It is virtually impossible to examine the data protection aspects of a project without taking into account the company's works council. Legal interpretations as to whether works councils have the right to participate in decisions or must only be informed can vary greatly.
One aspect must be considered, however: the German Federal Data Protection Act applies as soon as paper is replaced by digital data or digital documents, or when processes are represented in digital form.
Therefore the requirement under data protection legislation, namely that the consent of all company employees is required to continue processing personal data in a digital form, is of legal relevance in this context. This consent may be provided individually or on the basis of a works council agreement in the case of larger companies. And this is where the works council gets involved. In addition to the data protection representative, it plays an important role in ensuring compliance with the data protection requirements.
These include serious errors with regard to controlling access to personal data or documents. Described in detail in the Federal Data Protection Act in the schedule for sec. 9, this area includes provisions on access, data carrier or transmission control. In this case, it would be wise to choose an experienced software provider with a contractual agreement for contract data processing, in order to set out, for example, the maintenance of the software. It is also recommended that a data protection representative (external or internal) be involved to verify general compliance with the provisions under data protection legislation. Another stumbling block in this context may be the already mentioned lack of a works council agreement, which can significantly slow down the progress of the project.
The works council and the issue of data protection are closely linked, since the works council often has more of a presence in the company than the data protection representative, who may be an external appointment.
Therefore, the success of a digitisation project in the HR segment requires that the works council and data protection representative are involved in the project at a very early stage. A refusal to get involved on the part of the works council is often due to a lack of knowledge and lack of transparency. On the other hand, if the employees in charge are involved early on and are convinced by a detailed security concept, most works councils will view the introduction of these new systems with much less suspicion than a few years ago.
The Federal Data Protection Act does not provide for legal deletion periods with regard to digital personal data, but sets out a general reminder regarding data avoidance and data frugality.
The obligation to retain documents, which is found in tax legislation and stipulates a ten-year period for tax documents and a six-year period for social security documents, offers some guidance in this regard. This has led to the general practice of deleting data that is no longer needed after six and ten years.
I think it is important to ensure that the use-related aspects are communicated to all target groups in a transparent manner. In this context, it is important to clearly define all of the advantages that will create the greatest benefit for the company, and to communicate these accordingly.
In addition, these use-related aspects should be identified in a comprehensive manner for all departments. This includes in particular the aspect of modernity, namely the ability of the company to ensure its future existence and secure workplaces in the company over the long term. This is of course also of great interest to the works council.
We will be happy to tell you more about data protection in a personal meeting.