By Flemming Moos
On April 24, 2009, the so-called Düsseldorfer Kreis (the assembly of all supreme German DPAs) adopted a resolution on privacy aspects of employee screenings by internationally operating companies.
In the resolution, the Düsseldorfer Kreis addresses whether it is permissible for international companies to screen their employees against official lists that contain the names of persons suspected of involvement in terrorism. The assembly stated that such screenings might be lawful under German data protection law, in particular on the basis of a balancing-of-interest test, provided that the rule of law is observed in the creation of the respective list and that individuals are given sufficient legal remedy. This will most likely be the case for the ‘denied persons’ lists included in several EU Regulations relating to restrictions on economic and financial relations with Iraq. Yet the Düsseldorfer Kreis did not explicitly give its opinion on ‘denied persons’ lists originating from other countries or organizations.
Consent of the employee is not considered to be a valid basis for these kinds of screenings due to an alleged lack of voluntariness.
With respect to another type of employee screening, the Data Privacy Officer (DPO) of Hamburg has found that certain anti-corruption practices by major European aircraft manufacturer Airbus are incompatible with German data protection rules. The company had apparently compared personal details of some 20,000 employees, including employee ID and bank details, with the corresponding bank details of suppliers.
In its decision, the Hamburg DPO stated that, for such screenings to be lawful, the works council and the company's data protection officer must be informed and involved beforehand. Furthermore, in order to meet the requirements under the proportionality rule, screenings must be limited to employees in departments that are prone to corruption.
In this respect, it should also be noted that on September 1, 2009, a new Sec. 32 was inserted into the Federal German Data Protection Act. It sets an explicit legal framework for data processing steps intended to reveal criminal conduct.