Judgment of the Court (Eighth Chamber) of 19 December 2024. MK v K GmbH.
• 62023CJ0065 • ECLI:EU:C:2024:1051
- Inbound citations: 0
- •
- Cited paragraphs: 0
- •
- Outbound citations: 7
Provisional text
JUDGMENT OF THE COURT (Eighth Chamber)
19 December 2024 ( * )
( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 88(1) and (2) – Processing in the context of employment – Employees’ personal data – More specific rules provided for by a Member State pursuant to that Article 88 – Obligation to comply with Article 5, Article 6(1) and Article 9(1) and (2) of that regulation – Processing on the basis of a collective agreement – Margin of discretion of the parties to the collective agreement as regards the necessity of the processing of personal data provided for by that agreement – Scope of judicial review )
In Case C‑65/23,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesarbeitsgericht (Federal Labour Court, Germany), made by decision of 22 September 2022, received at the Court on 8 February 2023, in the proceedings
MK
v
K GmbH,
THE COURT (Eighth Chamber),
composed of N. Jääskinen (Rapporteur), President of the Ninth Chamber, acting as President of the Eighth Chamber, M. Gavalec and I. Ziemele, Judges,
Advocate General: L. Medina,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– MK, by J. Zäh, Rechtsanwalt,
– K GmbH, by B. Geck, Rechtsanwältin,
– Ireland, by M. Browne, Chief State Solicitor, A. Joyce and M. Tierney, acting as Agents, and by D. Fennelly, Barrister-at-Law,
– the Italian Government, by G. Palmieri, acting as Agent, and by G. Natale, avvocato dello Stato,
– the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 82(1) and of Article 88(1) and (2), read in conjunction with Article 5, Article 6(1) and Article 9(1) and (2), of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).
2 The request has been made in proceedings between MK, a natural person, and K GmbH, his employer, concerning compensation for the non-material damage which that person claims to have suffered on account of the processing of his personal data by that company on the basis of a works agreement.
Legal context
European Union law
3 Recitals 8, 10 and 155 of the GDPR are worded as follows:
‘(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. … This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
…
(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.’
4 Article 4 of that regulation, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means …
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…’.
5 Chapter II of the GDPR, entitled ‘Principles’, comprises Articles 5 to 11 of that regulation.
6 Article 5 of that regulation, entitled ‘Principles relating to processing of personal data’, provides:
‘1. Personal data shall be:
…
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
…
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
7 Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
… That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. …
…’.
8 Article 9 of that regulation, entitled ‘Processing of special categories of personal data’, is worded as follows:
‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
…’.
9 In Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, Article 82 of that regulation, itself entitled ‘Right to compensation and liability’, provides, in paragraph 1:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
10 In Chapter IX of the GDPR, entitled ‘Provisions relating to specific processing situations’, Article 88 of that regulation, itself entitled ‘Processing in the context of employment’, provides, in paragraphs 1 and 2:
‘1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
2. Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.’
11 Article 99 of the GDPR, entitled ‘Entry into force and application’, is worded as follows:
‘1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .
2. It shall apply from 25 May 2018.’
German law
12 Paragraph 26 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. 2017 I, p. 2097; ‘the BDSG’), entitled ‘Data processing for the purposes of the employment relationship’, provides, in subparagraphs 1 and 4:
‘(1) Employees’ personal data may be processed for the purposes of an employment relationship where this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination or for the exercise or discharge of the rights and obligations arising from the representation of employees’ interests and laid down by law or a collective bargaining agreement or a private or public-sector works agreement concluded with the employer (collective agreement). …
…
(4) The processing of personal data, including special categories of personal data of employees, for the purposes of an employment relationship is permitted on the basis of collective agreements. In this context, the negotiating partners shall comply with Article 88(2) of [the GDPR].’
The dispute in the main proceedings and the questions referred for a preliminary ruling
13 The applicant in the main proceedings is employed by the defendant in the main proceedings, a company governed by German law, and is chairman of the works council set up within that company.
14 Initially, that company processed certain personal data of its employees in the context of the use of software called ‘SAP’ (‘the SAP software’), including for accounting purposes, and it concluded, with its works council, several works agreements in that regard.
15 In 2017, the D group of companies, to which the defendant in the main proceedings belongs (‘the D group’), introduced, throughout that group, the cloud-based software called ‘Workday’ (‘the Workday software’) as a single personnel information management system. In that context, the defendant in the main proceedings transferred various personal data of its employees from the SAP software to a server of the D group’s parent company in the United States.
16 On 3 July 2017, the defendant in the main proceedings and its works council concluded an agreement confirming acquiescence as regards the introduction of the Workday software (‘the works agreement confirming acquiescence’), which prohibited, inter alia, the use of that software for human resources management purposes, such as the appraisal of a worker, during the test phase. According to Annex 2 to that agreement, the only categories of data which could be transferred for the purpose of populating the Workday software were the personal identification number allocated to the worker within the D group, his or her surname, his or her first name, his or her telephone number, the date on which he or she took up his or her post in the company concerned, the date on which he or she took up his or her post in the D group, his or her place of work, the name of the company concerned as well as his or her work telephone number and work email address. The effects of that agreement were extended until the entry into force of a final works agreement, concluded on 23 January 2019.
17 In that context, the applicant in the main proceedings brought, before the Arbeitsgericht (Labour Court, Germany) and then before the Landesarbeitsgericht (Higher Labour Court, Germany) – which have territorial jurisdiction – applications for access to certain information, erasure of data concerning him and the award of compensation. The applicant claimed, inter alia, that the defendant in the main proceedings had transferred, to the parent company’s server, personal data concerning him, some of which were not mentioned in the works agreement confirming acquiescence, in particular his private contact information, contractual and remuneration details, his national insurance and tax identification numbers, his nationality and his marital status.
18 As he did not obtain full satisfaction, the applicant in the main proceedings brought an appeal on a point of law before the Bundesarbeitsgericht (Federal Labour Court, Germany), which is the referring court. Only that applicant’s claim for compensation, on the basis of the GDPR, for the non-material damage that he allegedly suffered as a result of the unlawful processing of his personal data by means of the Workday software, during the period from the first day on which that regulation became applicable, namely 25 May 2018, until the end of the first quarter of 2019, is still pending.
19 As regards the unlawfulness of that processing, the applicant in the main proceedings claims, first, that that processing was not necessary for the purposes of the employment relationship, for which the defendant in the main proceedings at the time used the SAP software, or for the purpose of testing the Workday software, since the use of dummy data would have been sufficient for that purpose and would have ensured that no actual data would be made accessible within the D group. Secondly, even if the works agreement confirming acquiescence could constitute a valid basis for that processing, the authorisation contained therein was exceeded, since that defendant transmitted data other than those provided for in Annex 2 to that agreement. Lastly, the burden of proving that that defendant’s actions comply with the GDPR lies with that defendant.
20 The defendant in the main proceedings contends that the processing at issue complies with the requirements of the GDPR, that the burden of proof lies with the applicant in the main proceedings and that he has not demonstrated either the existence of non-material damage or a causal link between a possible infringement of that regulation and the alleged damage.
21 The referring court takes the view that the operations challenged by the applicant in the main proceedings fall within the material scope of the GDPR, since they constitute ‘processing’ of ‘personal data’ of that ‘data subject’, within the meaning of Article 4(1) and (2) of that regulation. In addition, it states that the defendant in the main proceedings is a ‘controller’, within the meaning of Article 4(7) of that regulation. As regards the temporal scope of that regulation, it observes that while processing did start before the date on which that instrument became applicable, it nevertheless continued after that date, on account of several extensions of the initial effects of the works agreement confirming acquiescence.
22 In that context, the referring court asks, in the first place, whether a provision of national law governing the processing of personal data for the purposes of employment relationships which provides, in essence, that such processing carried out on the basis of collective agreements is lawful subject to compliance with Article 88(2) of the GDPR, such as Paragraph 26(4) of the BDSG, is compatible with that regulation or whether, for that purpose, the processing concerned must also comply with other provisions of that regulation. That court is inclined to take the view that, where the processing of employees’ personal data is governed by a ‘collective agreement’, within the meaning of Article 88 of the GDPR, that processing cannot depart from the requirements arising not only from that Article 88, but also from Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, in particular as regards the criterion of the necessity of processing laid down in those three latter provisions.
23 In the second place, if its first question is answered in the affirmative, the referring court asks whether the parties to such a collective agreement are entitled to a margin of discretion which should be subject only to limited judicial review as regards the assessment of the necessity of the processing concerned, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of the GDPR. In its opinion, that view may find support in the argument that those parties are very close to the day-to-day running of the company and, as a rule, will have achieved an appropriate balance between the interests involved. Nevertheless, the Court’s case-law relating to other acts of EU law, in particular the judgments of 7 February 1991 in Nimz (C‑184/89, EU:C:1991:50), and of 20 March 2003 in Kutz-Bauer (C‑187/00, EU:C:2003:168), suggests rather that the provisions of a collective agreement falling within the scope of EU law cannot be contrary to EU law and that, if necessary, such provisions should be disregarded.
24 In the third place, if the answer to its second question is in the affirmative, the referring court wishes to know the assessment criteria to which it should, where appropriate, limit its judicial review.
25 Lastly, the fourth to sixth questions initially submitted by that court, before being withdrawn by it, concerned, in essence, the right to compensation for non-material damage under Article 82(1) of the GDPR.
26 In those circumstances, the Bundesarbeitsgericht (Federal Labour Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is a national legal provision that has been adopted pursuant to Article 88(1) of [the GDPR] – such as Paragraph 26(4) of the [BDSG] – and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) of the GDPR, to be interpreted as meaning that the other requirements of [the GDPR] – such as Article 5, Article 6(1) and Article 9(1) and (2) of [the GDPR] – must always also be complied with?
(2) If the answer to Question 1 is in the affirmative:
May a national legal provision adopted pursuant to Article 88(1) of [the GDPR] – such as Paragraph 26(4) of the BDSG – be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of [the GDPR] that is subject to only limited judicial review?
(3) If the answer to Question 2 is in the affirmative:
In such a case, to what is the judicial review to be limited?
(4) Is Article 82(1) of [the GDPR] to be interpreted as meaning that a person is entitled to compensation for non-material damage when his or her personal data have been processed contrary to the requirements of [the GDPR], or does the right to compensation for non-material damage additionally require that the data subject demonstrate non-material damage – of some weight – suffered by him or her?
(5) Does Article 82(1) of [the GDPR] have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) of [the GDPR]?
(6) Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) of [the GDPR]? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?’
Procedure before the Court
27 By decision of the President of the Court of 24 January 2024, the judgments of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data) (C‑300/21, EU:C:2023:370); of 14 December 2023, Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:986); of 14 December 2023, Gemeinde Ummendorf (C‑456/22, EU:C:2023:988); of 21 December 2023, Krankenversicherung Nordrhein (C‑667/21, EU:C:2023:1022); and of 25 January 2024, MediaMarktSaturn (C‑687/21, EU:C:2024:72), were notified to the referring court in order for it to clarify whether, in the light of those judgments, it wished to maintain its request for a preliminary ruling, specifically as regards the fourth to sixth questions.
28 By decision of the President of the Court of 15 March 2024, the proceedings were stayed, pursuant to Article 55(1)(b) of the Rules of Procedure of the Court of Justice, pending receipt of the reply to the question thus raised.
29 By written communication received at the Court on 8 May 2024, the referring court informed the Court that it was withdrawing its fourth to sixth questions, but was maintaining its first to third questions.
Admissibility of the request for a preliminary ruling
30 The defendant in the main proceedings contends that the first to third questions are inadmissible on the ground that they are not relevant to the outcome of the dispute before the referring court. In essence, it claims that the applicant in the main proceedings does not challenge the content of the works agreement applicable in the case at hand, rather it complains that the limits of that agreement have been exceeded by the data processing at issue, with the result that that dispute does not concern an infringement of the requirements of Article 88 of the GDPR relating to such an agreement. Moreover, those questions are hypothetical in that they are intended to enable that court to review the lawfulness of that processing as a whole, and not solely in relation to the aspects challenged by the applicant in the main proceedings.
31 In that connection, according to settled case-law, it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court, which enjoy a presumption of relevance. If, therefore, the question referred concerns the interpretation or validity of a rule of EU law, the Court is, in principle, required to give a ruling, unless it is quite obvious that the interpretation sought bears no relation to the actual facts of the main action or to its purposes or where the problem is hypothetical or the Court does not have before it the factual or legal material necessary to give a useful answer to the question submitted to it (judgment of 20 June 2024, Scalable Capital , C‑182/22 and C‑189/22, EU:C:2024:531, paragraph 18 and the case-law cited).
32 In the present case, the first to third questions concern the interpretation of several provisions of EU law, specifically Article 88 of the GDPR, read in conjunction with Articles 5, 6 and 9 thereof. In addition, the referring court takes the view that the limits laid down by the works agreement applicable in the case at hand, which it refers to as a ‘collective agreement’ within the meaning of that regulation, have been exceeded and that the processing of personal data at issue in the main proceedings must be examined as a whole, since it may be unlawful both in the light of subparagraph 1 of Paragraph 26 of the BDSG and of subparagraph 4 thereof, which expressly refers to Article 88 of the GDPR.
33 It follows that the request for a preliminary ruling is admissible.
Consideration of the questions referred
The first question
34 By its first question, the referring court asks, in essence, whether Article 88(1) and (2) of the GDPR must be interpreted as meaning that a provision of national law which concerns the processing of personal data for the purposes of employment relationships and has been adopted pursuant to Article 88(1) of that regulation must have the effect of requiring its addressees to comply not only with the requirements arising from Article 88(2) of that regulation, but also with those arising from Article 5, Article 6(1) and Article 9(1) and (2) thereof.
35 In that regard, it should be recalled that the GDPR seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, complete. However, certain provisions of that regulation make it possible for Member States to lay down additional, stricter or derogating national rules and leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’) (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraph 51 and the case-law cited).
36 Article 88 of the GDPR, on the processing of personal data in the context of employment, determines the conditions under which Member States may provide for ‘more specific rules’, by law or by collective agreements, to ensure the protection of the rights and freedoms of employees concerned by such processing. Recital 155 of that regulation states, inter alia, that the concept of ‘collective agreement’, within the meaning of that Article 88, includes ‘works agreements’, such as that at issue in the main proceedings. Furthermore, Articles 5, 6 and 9 of the GDPR set out, respectively, the principles relating to processing of personal data, the criteria for processing to be lawful and the rules relating to processing of special categories of such data.
37 According to settled case-law, the terms of a provision of EU law, such as Article 88 of the GDPR, which makes no express reference to the law of the Member States for the purposes of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union, having regard, inter alia, to the wording of the provision concerned, to the objectives pursued by that provision and to its context (see, by analogy, judgment of 14 December 2023, Natsionalna agentsia za prihodite , C‑340/21, EU:C:2023:986, paragraph 23 and the case-law cited).
38 First, it is apparent from the wording of Article 88 of the GDPR that paragraph 1 of that article requires that the ‘more specific rules’ permitted by that provision have a normative content specific to the area regulated, which is distinct from the general rules of that regulation, while paragraph 2 of that article circumscribes, in accordance with the objective of harmonisation pursued by that regulation, the discretion of the Member States which intend to adopt national legislation on the basis of that paragraph 1 (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraphs 61, 65, 72 and 75).
39 However, that wording does not provide any express indication as to whether the ‘more specific rules’ that the Member States thus have the possibility of adopting must seek to ensure compliance only with the requirements laid down in Article 88(2) of the GDPR or also with those of other provisions of that regulation, so that the processing of personal data carried out pursuant to such rules should also comply with those latter provisions.
40 Secondly, as regards the objectives of Article 88 of the GDPR, the Court has previously held that that article constitutes an ‘opening clause’ and that the option given to Member States by paragraph 1 thereof, in the light of the specific features of such processing, is explained, in particular, by the existence of a relationship of subordination between the employee and the employer. The Court has stated that the conditions laid down in Article 88(2) of that regulation reflect the limits of the discretion left to the Member States, in that the lack of harmonisation connected with that discretion may be accepted only where the differences that remain are accompanied by specific and suitable safeguards intended to protect employees’ rights and freedoms with regard to the processing of their personal data in the employment context (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraphs 52, 53 and 73).
41 In addition, the Court has stated that, when the Member States exercise the option granted to them by Article 88 of the GDPR, they must use their discretion under the conditions and within the limits laid down by the provisions of that regulation and must therefore legislate in such a way as not to undermine the content and objectives of that regulation, which is intended in particular to ensure a high level of protection of the rights and freedoms of the data subjects concerned by such processing, as is apparent from recital 10 thereof. Consequently, the rules adopted by a Member State on the basis of Article 88 must have the objective of protecting the rights and freedoms of employees with respect to the processing of their personal data (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraphs 54, 59, 62 and 74).
42 However, in order not to undermine all of those objectives, and in particular that of ensuring a high level of protection for employees where their personal data are processed in the employment context, Article 88 of the GDPR cannot be interpreted as meaning that the ‘more specific rules’ which the Member States have the option of adopting pursuant to that article could have the purpose or effect of circumventing the obligations of the controller or processor resulting from other provisions of that regulation.
43 It follows that Article 88(1) and (2) of the GDPR must be interpreted as meaning that, even where Member States rely on that article in order to introduce, into their respective national legal systems, ‘more specific rules’, by law or by collective agreements, the requirements arising from the other provisions that are specifically referred to in the present question, namely Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, must also be satisfied. That applies, in particular, to compliance with the criterion of the necessity of processing laid down in those provisions, on which the referring court specifically seeks clarification.
44 Thirdly, the context of Article 88 of the GDPR supports that interpretation.
45 Article 88 of the GDPR appears in Chapter IX thereof, entitled ‘Provisions relating to specific processing situations’, while Articles 5, 6 and 9 of that regulation appear in Chapter II thereof, entitled ‘Principles’, which is therefore more general in scope. Furthermore, it is clear from the wording of that Article 6, which expressly refers, in paragraphs 2 and 3 thereof, to the provisions of that Chapter IX, that the conditions of lawfulness laid down in that Article 6 are binding, including in the ‘specific … situations’ governed by the provisions of that Chapter IX.
46 In addition, it is settled case-law that any processing of personal data must observe the principles governing the processing of such data and the rights of the data subject set out, respectively, in Chapters II and III of the GDPR. In particular, it must comply with the principles relating to the processing of those data provided for in Article 5 of that regulation and satisfy the conditions for lawful processing listed in Article 6 thereof (see, to that effect, judgments of 2 March 2023, Norra Stockholm Bygg , C‑268/21, EU:C:2023:145, paragraph 43, and of 11 July 2024, Meta Platforms Ireland (Representative action) , C‑757/22, EU:C:2024:598, paragraph 49 and the case-law cited).
47 As regards, specifically, the relationship between Article 88 of the GDPR and other provisions of that regulation, the Court has stated, in particular in the light of recital 8 thereof, that, notwithstanding the possible existence of ‘more specific rules’ adopted by the Member States on the basis of Article 88(1) of that regulation, all processing of personal data must comply with the obligations arising from the provisions of Chapters II and III of that regulation and, in particular, from Articles 5 and 6 thereof (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraphs 67 to 71).
48 Similarly, the obligations resulting from Article 9 of the GDPR must be complied with when any processing of personal data covered by that regulation is carried out, including where there are ‘more specific rules’ adopted pursuant to Article 88(1) thereof. That Article 9, which governs the processing of special categories of personal data listed therein, appears in Chapter II of that regulation, as is the case with Articles 5 and 6 thereof, the requirements of which can, moreover, be applied concurrently with those arising from that Article 9 (see, to that effect, judgment of 21 December 2023, Krankenversicherung Nordrhein , C‑667/21, EU:C:2023:1022, paragraphs 73, 77 to 79). Furthermore, that interpretation is consistent with the purpose of that Article 9, namely to ensure enhanced protection against processing which, because of the particular sensitivity of the data processed, is liable to constitute a particularly serious interference with the fundamental rights of data subjects (see, to that effect, judgment of 4 October 2024, Lindenapotheke , C‑21/23, EU:C:2024:846, paragraph 89 and the case-law cited).
49 Thus, where the law of a Member State contains ‘more specific rules’, within the meaning of Article 88(1) of the GDPR, the processing of personal data covered by those rules must comply not only with the conditions laid down in paragraphs 1 and 2 of that article, but also with those laid down in Articles 5, 6 and 9 of that regulation, as interpreted by the case-law of the Court.
50 In the light of the foregoing, the answer to the first question is that Article 88(1) and (2) of the GDPR must be interpreted as meaning that a provision of national law which concerns the processing of personal data for the purposes of employment relationships and has been adopted pursuant to Article 88(1) of that regulation must have the effect of requiring its addressees to comply not only with the requirements arising from Article 88(2) of that regulation, but also with those arising from Article 5, Article 6(1) and Article 9(1) and (2) thereof.
The second question
51 By its second question, the referring court asks, in essence, whether Article 88(1) of the GDPR must be interpreted as meaning that, where a collective agreement falls within the scope of that provision, the margin of discretion that the parties to that agreement have to determine whether the processing of personal data is ‘necessary’, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, has the effect of preventing the national court from carrying out a full judicial review in that regard.
52 First of all, it must be recalled that, as has been stated in paragraph 41 above, the Member States exercising the option granted to them by Article 88 of the GDPR must use their discretion under the conditions and within the limits laid down by the provisions of that regulation, thereby ensuring that the ‘more specific rules’ that they introduce into their national legal systems do not undermine the content and objectives of that regulation. Those rules must seek, in particular, to ensure a high level of protection of employees’ freedoms and fundamental rights with regard to the processing of their personal data in the employment context.
53 As regards the scope of the judicial review that may be carried out with regard to such specific rules, the Court has already held that it is for the national court seised, which alone has jurisdiction to interpret national law, to assess whether those rules do indeed comply with the conditions and limits laid down, in particular, in Article 88 of the GDPR. In accordance with the principle of the primacy of EU law, if that court finds that the provisions of national law concerned do not comply with those conditions and limits, it must then disregard those provisions. In the absence of more specific rules that comply with the requirements of that Article 88, the processing of personal data in the employment context is directly governed by that regulation (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer , C‑34/21, EU:C:2023:270, paragraphs 80, 82 to 84 and 89).
54 Those considerations also apply to the parties to a collective agreement referred to in Article 88 of the GDPR, such as that at issue in the main proceedings. As the European Commission stated, in essence, in its written observations, the parties to a collective agreement are to be entitled to a margin of discretion equivalent, in particular as regards its limits, to that afforded to the Member States, since the ‘more specific rules’ referred to in paragraph 1 of that Article 88 may result, inter alia, from collective agreements. Recital 155 of that regulation also states that such rules may be provided for in Member State law or in collective agreements, including ‘works agreements’.
55 Thus, notwithstanding the margin of discretion that Article 88 of the GDPR leaves to the parties to a collective agreement, the judicial review carried out with regard to such an agreement must, like that relating to a rule of national law adopted pursuant to that provision, be able to cover without any restriction compliance with all of the conditions and limits laid down by the provisions of that regulation for the processing of personal data.
56 Next, it should be stated that such judicial review must, specifically, seek to verify whether the processing of such data is necessary, within the meaning of Articles 5, 6 and 9 of the GDPR. In other words, Article 88 of that regulation cannot be interpreted as meaning that the parties to a collective agreement have a margin of discretion which would allow them to introduce ‘more specific rules’ resulting in that requirement of necessity being applied less strictly or even disregarded.
57 It is true, as the referring court and Ireland have observed in essence, that the parties to a collective agreement are generally well placed to assess whether data processing is necessary in a given professional context, since those parties usually have extensive knowledge of the specific needs arising in the field of employment and in the sector of activity concerned. However, such an assessment process must not lead to those parties reaching compromises, on the basis of economic or practical considerations, which would be liable improperly to undermine the GDPR’s objective of ensuring a high level of protection of employees’ freedoms and fundamental rights with regard to the processing of their personal data.
58 Therefore, an interpretation of Article 88 of the GDPR according to which national courts could not carry out a full judicial review with regard to a collective agreement, in particular in order to ascertain whether the justifications put forward by the parties to that agreement establish that the processing of personal data under that agreement is necessary, would not be compatible with that regulation, having regard to the objective of protection referred to in the preceding paragraph of the present judgment.
59 Lastly, it must be stated that, if the national court seised were to find, following its review, that certain provisions of the collective agreement concerned do not comply with the conditions and limits laid down by the GDPR, it would then be required to disregard those provisions, in accordance with the case-law referred to in paragraph 53 above.
60 In the light of the foregoing considerations, the answer to the second question is that Article 88(1) of the GDPR must be interpreted as meaning that, where a collective agreement falls within the scope of that provision, the margin of discretion that the parties to that agreement have to determine whether the processing of personal data is ‘necessary’, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, does not prevent the national court from carrying out a full judicial review in that regard.
The third question
61 In view of the answer to the second question, there is no need to answer the third question.
Costs
62 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Eighth Chamber) hereby rules:
1. Article 88(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that a provision of national law which concerns the processing of personal data for the purposes of employment relationships and has been adopted pursuant to Article 88(1) of that regulation must have the effect of requiring its addressees to comply not only with the requirements arising from Article 88(2) of that regulation, but also with those arising from Article 5, Article 6(1) and Article 9(1) and (2) thereof.
2. Article 88(1) of Regulation 2016/679
must be interpreted as meaning that, where a collective agreement falls within the scope of that provision, the margin of discretion that the parties to that agreement have to determine whether the processing of personal data is ‘necessary’, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of that regulation, does not prevent the national court from carrying out a full judicial review in that regard.
[Signatures]
* Language of the case: German.