Referral C-65/23 (K GmbH, 8 Feb 2023)

1. Is a national legal provision that has been adopted pursuant to Article 88(1) of Regulation (EU) 2016/679 – such as Paragraph 26(4) of the Bundesdatenschutzgesetz (German Federal Law on data protection, ‘the BDSG’) – and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) of Regulation 2016/679, to be interpreted as meaning that the other requirements of Regulation 2016/679 – such as Article 5, Article 6(1) and Article 9(1) and (2) of Regulation 2016/679 – must always also be complied with?

2. If the answer to Question 1 is in the affirmative:May a national legal provision adopted pursuant to Article 88(1) of Regulation 2016/679 – such as Paragraph 26(4) of the BDSG – be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5, Article 6(1) and Article 9(1) and (2) of Regulation 2016/679 that is subject to only limited judicial review?

3. If the answer to Question 2 is in the affirmative:
In such a case, to what is the judicial review to be limited?

4. Is Article 82(1) of Regulation 2016/679 to be interpreted as meaning that a person is entitled to compensation for non-material damage when his or her personal data have been processed contrary to the requirements of Regulation 2016/679, or does the right to compensation for non-material damage additionally require that the data subject demonstrate non-material damage – of some weight – suffered by him or her?

5. Does Article 82(1) of Regulation 2016/679 have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) of Regulation 2016/679?

6. Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) of Regulation 2016/679? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?