Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 70 | 2019-12-13

Data Breach Notifications Only With Works Council Approval?
Dr. Philip Kempermann, LL.M., Astrid Luedtke and Bernd Weller

Even though the German Datenschutzkonferenz, the group of the 17 data protection authorities in Germany, provides many guidelines on interpretation, it is ultimately the courts that decide on the binding interpretation of the GDPR provisions. The labor courts are particularly active in this regard, including in a current decision of the state labor court (Landesarbeitsgericht – LAG) Schleswig-Holstein.

LAG Schleswig-Holstein, decision dated August 6, 2019 – 2 TaBV 9/19

According to this decision, the works council shall be involved in determining how, to whom and in what form employees shall report a data breach they have discovered within the meaning of GDPR within the company. The local works council is responsible for exercising this right of co-determination.

Facts of the case

A call center company with several branches has local works councils and one general works council. The employer issued a work instruction with regard to Articles 33 and 34 GDPR to install a system for reporting and dealing with any data breaches according to the requirements of the GDPR. According to the instruction, employees were required, among other things, to use a standardized mechanism for reporting breaches by sending an email containing specific minimum information to an e-mail address of the company headquarters. The instruction also stated that the person reporting the data breach would have to be available at short notice during the entire clarification process and would be obliged to further assist and support the key measures. Furthermore, periods of absence should be reported in advance to the central data protection team. From a GDPR perspective, these are standard and also useful stipulations for the reporting mechanism. However, one local works council was of the opinion that this work instruction would violate its co-determination rights and initiated decision-making proceedings at the labor court.


Both the labor court in Kiel and the LAG Schleswig-Holstein affirmed the works council’s co-determination right according to Sec. 87 (1) No. 1 Works Constitution Act (BetrVG). According to settled case law of the Federal Labor Court (Bundesarbeitsgericht – BAG; see only BAG, decision dated June 11, 2002 – 1 ABR 46/01) this co-determination right only exists if a measure implemented by an employer “aims to structure collective cooperation or ensure and maintain the given rules of operation at the company.” Stipulations on employee conduct, however, are not subject to co-determination. Employee conduct is always considered such if the employer specifies what work is to be performed by the employee as part of the employer’s right to issue instructions under the employment contract. The LAG Schleswig-Holstein is of the opinion that reporting a data breach is not an obligation of the employee under the employment contract; due to the restriction of the reporting mechanism, this would constitute a company rule on conduct that limits the employees’ freedom to make decisions. The LAG Schleswig-Holstein also states that it is not clear why this restriction to report breaches by email is necessary and that reporting the breach verbally would also be adequate.

Furthermore, according to the LAG Schleswig-Holstein, this matter is subject to co-determination by the local works council. It sees no adequate reason why it is objectively or subjectively impossible for co-determination to lie with the general works council.


According to Art. 24 GDPR, the employer is obliged to implement efficient technical and organizational GDPR measures to ensure reporting according to Art. 33, 34 GDPR. Accountability and the documentation obligation according to Art. 5 (2) GDPR requires the employer to be able to demonstrate the implemented measures. Therefore, the mechanisms must be based on market standards in order to avoid criticism from the data protection supervisory authorities. The decision handed down by the LAG Schleswig-Holstein does not address these obligations under the GDPR. In our opinion, it also ignores the settled case law of BAG. Determining a mechanism for reporting a breach according to GDPR is an incidental contractual obligation of any employee and therefore falls under employee conduct that is not subject to co-determination. Even if this opinion is not shared, the rules of operation would still have to be checked in each case. According to settled case law of the BAG, rules of operation and employee conduct is not an either-or matter. Conversely, the BAG has also recognized cases in which neither rules of operation nor employee conduct were affected (so-called sui generis directive – BAG, decision dated April 14, 2014 – 1 ABR 85/12). It would have to be determined whether a measure affects the rules of operation. Such a subsumption cannot be taken from the decision of the LAG Schleswig-Holstein. Simply specifying a work action or a work method is not enough to constitute a rule of operation. If the employer states which employees must report to whom, this is not a matter of cooperation at the company, but a matter of work organization that is not subject to co-determination and must be based on the requirements of the GDPR. In this respect, the decision of the LAG Schleswig-Holstein is not convincing.

It remains to be seen whether the BAG is given the opportunity to straighten out the decision made by the LAG Schleswig-Holstein. If not, the effects could be far-reaching: the data protection compliance of the employer would be dependent on the findings of conciliation proceedings and the protection of the data subjects offered by the GDPR would be severely limited in some cases.


Dr. Philip Kempermann, LL.M., is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Astrid Luedtke is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Bernd Weller is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group Employment.


T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Dr. Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke, LL.M.
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf

I want to


Heuking Kühn Lüer Wojtek
© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.