Employee data protection plays a major role in companies. Since the General Data Protection Regulation (GDPR) came into force at the latest, but already under the German Federal Data Protection Act (BDSG) before that, employee data has had to be protected according to specific rules. This article explains what rights employees have and how employers can comply with them.

The rights of employees with regard to data protection

In addition to the BDSG, the GDPR (DSGVO) specifies how personal data is to be handled. Employee data protection in Germany is regulated largely by the BDSG, in particular § 26 BDSG, while the general requirements of the GDPR apply alongside it and supplement it.

Employee data is entitled to the same level of protection as the personal data of any other person. In a company, it is impossible to avoid collecting and processing such data; this begins with the application documents.

Essentially, employee data protection is about transparent information on how the data is processed and used. In addition, this data must be stored in such a way that not everyone in the company has access to it (access restricted to those who need it for their role).

It is important to note that only data that is actually necessary for the employment relationship should be collected, and this should be done openly. Employers should tell employees directly:

  • what data is being collected
  • the purpose for which this data is collected
  • under what circumstances this data will be deleted again

Processing that is necessary for establishing, carrying out or terminating the employment relationship (for example payroll) is permitted under § 26 BDSG and Art. 6(1)(b) GDPR without separate consent. For anything beyond that, the employer needs the employee's consent, which must be given voluntarily and, as a rule, in writing or electronically (§ 26(2) BDSG); because of the imbalance between employer and employee, consent should be documented and must be revocable.

Which data employers may process

Employers are allowed to collect and process the following data without running into problems with employee data protection:

  • General personal data (name, address, date of birth)
  • Bank account details
  • Social security and health insurance numbers
  • Tax ID
  • Religious affiliation

For these data, the purposes are clear: registration with the insurance carriers, salary payment, payroll accounting and church tax.

The following special categories of personal data (Art. 9 GDPR) may generally not be collected, because they serve no purpose related to the employment relationship and their collection may even have a discriminatory background:

  • racial or ethnic origin
  • political views
  • health data
  • sexual orientation
  • genetic or biometric data

Biometric data is an exception in one respect: it may be requested for access control purposes, for example where certain areas of the company can only be entered using a fingerprint. This, however, requires the employee's consent.

Health data may be collected in some industries, but there must be a justification for it. With an allergy to animal hair, a job in a veterinary practice simply does not make much sense.

Furthermore, blanket collection of personal data such as chat histories or email traffic is not permitted, and the same applies to general monitoring of Internet use. Here, too, the principle of collecting only the data that is necessary for the purpose applies, and that does not include the websites an employee visits or the content of chat conversations. An easy rule of thumb: private data has no place here.

What happens in the event of a data breach?

A data breach is not the end of the world. What matters is how serious the breach is and how it occurred.

In principle, a data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the persons affected (Art. 33 GDPR). Where the breach is likely to result in a high risk, the affected employees must also be notified (Art. 34 GDPR).

It is important that the company can prove that it complied with data protection rules even though the breach occurred (the accountability principle), for example through documented access controls, retention rules and staff training. If the breach results from a violation of data protection rules, and in particular from a deliberate one, a fine may be imposed.

If the employee suffers damage as a result, for example damage to his or her reputation, discrimination or psychological stress, this may also give rise to a claim for damages.

Employee data protection is a serious issue and violations can be costly. Fortunately, compliance is not very difficult: handling personal data carefully, limiting it to what is necessary and restricting access to those who need it keeps things tidy and the risk low.