An article by Kostas Fatsis (Partner) and Sofia Feizidou (Associate)
On 30th March 2023 the highly anticipated judgement of the Court of Justice of European Union in the Case Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium v. Minister des Hessischen Kultusministeriums (C-34/21) was published. The CJUE was invited to respond to a reference for a preliminary ruling made by the German administrative court concerning the application of Article 88 of the General Data Protection Regulation (GDPR) in the context of introduction of additional, stricter or even derogating national rules by Member States aiming to ensure the protection of employees’ rights and freedoms with regard to the processing of their personal data, i.e., concerning, essentially, the interpretation of the level of discretion left to Member States by said Article. The key question was whether a national provision -in this case, Article 23 of Law on Data Protection and Freedom of Information (HDSIG) of the Land of Hessen- could qualify as a “more specific” rule within the meaning of Article 88(1) of the GDPR even though it was evidently incompatible with the conditions and limits laid down in the second paragraph of the same Article.
Article 88(1) of the GDPR constitutes an “opening clause”, allowing Member States a margin of discretion as regards the adoption of stricter and “more specific” national rules or the introduction of derogations, so as to ensure higher protection for the rights of employees when their personal data are subject to processing in the employment context. Such discretion is limited by the provision of the second paragraph of Article 88, which requires such rules to include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the intragroup personal data transfers and the surveillance systems at the workplace. As follows from the wording and the interpretation of Αrticle 88 the national provisions must have a normative content specific to the area regulated and distinguishable from the general rules of the GDPR, that is to say it must not be limited to a simple verbatim reproduction or reference to the conditions of lawfulness and the principles relating to processing of personal data laid down in the GDPR, unless this is strictly necessary for coherence and making the national provisions comprehensible to the persons to whom they may apply. The CJEU ruled that national legislation cannot constitute a “more specific” rule, within the meaning of paragraph 1 of Article 88, where it does not satisfy the conditions laid down in paragraph 2 of that article, and its application must therefore be disregarded.
This recently published CJEU judgement raises concerns for the validity of Article 27 of the Greek Law No. 4624/2019, which seems to include similar provisions to those of the German legislation. Said Article has already been criticized by the Greek Data Protection Authority (the HDPA) since January 2020. More particularly, the HDPA pointed out in its relevant Opinion that the provisions of Article 27 are not compatible with the GDPR, namely because the first and the third paragraph repeat the legal basis of Article 6(1)(b) and Article 9(2)(b) of the GDPR while the fourth paragraph is merely referred to Article 88(2) instead of specifying the criteria and the measures laid down therein. Therefore, the judgement of the CJEU should be taken into account by the Greek courts when assessing the application of Article 27 of Law 4624/2019.