In its activity report 2021, published at the end of 2022, the Bavarian data protection supervisory authority (BayLDA) addressed the question of whether employees can refuse to sign the data protection declaration of commitment. This declaration of commitment is signed at the start of employment, after the mandatory training on data protection.
Hereby, the employee confirms that they will process personal data exclusively in a legally compliant manner according to the GDPR, only within the scope of their work activities and for no other purpose. Since liability issues and possible consequences under labour law in the event of grossly negligent behaviour also play a subordinate role here, reservations sometimes arise about signing such a document.
According to the BayLDA, the obligation to comply with data protection applies even without a declaration of commitment. The obligation to data protection, both for personal data and for business data, in particular business secrets, is a legal obligation and exists even without an additional signature of the declaration of commitment. In a simplified manner, a comparison can be made here with the road traffic regulations. Here, too, every road user must comply. Even without a written document, right-of-way rules and signposting must be observed. For companies that act as processors, the situation is aggravated by the fact that they are obliged in their agreements with their clients to commit their staff to data protection.
However, no written or electronic form is required in this sense. Thus, according to the BayLDA, the legal obligation is sufficient in principle.
In the case of absolute refusal, when additional information and education do not work for the person refusing, verifiability is important for the company. Employers should therefore document the complete process, including refusal, in order to be able to prove that data protection awareness has nevertheless taken place. The reason for the lack of a declaration of commitment should be recorded in a protocol or a statement. This should include the information provided to the employee, the reference to compliance with data protection and the confidentiality of data as an integral part of the employment relationship and that this applies by law beyond the termination of the employment relationship.
In order to avoid such a situation, legitimis recommends that the employee be fully informed in advance of the obligation to data protection about the meaning and purpose of the declaration of obligation. Here, the data protection officer can also clarify any reservations in a personal discussion and have a mediatory effect.
Why should a declaration of commitment be signed if the obligation is legal? The declaration of commitment is a confirmation and reinforcement of corporate data protection. It informs the employee of the obligation and its scope. The employer, on the other hand, has written and signed proof – in other words, he has fulfilled his duty of documentation.
Finally, the question arises whether employers should nevertheless employ employees who refuse to sign the declaration of commitment? With the measures described above, hiring or employment can still take place. Refusal must certainly be regarded as an exceptional case. To prevent this from happening, education and awareness-raising on the subject is essential.
Should such a situation arise, legitimis will support its clients with advice and action. Data protection remains exciting.