The recent ECJ judgment in Case C-65/23 (MK v K GmbH) delivers a clear and far-reaching message for employers across the EU: a works agreement cannot serve as a valid legal basis under the GDPR.
The case—originating in Germany—concerned the rollout of an HR platform. The employer introduced the system through a provisional works agreement with the works council and proceeded to transfer employee data—including sensitive information—to the US. The twist? The employee who brought the claim was also the chair of the works council.
He sued for EUR 3,000 in non-material damages under Article 82 GDPR, alleging that the data transfer exceeded what was authorized by the agreement and was therefore unlawful. Lower courts sided with the employer, but the German Federal Labour Court referred the case to the ECJ, asking whether a works agreement could substitute for the legal basis required under the GDPR.
The ECJ’s answer was unequivocal: No.
No Exceptions: GDPR Rules Supersede Works Agreements
The ECJ held that Article 88 GDPR, which allows Member States to adopt more specific rules on employee data processing, does not permit a deviation from core GDPR obligations.
Employers must always comply with:
- Article 5 (data minimisation, purpose limitation, lawfulness)
- Article 6(1) (lawful legal basis)
- Article 9(1) and (2) (extra protections for sensitive data)
Even if a works agreement is legally valid under national law, it cannot override the GDPR. The court explicitly rejected the idea that the “necessity” of processing can be left to the discretion of works councils and employers. Instead, courts must retain full authority to review whether data processing complies with the GDPR—including whether it is truly necessary.
Practical Impact: What Employers Must Now Do
This decision significantly raises the compliance bar for employers, especially those managing cloud-based HR systems or rolling out cross-border data transfers.
Here’s what needs to change:
- ✅ Do not rely on works agreements as a standalone legal basis for processing employee data.
- ✅ Assess necessity and proportionality of any data collection, particularly in test environments.
- ✅ Avoid transferring data to third countries (like the US) without adequate safeguards and a valid legal basis.
- ✅ Update your GDPR documentation to reflect independent compliance—not reliance on agreements.
What Would Happen Under Italian Law?
If this case had arisen in Italy, the conclusion would likely be the same—perhaps even more severe.
Under Italian law, collective bargaining agreements are recognized, but their impact is limited when it comes to data protection. The Italian Data Protection Code (Legislative Decree 196/2003), as amended to comply with GDPR, does not expressly refer to works agreements as a way to bypass the legal bases required under Articles 6 and 9 GDPR.
In fact, the Italian Data Protection Authority (Garante) has previously sanctioned employers who relied on collective bargaining agreements or internal works arrangements to justify processing that lacked a proper legal basis.
In other words: the same outcome would have occurred in Italy, perhaps with administrative fines attached.
Legal Basis Always Comes First
The ECJ’s ruling is a wake-up call. For too long, many employers have viewed works agreements as a flexible tool to manage internal compliance, particularly in HR. This decision puts an end to that approach.
The GDPR is clear: a valid legal basis must exist for all processing of personal data, and no internal agreement—however well-intentioned—can replace it.
Key Takeaways
- Works agreements are not a legal basis under GDPR.
- GDPR Articles 5, 6(1), and 9 apply fully—even with collective bargaining agreements.
- Judicial review of necessity is mandatory.
- Employers must ensure GDPR compliance independently of internal agreements.