BAG Workday Ruling: HR Data Processing Without § 26 BDSG
After BAG 8 AZR 209/21 (8 May 2025), § 26 (1) BDSG is inapplicable as a rule under the Art. 88 DSGVO opening clause. German startups must base HR data processing on Art. 6 (1) DSGVO directly.
Key Summary
The Bundesarbeitsgericht held on 8 May 2025 (8 AZR 209/21, Workday) that § 26 Abs. 1 BDSG cannot serve as an Art. 6 (3) DSGVO legal basis because it does not meet the Art. 88 (1)/(2) DSGVO requirements clarified by the EuGH in C-34/21 (30.03.2023) and C-65/23 (19.12.2024). For startups, the practical move is to re-base every HR data processing activity on Art. 6 (1) (b), (c) or (f) DSGVO directly, update Art. 13 DSGVO notices and DSFA records, and treat any Betriebsvereinbarung as a substantive control plane rather than a legal-basis shortcut. A new Beschäftigtendatengesetz (BeschDG) is on the 2026 government agenda, but a draft will not be in force before late 2026 at the earliest.
The Bundesarbeitsgericht decided on 8 May 2025 (Aktenzeichen 8 AZR 209/21, the Workday case) that § 26 Abs. 1 BDSG is not a valid legal basis for HR data processing under Art. 6 (3) DSGVO. The statute is still on the books. Courts no longer apply it as a freestanding ground. Every startup that bases its HR processing on "§ 26 BDSG" in its privacy notice is now citing a basis the BAG has held inapplicable.
The fix is mechanical, not strategic. Re-base the same processing on Art. 6 (1) (b), (c) or (f) DSGVO directly, update the Art. 13 DSGVO information, and document the assessment. The Beschäftigtendatengesetz (BeschDG) that would solve this in German law sat in the BMAS/BMI Referentenentwurf of 8 October 2024 and never made it past the coalition breakup. A fresh draft is expected in H1 2026. Until it lands and enters into force, the DSGVO applies to HR data directly.
What the BAG actually held
The Workday case ran on a single set of facts that founders see all the time. A group of companies introduced Workday across the group. Before the rollout, real employee data was transferred to the US parent for testing. The applicable Betriebsvereinbarung allowed transfer of basic fields only (name, entry date, location). The actual transfer included salary, social security number, tax ID, home address, date of birth, age, marital status.
The BAG (8. Senat, 08.05.2025, 8 AZR 209/21) decided three things:
- § 26 Abs. 1 BDSG is inapplicable as an Art. 6 (3) DSGVO basis because it does not satisfy the Art. 88 (1)/(2) DSGVO opening-clause requirements as clarified by the EuGH in C-34/21 (30 March 2023) and C-65/23 (19 December 2024).
- The Betriebsvereinbarung did not cover the processing because the actual data exceeded what the BV authorized. Even where a BV could in principle support processing, Art. 5/6/9 DSGVO review still applies independently.
- Loss of control over personal data is non-material damage within Art. 82 DSGVO. The court awarded EUR 200.
The EUR 200 figure is less interesting than the legal route. The BAG validated the EuGH chain (C-34/21 + C-65/23) and applied it to a generic SaaS-rollout fact pattern that any growth-stage startup will run into.
Why § 26 BDSG fails Art. 88 DSGVO
The EuGH reasoning is short. Art. 88 (1) DSGVO lets Member States adopt "more specific" rules on employment data, but Art. 88 (2) DSGVO requires those rules to contain specific safeguards (human dignity, legitimate interests, transparency, monitoring, transfers within groups).
In C-34/21 (the Hesse teacher-streaming case) the EuGH held that a national rule that merely repeats DSGVO principles is not "more specific" and does not benefit from Art. 88. In C-65/23 (a BAG referral that originated in a different Workday-style group rollout) the EuGH extended the logic to § 26 Abs. 4 BDSG: a Betriebsvereinbarung under that paragraph does not insulate processing from Art. 5/6/9 DSGVO scrutiny.
The BAG in 8 AZR 209/21 closed the loop for § 26 Abs. 1 BDSG itself. The provision essentially restates the DSGVO necessity test plus a few procedural notes. It contains no Art. 88 (2)-style safeguards. So courts disapply it.
What this means if your startup has no Betriebsrat
Most early-stage startups (5 to 50 people, no works council) base their HR data processing implicitly on § 26 BDSG. The Personio, HiBob, Workday or BambooHR setup ships with a privacy notice template that names § 26 BDSG as the legal basis. After Workday, that template is incorrect.
The substantive change is small. The processing was almost always defensible on Art. 6 (1) (b) DSGVO (contract performance) and Art. 6 (1) (c) DSGVO (statutory duties) anyway. What changes is the citation in the Art. 13 DSGVO notice and in the Verzeichnis von Verarbeitungstätigkeiten. Per processing activity, name the matching Art. 6 (1) DSGVO basis directly:
| HR processing activity | Correct DSGVO basis after Workday |
|---|---|
| Master data, contracts, payroll calculation | Art. 6 (1) (b) DSGVO (contract performance) |
| Lohnsteuer + SV reporting, ELStAM, occupational safety records | Art. 6 (1) (c) DSGVO (statutory duty) |
| Time tracking, holiday tracking, expense reimbursement | Art. 6 (1) (b) DSGVO |
| Performance review, 360 feedback, HR analytics | Art. 6 (1) (f) DSGVO with written LIA |
| IT monitoring, log retention beyond contract necessity | Art. 6 (1) (f) DSGVO with written LIA |
| Health data, union membership, religious data | Art. 9 (2) (b) DSGVO + safeguards in employment law (note: § 26 (3) BDSG inherits the Art. 88 problem, so sensitive-data processing often needs Art. 9 (2) (h) for occupational health, an applicable collective bargaining clause, or explicit consent rather than the bare § 26 BDSG hook) |
The legitimate-interest assessments are the part founders skip. They are the part the BfDI and Länder authorities look at first in a complaint.
What this means if you have a Betriebsvereinbarung
A BV is still useful but no longer dispositive. The EuGH in C-65/23 was explicit: the BV must independently survive Art. 5/6/9 DSGVO review. Three things to check:
- The BV must list the categories of data, purpose, recipients, retention, and third-country transfers with the precision Art. 13 DSGVO already requires.
- The actual processing must stay within what the BV authorizes. The Workday case turned on the gap between "basic fields" (BV) and "salary plus SSN plus address" (actual transfer).
- Where the BV references a group-internal recipient outside the EU, the BV cannot substitute for an Art. 46 DSGVO transfer mechanism. For US parents the practical path since July 2023 is the EU-US Data Privacy Framework where the recipient is self-certified; otherwise Standard Contractual Clauses plus a Transfer Impact Assessment apply. Binding Corporate Rules cover the larger groups.
Among the startups I advise that grew past 60 employees and signed their first BV, the most common mistake is treating the BV as a wall against DSGVO scrutiny. It is not. It is a substantive control plane that the supervisory authority will read alongside the actual processing logs.
Five steps to re-base HR data after Workday
What is coming — BeschDG and timeline
The Beschäftigtendatengesetz is the politically expected fix. The BMAS/BMI Referentenentwurf of 8 October 2024 (the "BeschDG-E") proposed a full Art. 88 DSGVO implementation with explicit safeguards. It contained typed legal bases for HR processing, AI-system rules referencing the AI Act, an evidence-exclusion rule for unlawfully obtained data, and specific transparency duties.
The draft did not become law. The previous coalition broke up in November 2024 before the cabinet decision. The current federal government has the BeschDG on its legislative agenda. A revised draft is commonly reported for H1 2026, with a realistic entry-into-force window of late 2026 or early 2027. Until then, the legal landscape is the one the Workday ruling describes.
Bottom line
The legal change is real; the operational fix is small if you do it now and large if you wait for an audit. Replace § 26 BDSG in your privacy notice and Verzeichnis with the correct Art. 6 (1) DSGVO basis per processing activity, write the LIAs that justify the Art. 6 (1) (f) ones, and treat any Betriebsvereinbarung as something the supervisory authority will read alongside actual data flows, not as a wall against scrutiny. The BeschDG might land in 2027. The Workday ruling already binds courts.
Legal Sources
- § 26 Abs. 1 BDSG — German Federal Data Protection Act, employment data clause; held inapplicable as autonomous Art. 6 (3) DSGVO basis by BAG 8 AZR 209/21 (8 May 2025) for failing Art. 88 (1)/(2) DSGVO requirements
- § 26 Abs. 4 BDSG — BDSG clause on collective agreements as employment-data legal basis; still applies but the BV must independently satisfy Art. 5, 6 and 9 DSGVO per EuGH C-65/23
- Art. 88 (1) DSGVO — Opening clause for more specific national rules on employment data; § 26 BDSG fails this test
- Art. 88 (2) DSGVO — Substantive safeguards Art. 88 national rules must contain (human dignity, transparency, monitoring rules, data transfers)
- Art. 6 (1) (b) DSGVO — Contract performance — primary basis for routine HR data (payroll, time tracking, master data) after Workday
- Art. 6 (1) (c) DSGVO — Statutory duties — payroll tax reporting, social security, occupational safety
- Art. 6 (1) (f) DSGVO — Legitimate interests — HR analytics, performance review, IT monitoring; requires written LIA
- Art. 9 (2) (b) DSGVO — Special categories in employment (health data, union membership); requires safeguards and a legal basis in employment law
- Art. 13 DSGVO — Information obligations at point of collection; must cite correct Art. 6 (1) DSGVO basis after Workday
- Art. 82 DSGVO — Compensation for non-material damage; loss of control over personal data is recognized as such
- BAG, 08.05.2025 - 8 AZR 209/21 (Workday) — § 26 (1) BDSG does not satisfy Art. 88 (1)/(2) DSGVO and cannot serve as an Art. 6 (3) DSGVO basis. Loss of control over personal data is a non-material damage under Art. 82 DSGVO. EUR 200 damages awarded for sending real employee data (incl. salary, social security number, home address) to US parent for Workday testing where the BV permitted only basic fields.
- EuGH, 30.03.2023 - C-34/21 (MD ./. Land Hessen) — National rules that merely repeat DSGVO principles are not 'more specific' within Art. 88 (1) DSGVO. The judgment directly invalidated § 23 (1) HDSIG and was widely read in commentary as also undermining § 26 (1) BDSG as an Art. 88 basis; the BAG drew that consequence explicitly in 8 AZR 209/21.
- EuGH, 19.12.2024 - C-65/23 (K GmbH, Workday-Vorlage des BAG) — Collective agreements under § 26 (4) BDSG are fully reviewable against Art. 5, 6 and 9 DSGVO. The BV does not insulate processing from DSGVO scrutiny.
- BMAS / BMI, Referentenentwurf eines Gesetzes zur Stärkung eines fairen Umgangs mit Beschäftigtendaten (BeschDG-E), 08.10.2024 — Joint draft of the German Art. 88 DSGVO implementation; expressly intended to replace § 26 BDSG. The draft did not pass cabinet before the November 2024 coalition breakup. The current federal government has the project on its legislative agenda, with a fresh draft commonly reported for H1 2026.
- LfDI Baden-Württemberg, FAQ zu Rechtsgrundlagen bei Beschäftigtendaten (EuGH C-34/21), 2023 — First detailed supervisory authority guidance on the C-34/21 fallout. Confirms that Art. 6 (1) DSGVO applies directly to HR data processing where no Art. 88-compliant national rule exists.
Frequently Asked Questions
- Is § 26 BDSG still in force?
  Yes. The statute is on the books. But the BAG held in its 8 May 2025 Workday decision (8 AZR 209/21) that § 26 Abs. 1 BDSG does not satisfy the Art. 88 (1) and (2) DSGVO opening-clause requirements as interpreted by the EuGH in C-34/21 and C-65/23. Courts therefore disapply it as an autonomous legal basis. Processing must rest on Art. 6 (1) DSGVO directly.
- Which DSGVO legal basis replaces § 26 (1) BDSG for routine HR data?
  For data that is contractually necessary (payroll, time tracking, holiday tracking, master data), Art. 6 (1) (b) DSGVO covers it. For data driven by statutory duties (Lohnsteuer, social security reporting, occupational safety), Art. 6 (1) (c) DSGVO. For HR analytics, performance evaluations, IT logs, or onboarding-tool extracts, Art. 6 (1) (f) DSGVO with a written legitimate-interest assessment is the typical basis. Special categories (health, union membership) need Art. 9 (2) (b) DSGVO.
- Does the ruling kill the Betriebsvereinbarung as a legal basis?
  No, but it kills the assumption that a BV is a free pass. The EuGH in C-65/23 confirmed that even a BV under § 26 (4) BDSG is fully reviewable against Art. 5, 6 and 9 DSGVO. The BAG Workday decision applied this directly. The employer's BV permitted only basic data, the actual transfer to the US parent included salary, social security number and home address, so the BV did not cover the processing and the underlying basis collapsed. A BV is still useful as a substantive control plane; it is no longer the citation that makes processing lawful.
- What is the BeschDG and when will it apply?
  The Beschäftigtendatengesetz (BeschDG) is the planned German Art. 88 DSGVO implementation. The BMAS/BMI Referentenentwurf of 8 October 2024 failed when the previous coalition broke up in November 2024. The current federal government has the project in its 2026 Sofortprogramm; a fresh draft is expected in H1 2026, with entry into force not before late 2026, more likely 2027. Until then there is no German Art. 88-compliant law and the DSGVO applies directly to HR data.
- Do I have to redo every employee privacy notice now?
  Yes, but the change is mostly mechanical. The Art. 13 DSGVO notice that names § 26 BDSG as legal basis is incorrect after the Workday ruling. Replace it with the matching Art. 6 (1) DSGVO basis per category of processing. For HR systems with sensitive data (Personio, HiBob, Workday, BambooHR), also update the DSFA and the Verzeichnis von Verarbeitungstätigkeiten.