- The Zurich Labor Court prohibits the transfer of data to the USA as inadmissible under employment law and affirms its jurisdiction.
- Art. 328b CO is understood as a clear, restrictive offense: Data processing only in the case of suitability or performance of the employment contract.
- Any processing of employee data without reference to the workplace is considered prohibited and remains unlawful even if permitted under data protection law.
- The standard restricts both which data and the type of processing; even obviously work-related personnel data may not be provided.
Update 20 June 2017The OGer ZH ruled to the contrary in December 2016 (judgement LA160028).
Update 23 May 2017The judgment was not appealed and has become final.
The Zurich Labor Court has ruled in a Decision of January 22, 2016 prohibits the transfer of data to U.S. authorities. In doing so, it first maintains the jurisdiction of the labor court:
In the present case, the dispute is inextricably linked to the former employment relationship. Without an employment relationship between the parties, the delivery of the data in question to the USA would not be at issue. Therefore, a dispute under employment law can be assumed without further ado. The subject-matter jurisdiction is to be affirmed.
The ArG then assesses the question of the legal nature of OR 328b. In doing so, the ArG states:
In contrast, Streiff/von Kaenel/Rudolph point out that Art. 328b CO has a far-reaching regulatory content of its own. It restricts the permissible processing of data in the employment relationship to cases relating to the workplace. Viewed correctly, it even breaks an elementary principle of the Data Protection Act, in that data processing is no longer permissible in principle, but is inadmissible in principle, unless it is justified by reference to the suitability of the employee or the performance of the employment contract. Any processing of employee data that does not have a sufficient connection to the workplace is therefore inadmissible. It is therefore not permissible even if it were permitted under the Data Protection Act. Unlike in the area of the Data Protection Act, the existence of a justification does not eliminate the unlawfulness. (STREIFF/VON KAENEL/ RUDOLPH, op. cit, N 3 on Art. 328b CO, in particular with reference to STAEHELIN, Zürcher Kommentar zum Schweizerischen Zivilrecht, N 1 on Art. 328b CO; same opinion OFK-MICHEL PELLASCIO, Zurich 2009, Art. 328b N 2, and PHILIPPE CARRUZZO, Le contrat individuel de travail, Commentaire des articles 319 à 341 du Code des obligations, 2009, Art. 328b CO).
This second view is convincing. The wording of Art. 328b CO is clear and unambiguous. There is nothing at all to interpret about it. The first sentence permits data processing only to the extent that the data about the employee concern his/her suitability for the employment relationship or are necessary for the performance of the employment contract. Any other processing of the data about the employee is thus prohibited and unlawful.
The fact that the legislator may not have been clear about the scope of this standard does not change the fact that the wording is unambiguous. It may also be true that the standard leads to unsatisfactory results in certain cases. However, neither the one nor the other justifies an interpretation past the clear and unambiguous wording of the provision.
From this extraordinarily narrow view – which does not even recognize the need for interpretation, and this despite the fact that the norm is controversial and leads to unsatisfactory results – it would thus have to be concluded that OR 328b represents an independent and absolutely mandatory prohibition norm. However, the ArG apparently does not trust its own result and, to a certain extent for the sake of completeness, also examines the application of DPA 13, but denies the existence of an overriding interest. With reference to DSG 6, it follows that the data transfer is also inadmissible under this provision.
In addition, it follows from the ruling, albeit less clearly, that OR 328b not only limits the circle of employee data to be lawfully processed, but also the manner of their processing, i.e. that the prohibitive effect of this norm refers not only to data, but also to data processing. In this case, therefore, the provision of name, residential address, date of birth, place of origin and the like in particular was prohibited, i.e. data that is in principle undoubtedly related to the workplace.