Data Processing of Employee Data in B2B Transactions: A Legal Perspective

In the realm of B2B transactions, understanding the legal basis for processing employee data of customers and suppliers is critical. A company, referred to as A, involved in manufacturing and selling hardware with support services, faces this challenge. While the GDPR provides guidelines, the applicability of these guidelines in specific contexts, particularly in B2B transactions, can be complex.

The central issue revolves around whether the data processing of employees, who handle transactions for their respective companies, falls under Article 6(1)(b) of the GDPR, which allows processing if it’s “necessary for the performance of a contract.” However, the application is debatable, since the employees processing the data are not the parties to the contractual agreement but are employees (under an employment law relationship) of the parties involved.

Principle of Lawfulness and the Underlying Scenario
Regardless of how sensitive or classified the information is, all personal data must be processed lawfully as per Article 5(1)(a) of the GDPR. This necessitates a legal basis for processing, derived from the GDPR, the BDSG (Federal Data Protection Act), specialized laws, collective agreements, or works agreements.

For instance, when customer B purchases hardware with support services from A, a contract is established between A and B. The legal entities A and B do not act themselves; instead, their employees handle various tasks such as ordering, delivery, complaints, and customer service. During these processes, employees exchange various personal data.

Legal Basis for Data Processing
The GDPR offers several bases for lawful data processing in such scenarios, including:

  • Consent under Article 6(1)(a)
  • Contract performance or initiation under Article 6(1)(b)
  • Data processing based on overriding interests under Article 6(1)(f)
  • Section 26 of the BDSG for processing employee data

Consent and Contractual Necessity
Obtaining consent for processing can be cumbersome and risky due to its revocable nature. On the other hand, processing for contract performance where the employees are not direct parties to the contract leads to interpretations that extend beyond the conventional understanding of Article 6(1)(b). The literature and case law suggest that data processing by third parties can be legitimate if it’s necessary for the performance of a contract to which the affected individual is a party.

Connecting to Employment Relationship
Some opinions demand a connection between the main contract (between A and B) and the employment contracts of B’s employees. Data processing should not be unilaterally imposed without objective necessity.

Data Protection Principles
While considering the necessity of data processing, the principles of fairness, transparency, data minimization, and integrity and confidentiality must be adhered to. It’s crucial that employees are informed about the processing of their data for business transactions.

Conclusion
Multiple legal grounds are potentially applicable for data processing in such B2B relationships:

  • Consent, which is revocable and legally demanding
  • Article 6(1)(b) GDPR, applicable if there’s a connection to the employment relationship and the data protection principles are considered
  • Article 6(1)(f) GDPR, which offers employees the right to object

In summary, while consent provides an uncertain and revocable basis, processing under Article 6(1)(b) and 6(1)(f) offers more stable grounds, provided the principles of the GDPR are thoroughly considered and applied.
