as the granting of the corresponding access rights serve the purpose of fulfilling the employment contract because some persons holding certain positions within the parent company fulfil tasks (e.g. ensuring availability and “reachability” across the group, efficient and fair global staff administration etc.) on behalf of the employer that must be performed by the latter vis-à-vis (both) his (existing and his new) employees.

Summary and conclusion

The decisions of the GDK have a great impact on how the Federal States’ data protection authorities decide on specific issues. With its decisions as regards intra-group data transfers and the deficiencies of Set II the GDK has made it more difficult for companies to use Set II. The GDK’s suggestion, however, to cure these deficiencies by changing Set II is complicated and potentially disadvantageous to implement.

Instead it is preferable to promise directly vis-à-vis the employees to remain responsible for their claims to correction, deletion, information or blocking and, as long as the employer is not a stock corporation, also their claims for damages (if and to the extent such claims are related to the data importer’s processing activities). Such Promise can be made by means of a Policy for existing employees and, for new employees, by means of a provision in the employment contract.

The positive effect of such Promise, either in a policy or in the contract, also lies in the potentially positive effect of a thorough information fulfilment in the employment contract on later notification obligations according to Sec. 33 FDPA or its equivalent under foreign law, if applicable, which are subject to the data subject not having obtained knowledge of the storage or transfer of the data by other means.

Moreover the full information also has positive effects on the admissibility of transfers of employee data, both as regards pre-existing employees and new employees. In the case of the former because the information contained in the Promise most likely has a positive effect on the weighing of interests according to Sec. 28 (1) first sentence no. 2 FDPA. In the case of the latter because the information contained in the modified employment contract creates – at least from a privacy law point of view – a group-related employment relationship which leads to the admissibility of correspondingly required international transfers of employee data on the basis of Sec. 28 (1) first sentence no. 1 FDPA.