The domestic law to be reviewed against the background of the GDPR is Section 23 of the Hessian Data Protection and Freedom of Information Act (HDSIG). It states that personal data of employees may be processed "for the purposes of the employment relationship". However, this is only the case if the data processing is necessary "after the employment relationship has been established for its implementation, termination or settlement". There is no further specification or guidance on how Sec. 23 HDSIG is to be interpreted or applied. This is why the judges asked the CJEU for further guidance.
The CJEU's decision will be significant for all EU member states with similar data protection regulations. The ruling will not only impact schools - it can also be extended to employment relationships in businesses all across the EU. This is particularly important as the Covid-19 pandemic has made companies more dependent than ever on video conference systems. Therefore, the case brought up to the CJEU will clearly set a precedent for many constellations of similar kind.
The problem rests on the structure of the GDPR and its interplay with domestic privacy laws. In certain areas, and employment relations is one of them, the GDPR leaves room for domestic legislation. National laws such as the German Federal Data Protection Act (BDSG) did not become obsolete when the GDPR came into force. Those laws had to be revised in order to fill the gaps the GDPR has left. In federal states like Germany, there is even a third layer of data privacy legislation. However, these laws must also be in line with the GDPR.
The important question that the CJEU must now address is: what substantive requirements must a domestic provision fulfil in order to be a "specific provision" within the meaning of Articvle 88(1) GDPR? In addition, according to the Wiesbaden Administrative Court, the CJEU must clarify whether a national provision not meeting these requirements may still be applied.
Online teaching is new to many teachers, schools and educational institutions and there is uncertainty about how it should work, and there are concerns about data leaks and misuse. In addition, there are the imponderables that the Schrems II decision of the CJEU has brought with it. This is precisely why it is important to create legal certainty at this point. This includes putting data processing on the 'right' basis. The permissive elements of Article 6 GDPR must be taken into account when processing personal data. The school system is just one among many examples of this.