Labor Court of Iserlohn: data breaches may lead to dissolution of the works council
By Order of 14 January 2020 (Case. 2 BV 5/19), the Labor Court of Iserlohn ruled that violations of the GDPR could lead to dissolution of the works council.
In the case, two companies in the automotive supplier industry which are partners in a joint venture petitioned the court to dissolve the works council. The petitioners had resolved to close a subsidiary after unsuccessful attempts at restructuring, upon which a conflict broke out with the company's works council. After all of the joint venture's employees were dismissed for operational reasons, the chairman of the works council sent out a message regarding this matter to multiple law firms and the union's legal services company containing a large quantity (more than 150 MB, or 921 pages) of internal company documents. The documents included copies of e-mails, case briefs, calendar extracts, official notices, invoices, conceptual drawings, requests for vacation time, contractual texts, presentations, product line concepts and much more. The recipients then proceeded to use the data e.g. in legal actions seeking protection against unfair dismissal.
The Labor Court of Iserlohn ruled that this extensive data transfer represented a gross breach of duty on the part of the works council in terms of § 23(1) of the Works Constitution Act (only in german) and therefore granted the employers' petition. It found that not only did the works council commit massive violations of data protection law, but that it had violated the principle of trust-based collaboration by exceeding its authority, and that, in and of itself, the methodical way in which it went about assembling this extensive collection of documents meant that a trust-based relationship between the works council and the employers was no longer possible. The court stated that the works council had no legal basis for collecting, analyzing and categorizing the documents in this way, or for transmitting the documents to third parties and rejected the works council's argument that transmitting the document to its attorneys of record was permissible because the recipients were subject to a professional duty of secrecy. First of all, the court's order points out that employees of the union's legal services company are considered "legal secretaries" and are therefore not subject to an attorney's duty of secrecy. The court also notes that, even insofar as attorneys were the recipients, the message had been sent not to them personally but to the general firm address, which is likewise problematic. Further aggravating matters, in the court's view, is the fact that the link included in the message for downloading the documents was not password-protected. The court therefore found that the group of recipients to whom the documents had ultimately been made available was neither limited nor controllable, and that this is particularly true for employees of the cloud provider and uninvolved third parties who may have come across the link by random chance. Because the data transfer had no basis in the Works Constitution Act, the court also found that the transmission violated the GDPR and stated that the works council had no legal basis whatsoever for processing the data in question, particularly for the transmission of customer data. The Labor Court of Iserlohn went on to state that the lack of judgment exhibited by the works council means that there is a continuing risk that sensitive documents will be disclosed to third parties. The court noted that the works council was "capable of anything" and that it had exhausted "all means, massively exceeding its authority."
In conclusion, the ruling impressively demonstrates that the works council is not entitled to resort to any means which it finds to be sensible and justified in its handling of personal data, whether the data in question is customer data or the data of its own employees. Rather, the Works Constitution Act sets very narrow limits, particularly for the collection and transmission of internal company documents. Accordingly, compliance with data protection law is of increasing importance for both works councils and employers.