IP case law Court of Justice

of 30 Mar 2023, C-34/21 (Hauptpersonalrat der Lehrerinnen und Lehrer)



JUDGMENT OF THE COURT (First Chamber)

30 March 2023 (*)

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 88(1) and (2) – Processing of data in the employment context – Regional school system – Teaching by videoconference as a result of the COVID-19 pandemic – Implementation without the express consent of the teachers)

In Case C-34/21,

REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), made by decision of 20 December 2020, received at the Court on 20 January 2021, in the proceedings

Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium

v

Minister des Hessischen Kultusministeriums,

THE COURT (First Chamber),

composed of A. Arabadjiev, President of the Chamber, K. Lenaerts, President of the Court, L. Bay Larsen, Vice-President of the Court, acting as Judges of the First Chamber, A. Kumin and I. Ziemele (Rapporteur), Judges,

Advocate General: M. Campos Sánchez-Bordona,

Registrar: S. Beer, Administrator,

having regard to the written procedure and further to the hearing on 30 June 2022,

after considering the observations submitted on behalf of:

–        the Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium, by J. Kolter, Rechtsanwalt,

–        the Minister des Hessischen Kultusministeriums, by C. Meinert,

–        the German Government, by J. Möller and D. Klebs, acting as Agents,

–        the Austrian Government, by G. Kunnert and J. Schmoll, acting as Agents,

–        the Romanian Government, by E. Gane and A. Wellman, acting as Agents,

–        the European Commission, by F. Erlbacher, H. Kranenborg and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 22 September 2022,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 88(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

2        The request was made in the course of proceedings between the Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium (Principal Staff Committee for Teachers at the Ministry of Education and Culture of the Land Hessen, Germany) and the Minister des Hessischen Kultusministeriums (Minister for Education and Culture of the Land Hessen, Germany), concerning the lawfulness of a system for the live streaming of classes by videoconference introduced in schools in the Land Hessen (Germany) without the prior consent of the teachers concerned.

 Legal context

 European Union law

 Directive 95/46/EC

3        Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) was repealed by the GDPR, with effect from 25 May 2018. Article 3 of that directive, entitled ‘Scope’, was worded as follows:

‘1.      This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      This Directive shall not apply to the processing of personal data:

–        in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the [EU Treaty, in the version in force prior to the Treaty of Lisbon,] and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

…’

 The GDPR

4        Recitals 8 to 10, 13, 16, 45 and 155 of the GDPR state:

‘(8)      Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(9)      The objectives and principles of Directive [95/46] remain sound, but it has not prevented fragmentation in the implementation of data protection across the [European] Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive [95/46].

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive [95/46], Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (“sensitive data”). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

(13)      In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators … to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. …

(16)      This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(45)      Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. It should also be for Union or Member State law to determine the purpose of processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. …

(155)      Member State law or collective agreements, including “works agreements”, may provide for specific rules on the processing of employees’ personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.’

5        Article 1 of the GDPR, entitled ‘Subject matter and objectives’, provides:

‘1.      This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2.      This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3.      The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.’

6        Article 2 of that regulation, entitled ‘Material scope’, provides in paragraphs 1 and 2:

‘1.      This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      This Regulation does not apply to the processing of personal data:

(a)      in the course of an activity which falls outside the scope of Union law;

(b)      by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the [EU Treaty];

(c)      by a natural person in the course of a purely personal or household activity;

(d)      by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

7        Article 4 of that regulation, entitled ‘Definitions’, provides:

‘For the purposes of this Regulation:

(1)      “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…’

8        Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, states:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d)      accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

9        Article 6 of that regulation, entitled ‘Lawfulness of processing’, provides in paragraphs 1 to 3:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)      processing is necessary for compliance with a legal obligation to which the controller is subject;

(e)      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2.      Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3.      The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a)      Union law; or

(b)      Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.’

10      In Chapter IX of the GDPR, entitled ‘Provisions relating to specific processing situations’, Article 88, relating to ‘processing in the context of employment’, provides:

‘1.      Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2.      Those rules shall include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3.      Each Member State shall notify to the [European] Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.’

 National law

11      Paragraph 26(1) of the Bundesdatenschutzgesetz (Federal Law on data protection) of 30 June 2017 (BGBl. 2017 I, p. 2097), provides:

‘Personal data of employees may be processed for the purposes of an employment relationship where this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for the implementation or termination of that relationship, and for the exercise or discharge of the rights and obligations arising, respectively, from the representation of employees’ interests and laid down by a law or a collective labour regulation instrument or a works or service agreement (collective agreement). …’

12      Under Paragraph 23 of the Hessisches Datenschutz- und Informationsfreiheitsgesetz (Law on data protection and freedom of information of the Land Hessen) of 3 May 2018 (‘the HDSIG’):

‘1.      Personal data of employees may be processed for the purposes of an employment relationship where this is necessary for the decision on the establishment of an employment relationship or, after the establishment of the employment relationship, for the implementation, termination or administration of that relationship, and for the implementation of internal planning, organisational, social and personnel measures. …

2.      Where the personal data of employees is processed on the basis of consent, account must be taken, in particular, of the dependency of the employee in the employment relationship and the circumstances in which that consent was given when assessing whether the consent was given freely. The free nature of consent may be established, in particular, if there is a legal or economic advantage for the employee, or if the employer and the employee have convergent interests. Consent must be made in writing unless another form is required because of special circumstances. The employer is required to inform the employee in writing of the purpose of the data processing operation and of his or her right to withdraw consent, as provided for in Article 7(3) of the [GDPR].

3.      By way of derogation from Article 9(1) of [the GDPR], the processing of special categories of personal data within the meaning of Article 9(1) of [the GDPR] shall be permitted for the purposes of the employment relationship where it is necessary for the exercise of rights or for compliance with legal obligations under employment law, or social security and social protection law, and there is no reason to consider that the data subject’s legitimate interest in excluding processing takes precedence. Subparagraph 2 shall also apply to consent to the processing of special categories of personal data. In that regard, the consent must make express reference to those data. …

4.      The processing of personal data, including special categories of personal data of employees, for the purposes of an employment relationship is permitted on the basis of collective agreements. In so doing, the negotiating parties shall comply with Article 88(2) [of the GDPR].

5.      The controller must take appropriate measures to ensure that, in particular, the principles for the processing of personal data set out in Article 5 [of the GDPR] are complied with.

7.      Subparagraphs 1 to 6 shall also apply where personal data, including special categories of personal data, of employees are processed without that data being contained or being intended to be contained in a filing system. The provisions of the Hessisches Beamtengesetz [(HBG) (Law on the civil service of the Land Hessen) of 21 April 2018 (“the HBG”)] applicable to staff cases shall apply mutatis mutandis to public sector workers, unless otherwise provided for in the collective labour regulation instrument.

8.      The following are employees for the purposes of this law:

1.      workers, including temporary agency workers in the relationship with the user;

7.      civil servants subject to the [HBG], senior judges of the Land and persons performing a civil service.

…’

13      Paragraph 86(4) of the HBG provides:

‘The employer may collect personal data on applicants, civil servants and former civil servants only if this is necessary for the establishment, implementation, termination or administration of the employment relationship or for the implementation of organisational, social and personnel measures, in particular for the purposes of human resources planning and deployment, or if it is permitted by a legal provision or a service agreement. …’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

14      As is apparent from the file submitted to the Court, by two measures adopted in 2020, the Minister for Education and Culture of the Land Hessen established the legal and organisational framework for school education during the COVID-19 pandemic. That framework made it possible, inter alia, for pupils who could not be present in a classroom to attend classes live by videoconference. In order to safeguard pupils’ rights in relation to the protection of personal data, it was established that connection to the videoconference service would be authorised only with the consent of the pupils themselves or, for those pupils who were minors, of their parents. However, no provision was made for the consent of the teachers concerned to their participation in that service.

15      The Principal Staff Committee for Teachers at the Ministry of Education and Culture of the Land Hessen brought an action before the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany), complaining that the live streaming of classes by videoconference was not made conditional on the consent of the teachers concerned.

16      The Minister for Education and Culture of the Land Hessen, for his part, contended that the processing of personal data inherent in the live streaming of classes by videoconference was covered by the first sentence of Paragraph 23(1) of the HDSIG, so that it could be conducted without the consent of the teachers concerned being sought.

17      The Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) states in that regard that, in accordance with the intention of the legislature of the Land Hessen, Paragraph 23 of the HDSIG and Paragraph 86 of the HBG fall within the category of ‘more specific rules’ for which Member States may make provision, in accordance with Article 88(1) of the GDPR, to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context. However, that court has doubts as to whether the first sentence of Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG are compatible with the requirements laid down in Article 88(2) of the GDPR.

18      In the first place, the first sentence of Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG rely on ‘necessity’ as the legal basis for the processing of employees’ data. However, the insertion of the principle of ‘necessity’ into that law does not constitute a rule specifying the requirements contained in Article 88(2) of the GDPR, since the processing of data necessary in the context of an employment relationship is already governed by point (b) of the first subparagraph of Article 6(1) of the GDPR.

19      In addition, the first sentence of Paragraph 23(1) of the HDSIG applies, beyond the actual contractual relationship, to any processing of employees’ data. It follows from point (f) of the first subparagraph of Article 6(1) of the GDPR that, in the case of personal data processing going beyond processing that is strictly necessary under the employment contract, the fundamental rights and freedoms of the data subject, in the present case the employees and civil servants, must be balanced with the legitimate interest pursued by the controller, in the present case the employer. In so far as the first sentence of Paragraph 23(1) of the HDSIG does not provide for such a balancing exercise, that provision cannot be regarded as a specific sectoral norm after the entry into force of the GDPR.

20      In the second place, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) considers that the mere reference in Paragraph 23(5) of the HDSIG to the fact that the controller must, inter alia, comply with the principles set out in Article 5 of the GDPR does not meet the requirements of Article 88(2) of that regulation. The latter provision requires suitable and specific legislative provisions to be adopted in order to protect the data subjects’ human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place, and is not merely a rule which must additionally be complied with by those who apply a national provision. Those who apply the provision are not the addressees of Article 88(2) of the GDPR.

21      In those circumstances, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is Article 88(1) of [the GDPR] to be interpreted as meaning that, in order to be a more specific rule for ensuring the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context within the meaning of Article 88(1) of [the GDPR], a provision must meet the requirements imposed on such rules by Article 88(2) of [the GDPR]?

(2)      If a national rule clearly does not meet the requirements under Article 88(2) of [the GDPR], can it nevertheless remain applicable?’

22      By a communication received at the Court Registry on 30 November 2021, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) informed the Court that, as a result of amendments to the national legislation governing the territorial jurisdiction of the administrative courts of the Land Hessen, which was to take effect on 1 December 2021, the dispute in the main proceedings had been transferred to the Verwaltungsgericht Frankfurt am Main (Administrative Court, Frankfurt am Main, Germany). By a communication received at the Court Registry on 21 February 2022, the latter court confirmed that transfer and informed the Court of the new role number assigned to the dispute in the main proceedings.

 Admissibility of the request for a preliminary ruling

23      In its written observations, the German Government submitted that the request for a preliminary ruling was inadmissible in so far as the questions referred for a preliminary ruling were not relevant to the outcome of the dispute in the main proceedings. The Court’s answer would not be useful to the referring court if the processing of the data were authorised by reason of the teacher’s consent. However, the referring court does not explain why it does not take such a possibility into account.

24      When questioned on this point at the hearing before the Court, the German Government nevertheless acknowledged that the questions referred for a preliminary ruling were relevant where the teacher’s consent could not be obtained.

25      In that regard, it should be noted that, according to settled case-law, questions referred for a preliminary ruling by a national court in the legislative and factual context which that court is responsible for defining, and the accuracy of which is not a matter for the Court of Justice to determine, enjoy a presumption of relevance. The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 48 and the case-law cited).

26      In the present case, it is apparent from the order for reference that the parties to the main proceedings disagree as to whether the introduction of live streaming of a class by videoconference systems requires, not only the consent of the parents for their children or that of the pupils who have attained majority, but also the consent of the teachers concerned, or whether, on the other hand, the processing of their personal data is covered by the first sentence of Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG.

27      It should also be noted that the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden) stated in its request for a preliminary ruling, first, that the national legislature considered that Paragraph 23 of the HDSIG and Paragraph 86 of the HBG constitute more specific rules within the meaning of Article 88 of the GDPR and, second, that the outcome of the dispute in the main proceedings depends on whether the first sentence of Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG satisfy the requirements of Article 88 of the GDPR, so as to constitute more specific rules applicable to the processing of the personal data of teachers when classes are livestreamed by the videoconference system at issue in the main proceedings.

28      In the light of the information thus provided in the request for a preliminary ruling, the arguments put forward by the German Government are not capable of rebutting the presumption of relevance enjoyed by the questions referred.

29      In those circumstances, the view cannot be taken either that the interpretation of the provisions of EU law that is sought clearly bears no relation to the actual facts of the main action or its purpose, or that the problem is hypothetical, since the referring court is likely to take that interpretation into account for the purposes of resolving the dispute in the main proceedings. Lastly, the Court has before it the factual and legal material necessary to give a useful answer to the questions submitted to it.

30      Therefore the request for a preliminary ruling is admissible.

 Consideration of the questions referred for a preliminary ruling

 Preliminary observations

31      The questions referred for a preliminary ruling concern the interpretation of Article 88(1) and (2) of the GDPR in a dispute relating to the processing of teachers’ personal data during the live streaming by videoconference of the public educational classes which they are responsible for providing.

32      In the first place, it must be determined whether that processing falls within the material scope of the GDPR, having regard to the fact that, under Article 2(2)(a) of the GDPR, that regulation does not apply to the processing of personal data carried out ‘in the course of an activity which falls outside the scope of Union law’ and that, in accordance with Article 165(1) TFEU, Member States are responsible for the content of teaching and the organisation of their education systems.

33      In that regard, it is clear from the case-law of the Court that the definition of the material scope of the GDPR, as set out in Article 2(1) of that regulation, is very broad and that the exceptions to that scope, as provided for in Article 2(2) thereof, must be interpreted restrictively (see, to that effect, judgments of 9 July 2020, Land Hessen, C-272/19, EU:C:2020:535, paragraph 68, and of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraphs 61 and 62).

34      In addition, Article 2(2)(a) of the GDPR is to be read in conjunction with Article 2(2)(b) and recital 16 of that regulation, which states that that regulation does not apply to the processing of personal data in the context of ‘activities which fall outside the scope of Union law, such as activities concerning national security’ and ‘activities in relation to the common foreign and security policy of the Union’ (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 63).

35      It follows that Article 2(2)(a) and (b) of the GDPR, which partly represents a continuation of the first indent of Article 3(2) of Directive 95/46, cannot be interpreted in broader terms than the exception resulting from the first indent of Article 3(2) of Directive 95/46, a provision which already excluded from that directive’s scope, inter alia, the processing of personal data taking place in the course ‘of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the [EU Treaty, in the version in force prior to the Treaty of Lisbon,] and in any case … processing operations concerning public security, defence, State security’ (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 64).

36      In the present case, it is common ground that the activity relating to the organisation of teaching in the Land Hessen cannot be classified in the category of activities intended to preserve national security, referred to in Article 2(2)(a) of the GDPR.

37      Therefore, the processing of teachers’ personal data as part of the live streaming by videoconference of the public educational classes which they provide, such as that at issue in the main proceedings, falls within the material scope of the GDPR.

38      In the second place, it is apparent from the request for a preliminary ruling that teachers whose personal data processing is at issue in the main proceedings are part of the public service of the Land Hessen, as employees or civil servants.

39      Therefore, it is necessary to determine whether such processing of personal data falls within the scope of Article 88 of the GDPR, which refers to ‘the processing of employees’ personal data in the employment context’.

40      In that regard, it should be pointed out that the GDPR does not define the terms ‘employees’ and ‘employment’, nor does it refer to the law of the Member States to define those terms. In the absence of any such reference, it should be recalled that, as follows from the need for a uniform application of EU law and from the principle of equality, the terms of a provision of EU law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union (judgment of 2 June 2022, HK/Danmark and HK/Privat, C-587/20, EU:C:2022:419, paragraph 25 and the case-law cited).

41      Furthermore, since the GDPR does not define the terms ‘employed’ and ‘employment’, they must be interpreted by reference to their usual meaning in everyday language, while also taking into account the context in which they occur and the purposes of the rules of which they are part (judgment of 2 June 2022, HK/ Danmark and HK/ Privat, C-587/20, EU:C:2022:419, paragraph 26 and the case-law cited).

42      The term ‘employee’ in its usual meaning refers to a person who performs his or her work in the context of a relationship of subordination with his or her employer and therefore under the latter’s control (judgment of 18 March 2021, Kuoni Travel, C-578/19, EU:C:2021:213, paragraph 42).

43      Likewise, the essential feature of an ‘employment relationship’ is that for a certain period of time a person performs services for and under the direction of another person in return for which he or she receives remuneration (judgment of 15 July 2021, Ministrstvo za obrambo, C-742/19, EU:C:2021:597, paragraph 49).

44      Since such a characteristic is specific to employees and to employment both in the public and in the private sector, it must be inferred that the terms ‘employee’ and ‘employment’, understood in their usual sense, do not exclude persons who pursue their professional activity in the public sector.

45      The scope of Article 88(1) of the GDPR cannot be determined by reference to the nature of the legal relationship that binds the employee to the employer. Thus, it is irrelevant whether the data subject is employed as an employee or as a civil servant, or even whether the terms on which he or she is employed come under public or private law, since those legal designations are varied at the whim of national legislatures and cannot therefore provide an appropriate criterion for a uniform and autonomous interpretation of that provision (see, by analogy, judgments of 12 February 1974, Sotgiu, 152/73, EU:C:1974:13, paragraph 5, and of 3 June 1986, Commission v France, 307/84, EU:C:1986:222, paragraph 11).

46      Specifically with regard to persons whose employment relationship is not an employment contract, such as civil servants, it is true that Article 88 of the GDPR refers, in paragraph 1, to the ‘performance of the contract of employment’. However, it should be noted, first, that that reference is among other purposes of the processing of personal data in the employment context which may be the subject of more specific rules adopted by the Member States, listed in Article 88(1) of the GDPR, and that, in any event, that list is not exhaustive, as is demonstrated by the adverbial phrase ‘in particular’ used in that provision.

47      Second, the irrelevance of the classification of the legal relationship between the employee and the administration employing that employee is borne out by the fact that the management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, the protection of employer’s or customer’s property, the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and the termination of the employment relationship, which are also listed in Article 88(1) of the GDPR, relate to employment in both the private and the public sectors.

48      Consequently, it cannot be inferred from the reference to the ‘performance of the contract of employment’ in Article 88(1) of the GDPR that employment in the public sector that is not based on an employment contract is excluded from the scope of that provision.

49      The same conclusion must be reached in relation to the fact that Article 88(2) of the GDPR mentions, among the three factors to which the Member States must have ‘particular regard’ when adopting those ‘more specific rules’, the transfer of personal data ‘within a group of undertakings, or a group of enterprises engaged in a joint economic activity’. The other two factors, namely the transparency of processing and monitoring systems at the work place, are relevant both to employment in the private sector and to employment in the public sector, whatever the nature of the legal relationship that binds the employee to the employer.

50      The interpretation arising from the wording of Article 88 of the GDPR is confirmed by the context of that article and by the objective pursued by the legislation of which it forms part.

51      As is apparent from Article 1(1) of the GDPR, read in the light, inter alia, of recitals 9, 10 and 13, that regulation seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, complete. However, the provisions of that regulation make it possible for Member States to lay down additional, stricter or derogating national rules and leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’) (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C-319/20, EU:C:2022:322, paragraph 57).

52      Article 88 of the GDPR, which forms part of Chapter IX of that regulation entitled ‘Provisions relating to specific processing situations’, constitutes such an opening clause, since it gives Member States the option of adopting ‘more specific rules’ to ensure protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context.

53      The specific features of the processing of personal data in the employment context and, consequently, the option given to Member States by Article 88(1) of the GDPR are explained, in particular, by the existence of a relationship of subordination between the employee and the employer and not by the nature of the legal relationship that binds the employee to the employer.

54      Furthermore, under Article 1(2) of the GDPR, read in conjunction with recital 10, that regulation has the objective in particular of ensuring a high level of protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data; that right is also recognised in Article 8 of the Charter of Fundamental Rights of the European Union and is closely connected to the right to respect for private life, enshrined in Article 7 of that charter (see, to that effect, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 61).

55      It is consistent with that objective to apply a broad interpretation of Article 88(1) of the GDPR, according to which the ‘more specific rules’ which the Member States may lay down to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context are likely to apply to all employees, irrespective of the nature of the legal relationship that binds them to their employer.

56      In those circumstances, the processing of teachers’ personal data during the live streaming, by videoconference, of the public educational classes which they provide, such as that at issue in the main proceedings, falls within the material and personal scope of the GDPR.

 The first question

57      By its first question, the referring court asks, in essence, whether Article 88 of the GDPR must be interpreted as meaning that, in order to be classified as a more specific rule within the meaning of paragraph 1 of that article, a rule of law must satisfy the conditions laid down in paragraph 2 of that article.

58      As has been pointed out in paragraph 52 above, the Member States have the option, and not the obligation, to adopt such rules, which may be provided for by law or by means of collective agreements.

59      Furthermore, when the Member States exercise the option granted to them by the opening clause of the GDPR, they must use their discretion under the conditions and within the limits laid down by the provisions of that regulation and must therefore legislate in such a way as not to undermine the content and objectives of that regulation (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C-319/20, EU:C:2022:322, paragraph 60).

60      In order to determine the conditions and limits to which the rules referred to in Article 88(1) and (2) of the GDPR are subject and, consequently, to assess the discretion left to the Member States by those provisions, it must be recalled that, in accordance with settled case-law, the interpretation of a provision of EU law requires account to be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part (judgment of 15 March 2022, Autorité des marchés financiers, C-302/20, EU:C:2022:190, paragraph 63).

61      As regards the wording of Article 88(1) of the GDPR, it is apparent, first of all, from the use of the words ‘more specific’ that the rules referred to in that provision must have a normative content specific to the area regulated, which is distinct from the general rules of that regulation.

62      Next, as has been pointed out in paragraph 52 above, the objective of the rules adopted on the basis of that provision is to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context.

63      Lastly, it follows from the different purposes for which the processing of personal data may be carried out, as set out in Article 88(1) of the GDPR, that the ‘more specific rules’ to which it refers may relate to a very large number of processing operations in connection with an employment relationship, so as to cover all the purposes for which the processing of personal data may be carried out in the context of an employment relationship. Furthermore, since the listing of those objectives is not exhaustive, as has been pointed out in paragraph 46 above, the Member States have a margin of discretion as regards the processing which is thus subject to those more specific rules.

64      Article 88 of the GDPR provides, in paragraph 2, that the rules adopted on the basis of paragraph 1 are to include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, having particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place.

65      Thus, it is apparent from the wording of Article 88 of the GDPR that paragraph 2 of that article circumscribes the discretion of those Member States which intend to adopt ‘more specific rules’ under paragraph 1 of that article. Therefore, first, those rules cannot be limited to reiterating the provisions of that regulation and must seek to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights.

66      Second, particular regard must be had to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place.

67      As regards the context of Article 88 of the GDPR, it should be noted, in the first place, that that provision must be interpreted in the light of recital 8 of that regulation, according to which, where that regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of that regulation into their national law.

68      In the second place, it must be borne in mind that Chapters II and III of the GDPR set out, respectively, the principles governing the processing of personal data and the rights of the data subject with which any processing of personal data must comply (judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraph 50).

69      In particular, all processing of personal data must comply, first, with the principles relating to processing of data set out in Article 5 of the GDPR and, second, with one of the principles relating to lawfulness of processing listed in Article 6 of that regulation (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 96 and the case-law cited).

70      As regards the principles relating to the lawfulness of processing, Article 6 of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order to be capable of being regarded as legitimate, processing must fall within one of the cases provided for in Article 6 (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 99 and the case-law cited).

71      Therefore, although, when exercising the option granted to them by an opening clause of the GDPR, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of that regulation into their national law, the ‘more specific rules’, adopted on the basis of Article 88(1) of that regulation, cannot be limited to a reiteration of the conditions for the lawfulness of personal data processing and the principles of that processing, set out, respectively, in Article 6 and Article 5 of that regulation, or to a reference to those conditions and principles.

72      The interpretation that the discretion of the Member States, when adopting rules on the basis of Article 88(1) of the GDPR, is limited by paragraph 2 of that article, is consistent with the objective of that regulation, recalled in paragraph 51 above, which is to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, complete.

73      As the Advocate General observed, in essence, in points 56, 70 and 73 of his Opinion, the possibility for Member States to adopt ‘more specific rules’ on the basis of Article 88(1) of the GDPR may lead to a lack of harmonisation within the scope of those rules. The conditions imposed by Article 88(2) of that regulation reflect the limits of the differentiation accepted by that regulation, in that that lack of harmonisation may be accepted only where the differences that remain are accompanied by specific and suitable safeguards intended to protect employees’ rights and freedoms with regard to the processing of their personal data in the employment context.

74      Consequently, in order to be classified as a ‘more specific rule’ within the meaning of Article 88(1) of the GDPR, a rule of law must satisfy the conditions laid down in paragraph 2 of that article. Apart from having a normative content specific to the area regulated, which is distinct from the general rules of that regulation, those more specific rules must seek to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context and include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights. Particular regard must be had to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the work place.

75      In the light of all the foregoing, the answer to the first question is that Article 88 of the GDPR must be interpreted as meaning that national legislation cannot constitute a ‘more specific rule’, within the meaning of paragraph 1 of that article, where it does not satisfy the conditions laid down in paragraph 2 of that article.

 The second question

76      By its second question, the referring court asks, in essence, what conclusions should be drawn from a finding that national provisions adopted to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context are incompatible with the conditions and limits laid down in Article 88(1) and (2) of the GDPR.

77      In that regard, it must be borne in mind that, under the second paragraph of Article 288 TFEU, a regulation is to be binding in its entirety and is to be directly applicable in all Member States, so that its provisions do not, as a general rule, require the adoption of any implementing measures by the Member States (judgment of 15 June 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483, paragraph 109).

78      However, as has been recalled in paragraph 51 above, opening clauses provided for by the GDPR allow Member States the possibility of laying down additional, stricter or derogating national rules and leave them a margin of discretion as to the way in which the provisions concerned may be implemented.

79      As has been noted in paragraph 59 above, when the Member States exercise the option granted to them by an opening clause of the GDPR, they must use their discretion under the conditions and within the limits laid down by the provisions of that regulation and must therefore legislate in such a way as not to undermine the content and objectives of that regulation.

80      It is for the referring court, which alone has jurisdiction to interpret national law, to assess whether the provisions at issue in the main proceedings comply with the conditions and limits laid down in Article 88 of the GDPR, as summarised in paragraph 74 above.

81      However, as the Advocate General observed in points 60 to 62 of his Opinion, provisions such as Paragraph 23(1) of the HDSIG and Paragraph 86(4) of the HBG, which make the processing of employees’ personal data subject to the condition that such processing is necessary for certain purposes connected with the performance of an employment relationship, appear to reiterate the condition for general lawfulness of processing already set out in point (b) of the first subparagraph of Article 6(1) of the GDPR, without adding a more specific rule within the meaning of Article 88(1) of that regulation. Indeed, such provisions do not appear to have a normative content specific to the area regulated, which is distinct from the general rules of that regulation.

82      If the referring court were to find that the provisions at issue in the main proceedings do not comply with the conditions and limits laid down in Article 88 of the GDPR, it would, in principle, be required to disregard those provisions.

83      In accordance with the principle of the primacy of EU law, provisions of the Treaties and directly applicable measures of the institutions have the effect, in their relations with the internal law of the Member States, merely by entering into force, of rendering automatically inapplicable any conflicting provision of national law (judgments of 9 March 1978, Simmenthal, 106/77, EU:C:1978:49, paragraph 17; of 19 June 1990, Factortame and Others, C-213/89, EU:C:1990:257, paragraph 18; and of 4 February 2016, Ince, C-336/14, EU:C:2016:72, paragraph 52).

84      Therefore, in the absence of more specific rules that comply with the conditions and limits prescribed by Article 88 of the GDPR, the processing of personal data in the employment context, both in the private and public sectors, is directly governed by the provisions of that regulation.

85      In that regard, it should be noted that points (c) and (e) of the first subparagraph of Article 6(1) of the GDPR, under which the processing of personal data is lawful where that processing is necessary, respectively, for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller, may apply to the processing of personal data such as that at issue in the main proceedings.

86      Article 6(3) of the GDPR provides, first, with regard to those two situations where processing is lawful, referred to respectively in points (c) and (e) of the first subparagraph of Article 6(1) of that regulation, that the processing must be based on EU law or on Member State law to which the controller is subject and adds, secondly, that the purposes of the processing are to be determined in that legal basis or, as regards the processing referred to in point (e) of the first subparagraph of Article 6(1), are to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (see, to that effect, judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C-180/21, EU:C:2022:967, paragraph 95).

87      It should be pointed out that the Court has already held that lawful processing of personal data by the controllers on the basis of point (e) of the first subparagraph of Article 6(1) of the GDPR presupposes not only that they can be regarded as performing a task carried out in the public interest, but also that the processing of personal data for the purpose of performing such a task is founded on a legal basis referred to in Article 6(3) of that regulation (see, to that effect, judgment of 20 October 2022, Koalitsia ‘Demokratichna Bulgaria – Obedinenie’, C-306/21, EU:C:2022:813, paragraph 52).

88      Consequently, where the referring court finds that the national provisions on the processing of personal data in the employment context do not comply with the conditions and limits laid down in Article 88(1) and (2) of the GDPR, it must still verify whether those provisions constitute a legal basis referred to in Article 6(3) of that regulation, read in conjunction with recital 45, which complies with the requirements laid down in that regulation. If that is the case, the national provisions must not be disregarded.

89      In the light of the foregoing, the answer to the second question referred for a preliminary ruling is that Article 88(1) and (2) of the GDPR must be interpreted as meaning that the application of national provisions adopted to ensure the protection of employees’ rights and freedoms in respect of the processing of their personal data in the employment context must be disregarded where those provisions do not comply with the conditions and limits laid down in Article 88(1) and (2), unless those provisions constitute a legal basis referred to in Article 6(3) of that regulation, which complies with the requirements laid down by that regulation.

 Costs

90      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

1.      Article 88 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that national legislation cannot constitute a ‘more specific rule’, within the meaning of paragraph 1 of that article, where it does not satisfy the conditions laid down in paragraph 2 of that article.

2.      Article 88(1) and (2) of Regulation 2016/679

must be interpreted as meaning that the application of national provisions adopted to ensure the protection of employees’ rights and freedoms in respect of the processing of their personal data in the employment context must be disregarded where those provisions do not comply with the conditions and limits laid down in Article 88(1) and (2), unless those provisions constitute a legal basis referred to in Article 6(3) of that regulation, which complies with the requirements laid down by that regulation.

[Signatures]

*      Language of the case: German.



Disclaimer