GIS
Publications

No mandatory co-determination in relation to data protection

Cologne, 05.11.2025

Virtually every IT system collects data which can be linked to a specific person – from electronic access systems to the ever-present office applications. When such systems are deployed in a company as a rule there is a right of co-determination in accordance with Section 87 (1) no. 6 of the German Works Council Constitution Act (Betriebsverfassungsgesetz, BetrVG). Specifics regarding the design of software are then generally laid down in a Works Agreement. Such negotiations typically take months and delay the introduction of innovative technology. It is usually data protection that employers and Works Councils argue about.

The decision

Less internal bureaucracy

The Hesse Regional Labour Court (Landesarbeitsgericht, LAG) has made an important ruling that is extremely helpful for companies and above all may contribute to accelerating negotiations about implementing new IT systems (Hesse LAG, decision dated 05/12/2024, 5 TaBV 4/24). The subject of this dispute was the introduction of the “HCM – People Engine” IT system to manage employees’ master data. A Works Agreement could only be negotiated in a Conciliation Committee with a neutral chairperson. This Works Agreement did not contain any specific provisions on data protection. Shortly afterwards the Works Council contested the outcome of the Conciliation Committee, considering this to be unlawful and an error in judgment on the grounds of the lack of provisions on data protection.

The Hesse LAG confirmed the lawfulness of the Works Agreement and dismissed the Works Council’s request to appeal the decision. The Court held that its findings were based on section 87 (1) BetrVG and there was no mandatory right of co-determination in matters related to data protection. The provisions of the General Data Protection Regulation (GDPR) are conclusive and must be observed. Art. 88 GDPR and section 26 (4) of the German Data Protection Act (BDSG) contain nothing to the contrary. According to these provisions, both parties are indeed entitled to agree specific regulations on data protection (whereby the protective effect of GDPR may not be reduced, cf. CJEU, judgment dated 19/12/2024, C-65/23). Such regulations are, however, voluntary and could therefore not be insisted upon by the Works Council. A Conciliation Committee may, therefore, not agree any independent provisions on data protection.

Practical consequences

(Group) Works Agreements regarding IT systems are frequently overloaded with detailed regulations on data protection. Negotiations between the Works Councils and employers have also become correspondingly difficult. This then leads to bureaucracy which cripples the process and weakens Germany as a business location.

The decision of the Hesse LAG shows that this bureaucracy is unnecessary. If all parties at the negotiating table are aware that data protection is irrelevant here (because legislation has already regulated everything and the parties are not permitted to agree any provisions that are contrary to data protection law) then negotiations will be faster. 

Work Agreements regarding IT systems should be restricted to the measures necessary. Typical areas of regulation are:

  • Description of the system and the type of products used
  • Description of the intended purposes
  • Description of the access/administrator rights
  • Interfaces to other systems
  • Description of potential conduct and performance monitoring

The following are not to be the subject of mandatory codetermination:

  • Structure of the data protection
  • Prohibitions on handling evidence (such as in judicial proceedings)

Regulations on data protection may therefore only be concluded in cases of voluntary co-determination (section 88 BetrVG in conjunction with Art. 88 GDPR)). Such provisions are not mandatory in this respect. If discussions are restricted to these points which require regulation this may accelerate future negotiations. The LAG’s decision is the best supporting argument for this. Worries that workforce rights may be curtailed are completely unfounded. In any case employers must continue to maintain the high level of data protection and Works Councils’ right to information also remains unchanged (section 80 (1) BetrVG).

If you require any further information on this topic please contact us and we will be happy to help.

Downloads

Autoren

Jens Völksen, Portrait

Jens Völksen
Counsel
+49 221 33660 504

 Newsletter Icon

We inform you about current legal developments in the areas relevant to you.

Subscribe to our Newsletter

Hände die etwas in eine Laptop Tastatur eingeben

Privacy settings

We are using Piwik to improve our site by analysing user behaviour. This service can set cookies and will learn about your IP address. It might use this information to follow your activities and identify you on the Web (Tracking). You may withdraw your consent to this at any time. For further information please read our privacy policy.

Privacy policy