DATA PROTECTION
The Court of Justice of the EU reaffirms the primacy of the GDPR in employment relationships: company agreements that authorise excess processing or unlawful transfers to third countries are invalid.
The Court of Justice of the European Union (judgment in case C-65/23) has addressed a particularly important issue in the field of the protection of personal data in the context of the employment relationship, ruling on the limits of lawfulness of processing within the framework of a company trade union agreement and on the conditions of validity of the international transfer of employee data. The case originates from a dispute initiated by an employee of a German company, who had challenged the transfer of his personal data from an SAP management system to an external cloud infrastructure, located in the United States, as part of a pilot project aimed at implementing Workday software. The transfer had taken place in the test phase and in violation of what was expressly established in a trade union agreement, which had restricted the categories of personal data that could legitimately be transferred to a limited number of identifying attributes, excluding any element relating to remuneration, taxation, marital status or nationality.
Ruling on the question referred for a preliminary ruling by the Bundesarbeitsgericht, the Court of Justice firmly reiterated that Article 88(1) of Regulation (EU) 2016/679 (GDPR), which allows Member States to adopt more specific provisions on data processing in the context of work, does not in any way legitimise a derogation from the general principles of lawfulness, necessity and proportionality established by Articles 5, 6 and 9 of the Regulation. National regulations or collective agreements, even if formally adopted and shared between employer and employee representatives, must in any case fully comply with the substantive principles of the GDPR. It is therefore not sufficient for a processing operation to comply with a contractual provision for the burden of compliance to be considered validly fulfilled; it is necessary to verify in practice that the purposes pursued, the categories of data processed, the methods and the legal bases are fully compatible with the European regulatory framework.
The Court clarified that, even in the presence of a collective agreement, it is for the national court to exercise full and autonomous control over the lawfulness of the processing, since a deferential or merely formal approach is not admissible. The national court must verify that the contractual provisions comply with the substantive and procedural guarantees provided for by the GDPR, in particular with regard to compliance with the principles of minimisation, purpose limitation, data accuracy and integrity of processing. The Court also ruled out that a mere technical or organisational need, such as that of testing new software, can constitute a legitimate basis for extending the processing to data in excess of those strictly necessary.