General clauses, such as Section 26 (1) of the Federal Data protection Act (BDSG), which merely reflect the general principles of the GDPR, are not "more specific provisions" within the meaning of Article 88 of the GDPR.
In its ruling of 30 March 2023, the European Court of Justice (ECJ) specified the requirements for national data protection. The existing general clauses with regard to data processing in the employment context must be classified as inapplicable because they are contrary to European law.
The opening clause of Article 88 of the GDPR allows Member States to lay down more specific rules and requirements to be complied with when processing personal data in the context of employment relationships. However, if this authorisation is used, then concrete, more "specific" rules must also be created that serve to protect rights and freedoms in the employment context and include specific measures. A mere repetition of general basic principles of data protection law, by contrast, is not sufficient, as these must always be observed anyway.
If only the general principles of Art. 5 and Art. 6 of the GDPR are repeated within a national provision, the requirements of Art. 88(1) and (2) of the GDPR are not met.
The express aim of the GDPR is to harmonise the level of data protection and the safeguarding of rights and freedoms within the Member States. Article 88 of the GDPR breaks with this objective and deliberately accepts that the Member States deviate from the desired harmonisation within a limited framework by creating special provisions in the employment context. However, this breach should only be acceptable in exceptional cases and only if the special provisions created contain concrete measures to safeguard the human dignity and fundamental rights of the persons concerned. Consequently, they must then also differ from the general rules of the GDPR. In particular, transparency and the transfer of personal data within a group of companies must be addressed and specifications made in this regard.
If the national provision does not meet the requirements of Art. 88 GDPR, it must remain inapplicable.
Although the ECJ's decision was issued in the matter of Section 23 (1) sentence 1 of the Hessian Data Protection and Freedom of Information Act (HDSIG), this is practically identical to Section 26 (1) BDSG. Since Section 26 (1) BDSG essentially reflects general basic principles of the GDPR without containing independent regulations, the inapplicability of Section 26 (1) BDSG must also be assumed against the background of the above-mentioned principles.
There are no immediate major consequences for the practice of data processing, as the processing of personal data in the context of employment relationships can regularly be justified according to Article 6 of the GDPR if Section 26 (1) of the BDSG is inapplicable. In particular, the legal bases of contract performance and the balancing of interests are also contained in Art. 6 DS-GVO, so that Section 26 (1) BDSG can thus be replaced.