CJEU to rule on processing of personal data from employees for videoconferencing

The German court is seeking guidance on whether schoolteachers must be asked for their consent before giving their lessons by online video. As the answer to this query depends on European data protection law, the CJEU’s decision will be of relevance throughout the entire EU.

In the wake of the Covid-19 crisis, home schooling has become a challenge for children, parents and teachers, not to mention the schools themselves. Educational institutions have to adapt their teaching concepts moving to distant learning and virtual classrooms. In doing so, they face legal uncertainties in many ways.

A case about the legitimacy of teachers’ personal data being electronically processed whilst giving online lessons is before the Administrative Court of Wiesbaden. There is no doubt about home schooling on online platforms involves personal data of both teachers and pupils being processed within the meaning of Article 4 No. 2 of the General Data Protection Regulation (GDPR). Accordingly, parents are commonly asked to give consent on behalf of their children.

With regards to teachers the situation is less clear. There might be options other than 'consent' to justify teachers’ personal data being processed. You could argue that the data processing is an essential part of their duty to fulfil their contractual obligations under the teaching contract. This is what the court in Wiesbaden is to decide.

The question concerns the employee data being processed in the context of work. According to Article 88 of the GDPR, member states are allowed to enact domestic provisions in this field. However, the national law must still comply with the overall principles set out in the GDPR. This is why the spectrum of possible justifications listed in Article 6 GDPR is also of relevance for national legislators and courts.

The domestic law to be reviewed against the background of the GDPR is Section 23 of the Hessian Data Protection and Freedom of Information Act (HDSIG). It states that personal data of employees may be processed "for the purposes of the employment relationship". However, this is only the case if the data processing is necessary "after the employment relationship has been established for its implementation, termination or settlement". There is no further specification or guidance on how Sec. 23 HDSIG is to be interpreted or applied. This is why the judges asked the CJEU for further guidance.

The CJEU's decision will be significant for all EU member states with similar data protection regulations. The ruling will not only impact schools - it can also be extended to employment relationships in businesses all across the EU. This is particularly important as the Covid-19 pandemic has made companies more dependent than ever on video conference systems. Therefore, the case brought up to the CJEU will clearly set a precedent for many constellations of similar kind.

The problem rests on the structure of the GDPR and its interplay with domestic privacy laws. In certain areas, and employment relations is one of them, the GDPR leaves room for domestic legislation. National laws such as the German Federal Data Protection Act (BDSG) did not become obsolete when the GDPR came into force. Those laws had to be revised in order to fill the gaps the GDPR has left. In federal states like Germany, there is even a third layer of data privacy legislation. However, these laws must also be in line with the GDPR.

The important question that the CJEU must now address is: what substantive requirements must a domestic provision fulfil in order to be a "specific provision" within the meaning of Articvle 88(1) GDPR? In addition, according to the Wiesbaden Administrative Court, the CJEU must clarify whether a national provision not meeting these requirements may still be applied.

Online teaching is new to many teachers, schools and educational institutions and there is uncertainty about how it should work, and there are concerns about data leaks and misuse. In addition, there are the imponderables that the Schrems II decision of the CJEU has brought with it. This is precisely why it is important to create legal certainty at this point. This includes putting data processing on the 'right' basis. The permissive elements of Article 6 GDPR must be taken into account when processing personal data. The school system is just one among many examples of this.