Data Protection in (Digital) Employee Surveys
Information in employee questionnaires as personal data
When an employee or manager completes a questionnaire, information is processed that is clearly attributable to an identifiable individual. In addition to basic data such as the name, the questionnaire specifically collects performance and behavioral data, assessments of goal achievement, and feedback on management culture. This constitutes personal data within the meaning of Article 4(1) of the GDPR. This data is sensitive and allows conclusions to be drawn about the professional suitability and personality of the data subject. A legal basis is therefore mandatory for its lawful processing.
Consent and Section 26(1) BDSG as a Legal Basis
Consent pursuant to Section 26(2) of the Federal Data Protection Act (BDSG) is generally considered a legal basis for data processing. In practice, however, consent is often associated with uncertainties. Due to the structural relationship of dependency, the voluntary nature of consent is subject to strict requirements. Furthermore, consent may be revoked at any time without providing reasons.
Therefore, § 26(1) BDSG is regularly relied upon as the legal basis. According to this provision, the processing of personal data is permissible if it is necessary for the performance of the employment relationship. Structured employee appraisals serve to manage personnel deployment, assess performance, and provide individual development support, which is why they are generally considered necessary for the performance of the employment relationship.
Nevertheless, caution and a precise examination of the individual case—and thus of every single question included in the questionnaire—are warranted. The threshold of necessity may be exceeded, for example, if information from the private sphere is requested that has no direct connection to the work performance required. Data processing is then no longer covered by Section 26(1) of the BDSG.
Transparency Requirements and Specifics of Digital Tools
In principle, paper questionnaires and digital tools are subject to the same data protection requirements. In addition to having the correct legal basis, companies must fulfill their transparency obligations and inform their employees comprehensively about the details of data processing in accordance with Art. 13 GDPR.
Digital tools entail specific additional requirements: In particular, the use of cloud solutions constitutes processing on behalf of a controller within the meaning of Art. 28 GDPR, which requires the conclusion of a legally compliant data processing agreement (DPA) between the company and the software provider. Furthermore, the early involvement of the works council—if one exists—is necessary because digital systems for performance and behavior monitoring are generally subject to its co-determination rights.
Individual Consultation from VOELKER
Would you like to digitize your employee questionnaires in a legally compliant manner? The law firm VOELKER offers specialized advice on data protection and labor law. We review your existing questionnaires for necessity within the meaning of Section 26(1) BDSG, prepare legally compliant information sheets for your employees, and review your data processing agreements with software providers.