The general principle already applying under current data protection law remains unchanged under the new GDPR: collecting, using and transmitting personal data is prohibited unless expressly permitted by law, a works agreement or a collective bargaining agreement. Furthermore, it will still be possible for an employee to give his/her consent to the collection, use or transfer of his/her personal data.
However, please note that consent given under the current BDSG will only remain valid under the new GDPR insofar as such consent already meets the requirements of the GDPR. Unlike the current BDSG, the GDPR contains concrete requirements that need to be fulfilled in order for such consent given by the employee to be valid. These requirements will be incorporated into the new BDSG. In particular, the employer has to explain the purpose of the consent to the employee and inform him/her about his/her right to revoke said consent. Both need to be done in text form. Due to these changes, existing declarations of consent submitted by employees should be reviewed for compliance with the GDPR and the new BDSG as of 25 May 2018.
Companies should further note that infringements of data protection provisions will be punished more severely under the GDPR and the new BDSG. The scope for setting fines will be increased to fines of up to EUR 20,000,000; for companies with worldwide revenue of at least EUR 500,000,000, the fine may even amount to 4 % of their worldwide revenue.
The employee’s right to information will also be significantly extended. An employee may request information from his/her employer as to whether personal data on him/her is being processed and, if so, which data exactly. It is, therefore, highly recommended to evaluate whether the current company data processing is in accordance with the new regulations.