The question of the transfer of employee data (employee data) within the group of companies arises very often. In Switzerland Art. 328b OR relevant (workplace reference of the data). According to the current case law of the Federal Supreme Court However, Art. 328b CO is not to be understood as a prohibition rule, but rather as an employment contract concretization of the data protection processing principles of purpose limitation and proportionality. Art. 328b OR can therefore not a priori prevent a disclosure, but requires – via data protection law – a Weighing of interests in individual cases.
According to the GDPR, the disclosure of employee data within the group requires a legal basis like any other form of processing (i.e., the disclosure and also the subsequent processing require a legal basis, whereby the disclosure by the employer is also subject to employee data protection law and the subsequent processing by the receiving third-party company is only subject to general data protection law). Art. 6 para. 1 lit. f DSGVO, the legitimate interest, comes into question. This is also indicated by recital 48, which mentions, among other things, internal administration within the group as a possible legitimate interest:
(48) Persons responsible for Part of a group of companies or a group of entities that are assigned to a central body may have a legitimate interest in disclosing personal data to within the group of companies for internal management purposes including the processing of personal data of customers and employees. The basic principles for the transfer of personal data within groups of companies to a company in a third country remain unaffected.
However, this does not mean that every disclosure within the Group is permissible if it serves internal management purposes – there always needs to be a Weighing of interests in individual cases, which must (and not only should) be documented according to the GDPR differently than according to the revDSG.
The The Higher Regional Court ofHamm (OLG Hamm) has now ruledthat a specific disclosure was not compatible with Art. 6(1)(f) of the GDPR, essentially because anonymized or pseudonymized data is also sufficient. had. The case concerned a management contract with a group parent company, which had a veto right for employment contracts with a wage above a certain limit. In order to determine the number of corresponding contracts, the parent company carried out a survey of the group companies, asking, among other things, for the names of the employees concerned.
Also no legal basis was § 26 BDSG, the parallel standard to Art. 328b OR in the German Federal Data Protection Act, which in principle permits the processing of employee data insofar as this is “is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination or for the exercise or fulfillment of the rights and obligations of the representation of employees’ interests resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement)”. § Section 26 of the BDSG takes precedence over the GDPR on the basis of Article 88 of the GDPR, but disclosure was not necessary in the present case.
The decision of the OLG is not surprising. Above all, it shows that alternatives must be seriously considered in the always necessary proportionality test – the often somewhat sweeping objection of “business” that a processing purpose cannot be achieved with anonymous data should therefore often be questioned.