The Federal Labour Court (BAG) clarified this in its ruling of 8 May 2025 (Ref. 8 AZR 209/21): Company agreements alone do not justify data processing if they do not meet the requirements of the GDPR.
In the case, a company had transferred more personal employee data than provided for in the works agreement with the works council as part of the introduction of HR software (‘Workday’) - including sensitive information such as salary data and tax IDs. This data was forwarded to the parent company without a sufficient legal basis.
The affected employee sued for damages under Art. 82 GDPR. The BAG ruled in his favour: the works agreement only permitted certain data, but not the sensitive information transmitted. A works agreement can only constitute a permissible basis for processing if the processing operations regulated therein can also be based independently on a valid GDPR legal basis, such as Art. 6 I GDPR or Art. 9 II GDPR.
The European Court of Justice had previously emphasised that provisions in works agreements must be fully GDPR-compliant. In particular, the principles of purpose limitation and data minimisation must be observed.
Conclusion:
Company parties cannot legitimise data processing ‘by agreement’.A valid legal basis in accordance with the GDPR is always required, which can also be concretised, but not replaced, by the works agreement.