Germany: Collective agreements cannot deviate from GDPR

CJEU rules German collective agreements cannot bypass GDPR. Data processing must comply fully with EU standards despite previous local flexibility. Trans-Atlantic data transfers remain contentious.

The Key Points: The CJEU has ruled that German collective agreements cannot override GDPR, meaning all data processing in the workplace must fully comply with EU standards. This reverses earlier national courts’ flexibility.

Why This Matters: Data privacy compliance in employment agreements is now strictly regulated at EU, not national, level. German companies must now ensure works agreements do not introduce unlawful data processing provisions.

What Might Happen Next: Companies and works councils will need to revise or renegotiate any agreements containing data practices that conflict with GDPR. Trans-Atlantic data transfers remain precarious and subject to ongoing legal challenge.

What You Should Be Doing: Audit workplace data processes for GDPR compliance and ensure all new works agreements avoid provisions that may contravene EU law.

ADDITIONAL INFORMATION:

You can read the details of the case and the decision of the CJEU in this CMS article