The German Dimension: BetrVG, BDSG & Your 2026 Compliance Roadmap(AI employee monitoring Germany compliance)

DEEP DIVE SERIES | Part 3 of 3

Germany-specific compliance for AI monitoring — works council rights, employee data law uncertainty, and a month-by-month implementation roadmap for H2 2026

May 2026  |  PEOPLEGRIP GmbH

Executive Summary(AI employee monitoring Germany compliance)

Germany combines the EU AI Act and GDPR obligations with a uniquely powerful layer of domestic labour and data protection law. The Betriebsverfassungsgesetz (BetrVG) grants works councils mandatory co-determination rights over any technical monitoring system — a right that predates the AI Act by decades and carries its own enforcement mechanisms. BDSG §26 creates a narrower lawful basis for employee data processing than GDPR’s legitimate interest. And the pending Beschäftigtendatengesetz (BeschDG) signals even stricter requirements to come.

For organisations operating in Germany — whether as German companies or as foreign-headquartered groups with German subsidiaries — navigating this three-layer regulatory stack is the central compliance challenge of 2026.

In Germany, there is no legal path to deploying AI monitoring tools without works council engagement. The question is not whether to involve the Betriebsrat, but how to structure that engagement to produce a defensible Betriebsvereinbarung that satisfies both BetrVG and the AI Act simultaneously — and to do so before August 2026.

This article — the third and final instalment in this series — provides a Germany-specific compliance guide and a practical implementation roadmap for the second half of 2026.

This is the third and final article in PEOPLEGRIP's Deep Dive series on AI employee monitoring in the EU.

Part 1 examined the EU AI Act's risk classification framework and prohibited practices for HR AI tools.

Part 2 covered GDPR obligations, lawful bases, and the DPIA/FRIA requirement for deployers.

This article focuses on the German-specific compliance layer — BetrVG, BDSG §26, and the emerging BeschDG.

Update: May 2026

AI Omnibus: Political Agreement Reached (7 May 2026)

The European Parliament and Council reached a provisional agreement on the Digital Omnibus on AI. For organisations with AI systems embedded in regulated products (Annex I), the application of high-risk rules under Article 6 is now linked to the availability of harmonised standards and may extend to August 2027.

Critically, Annex III high-risk systems — including AI used in employment, recruitment, and performance management — remain subject to the 2 August 2026 deadline. The H2 2026 roadmap in Section 6 should be treated as firm for HR AI tools.

Draft Transparency Guidelines Published (8 May 2026)

The EU AI Office opened a public consultation on draft guidelines clarifying the Article 50 transparency obligations (consultation closes 3 June 2026, final guidelines expected Q2 2026).

For HR deployers, the draft confirms: (1) AI systems used in recruitment and performance management must disclose their use to affected employees (2) deployers of Annex III high-risk AI systems — including hiring and performance AI — must register in the EU AI database by 2 August 2026 and (3) transparency reports must cover purpose, risk classification, and human oversight arrangements.

Note: the guidelines are not yet finalised — organisations should monitor the final version, expected June 2026, before locking compliance documentation.

1. Why Germany Is a Special Case

The EU AI Act establishes a floor — minimum obligations that all EU member states must meet. Germany builds significantly above that floor through three national instruments that apply alongside the EU framework:

• Betriebsverfassungsgesetz (BetrVG) — The Works Constitution Act grants works councils co-determination rights (Mitbestimmungsrecht) over technical monitoring systems under §87 No. 6. This is not an advisory or consultative right — it is a veto right. The employer cannot unilaterally deploy a technical monitoring system if a works council exists and has not agreed.

• Bundesdatenschutzgesetz (BDSG) — The Federal Data Protection Act implements GDPR in Germany with employment-specific provisions in §26. BDSG §26 is the primary lawful basis for employee data processing in Germany and is materially narrower than GDPR’s legitimate interest basis.

• Beschäftigtendatengesetz (BeschDG) — Draft: The pending Employee Data Act, with its October 2024 draft, signals a significant tightening of employee data protections, including specific provisions on algorithmic decision-making in HR contexts. While not yet enacted, its direction is clear and its provisions are already influencing works council negotiations.

These three instruments, operating alongside the EU AI Act and GDPR, create a compliance matrix that is unique in Europe. German-specific compliance is not an add-on to EU compliance — it is structurally different from the EU baseline, and more demanding in several key respects.

2. BetrVG §87(1) No. 6 — Works Council Co-Determination for AI Monitoring

A. What Triggers the Co-Determination Right

BetrVG §87 No. 6 grants works councils a co-determination right over “the introduction and use of technical devices designed to monitor the behaviour or performance of employees.” The Bundesarbeitsgericht (Federal Labour Court) has interpreted this provision broadly. It applies whenever:

• A technical device is used (including software — not just hardware).

• The device is capable of monitoring employee behaviour or performance — even if monitoring is not its primary purpose.

• There is an objective possibility of surveillance — the actual intention of the employer is irrelevant.

Practical reach: Every AI monitoring tool described in Part 1 of this series triggers §87 No. 6. Productivity dashboards, performance scoring engines, communication analysis tools, attendance prediction systems, and task allocation AI all constitute “technical devices capable of monitoring behaviour or performance.” There are no exceptions for “passive” monitoring, aggregated-data-only tools, or systems where monitoring is incidental to the primary function.

B. The Betriebsvereinbarung as Compliance Mechanism

The standard outcome of a §87 No. 6 consultation is a Betriebsvereinbarung (BV) — a binding works agreement between the employer and the works council. The BV is legally equivalent to a collective agreement for the matters it covers, and it binds all employees in the establishment. A well-structured BV for an AI monitoring tool serves simultaneously as a BetrVG compliance instrument, a GDPR lawful basis supplement (BDSG §26(4)), and an AI Act Article 26(7) consultation record.

A comprehensive BV for an AI monitoring tool should address the following clauses:

C. What Works Councils Can Demand — and Typically Do

Works councils in Germany have developed sophisticated positions on AI monitoring tools, often advised by specialist unions (particularly ver.di and IG Metall, both of which have published detailed guidance on AI in the workplace). Common works council demands in BV negotiations include:

• A prohibition on individual-level performance scoring by AI — only team-level aggregates may be disclosed to management.

• Minimum anonymisation thresholds before management access (e.g., a minimum team size of 10 before individual data is visible).

• A requirement that AI outputs serve only as input to human decisions — never as standalone decisions affecting employment terms.

• Mandatory human review for any AI-flagged “performance concern” before any management action is taken.

• A works council seat on any AI oversight or review committee.

• Periodic bias audits by an independent third party, with results shared with the works council.

D. Consequences of Unilateral Deployment

Deploying an AI monitoring tool without works council agreement where §87 No. 6 applies carries serious legal consequences:

• Injunction: The works council can seek an immediate injunction (einstweilige Verfügung) in the labour court (Arbeitsgericht) prohibiting further use of the system.

• Evidence exclusion: Any data collected during the period of unauthorised deployment may be inadmissible in subsequent employment proceedings (Beweisverwertungsverbot).

• Dismissal voidance: Employees disciplined or terminated based on data from an illegally deployed monitoring system may successfully challenge their dismissal as void.

• Relationship damage: The employer’s trustworthiness with the works council is damaged, making future negotiations across all topics significantly harder.

3. BDSG §26 — The Legal Basis for Employee Data Processing

A. What BDSG §26 Permits

BDSG §26 is the primary lawful basis for processing employee personal data in Germany. Its core provision allows processing where it is “necessary for the decision to establish an employment relationship, or, after establishment, for its performance, termination, or exercise of rights and obligations of an employee representative body as laid down by law or collective agreement.” As covered in Part 2, GDPR Article 6(1)(f) legitimate interest provides a broader lawful basis across most EU member states. Germany's BDSG §26 is structurally different — and materially stricter.

This “necessity for the employment relationship” standard is stricter than GDPR’s legitimate interest test. German courts and the DSK have interpreted this to mean:

• Processing must be objectively necessary, not merely useful or commercially beneficial.

• The purpose must be directly linked to a core function of the employment relationship.

• There must be no less intrusive alternative available to achieve the same purpose.

For AI monitoring tools, the necessity requirement is genuinely demanding. Using AI to score individual productivity on a second-by-second basis is difficult to characterise as “necessary for the employment relationship” when aggregate team output measures could serve the same legitimate management purpose.

B. The Legal Uncertainty and Its Practical Implications

A consequential legal question remains contested: does BDSG §26 provide the exclusive lawful basis for employee data processing in Germany, or can employers fall back on GDPR Article 6(f) legitimate interest when §26 conditions are not met? The dominant view among German data protection authorities — consistently applied in DSK guidance and by several Länder supervisory authorities — is that BDSG §26 is exclusive in the employment context.

Practical consequence: German employers cannot use AI monitoring tools that would be permissible under a “legitimate interest” analysis in other EU jurisdictions. The compliance bar is materially higher in Germany than in most other member states.

C. Risk Mitigation Strategies

Three strategies offer the most defensible positions given this uncertainty:

• Combine §26 necessity with a Betriebsvereinbarung: A BV that specifically authorises the processing provides an independent legal basis supplement under BDSG §26, reducing vulnerability to necessity challenges. This is the most robust approach available.

• Apply a strict necessity analysis: Apply the “no less intrusive alternative” test rigorously before deploying any AI monitoring tool. Document the analysis thoroughly. If a less intrusive method exists, either use it or justify why the AI approach is nonetheless proportionate.

• Consider voluntary prior consultation: For novel or particularly sensitive AI monitoring implementations, consider voluntary prior consultation with the relevant state data protection authority (Landesdatenschutzbehörde). A favourable opinion significantly reduces enforcement risk.

4. The Beschäftigtendatengesetz — What Is Coming

A. Current Draft Status

The German Federal Ministry of Labour published a draft Beschäftigtendatengesetz (BeschDG) in October 2024. As of March 2026, the draft is under parliamentary deliberation. While not yet enacted, its core provisions are politically well-supported across the major parties and represent a reliable indicator of where German employee data law is heading.

B. Key Provisions Affecting AI Monitoring

The October 2024 draft contains several provisions directly relevant to AI monitoring tools in the workplace:

C. Strategic Implications Before Enactment

Even if the BeschDG is not enacted before August 2026 — which appears likely given parliamentary timelines — two strategic implications apply immediately. First, organisations that build their AI compliance architecture around the BeschDG’s requirements now will avoid costly redesigns when it eventually passes. Second, works councils and employee representatives are already using the BeschDG draft as a negotiating benchmark in Betriebsvereinbarung discussions — citing its provisions as the standard they expect employers to meet voluntarily.

5. HQ–Subsidiary Governance: The Cross-Border Compliance Gap

A. The Deployer Problem for Foreign-Headquartered Organisations

Many organisations operating in Germany are not German companies — they are foreign-headquartered groups (US, UK, APAC) with German subsidiaries or branches. When the group’s HR technology team deploys a global AI monitoring platform and rolls it out to the German entity, a compliance gap frequently emerges:

• The global tool was designed for the home market’s compliance requirements, which are often less stringent than Germany’s.

• The German subsidiary is the “deployer” under the AI Act and the entity legally responsible for BetrVG compliance — regardless of where the deployment decision was made.

• The global HR team may not have engaged the German works council, DPO, or the relevant Landesdatenschutzbehörde before rollout.

The practical consequence: The German subsidiary faces compliance liability for a tool it did not choose, cannot modify, and may not be able to suspend — because the contract is between the AI provider and the parent company, not the German entity.

B. Establishing a Compliant Cross-Border Governance Model

Four structural fixes address the HQ–subsidiary governance gap:

6. The H2 2026 Implementation Roadmap

For organisations that have not yet begun compliance preparation, the following month-by-month roadmap provides a prioritised path to August 2026 readiness — and to sustainable ongoing compliance thereafter.

7. Series Conclusion: The Path Forward

This three-part series has mapped the regulatory landscape that HR leaders must navigate when deploying AI-driven monitoring and performance management tools in the EU — and specifically in Germany. The central conclusion is structural: AI monitoring compliance in 2026 is not a single-framework problem.

It requires simultaneous compliance with the EU AI Act, GDPR, and — for Germany — the BetrVG, BDSG, and the emerging BeschDG. These frameworks are mutually reinforcing in their direction: more transparency, more human oversight, more worker rights, and more accountability for algorithmic decision-making.

The organisations that will navigate this landscape successfully are those that treat compliance not as a constraint to minimise, but as a governance opportunity: a chance to build AI systems that employees understand, works councils can engage with, and supervisory authorities can audit. In an era where the EU AI Act Whistleblower Tool enables employees to report non-compliance directly to the EU AI Office, governance quality is not just legally advantageous — it is operationally essential.

PEOPLEGRIP’s three recommendations for 2026:

• Start now: Every month of preparation before August 2026 reduces legal risk and works council conflict. The consultation, documentation, and technical changes required cannot be compressed into weeks.

• Integrate: Build one compliance architecture that satisfies the EU AI Act, GDPR, BetrVG, and BDSG simultaneously — not parallel silos that diverge under pressure.

• Engage: Works council relationships built on transparency and early communication are the single most effective risk mitigation tool available to German employers. Start the conversation before the law requires it.

  
  

References

• Regulation (EU) 2024/1689 — EU Artificial Intelligence Act, Articles 5, 6, 14, 26, 27

• General Data Protection Regulation (EU) 2016/679 (GDPR)

• German Works Constitution Act (Betriebsverfassungsgesetz — BetrVG), §§87, 90

• German Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG), §26

• Draft Employee Data Act (Beschäftigtendatengesetz — BeschDG-E), October 2024

• Bundesarbeitsgericht — Leading judgments on BetrVG §87(1) No. 6 and technical monitoring

• Datenschutzkonferenz (DSK) — Guidance on BDSG §26 and employee data processing

• ver.di — Guidance on AI and Digitisation in the Workplace

• IG Metall — Framework Agreement on AI in the Workplace

• European Commission Digital Omnibus Package, November 2025

• EU AI Office Whistleblower Tool, November 2025

• European Parliament Initiative on AI in the Workplace, November 2025

• EU AI Office — Draft Guidelines on Transparency Obligations under Article 50 of the AI Act (May 2026); public consultation open until 3 June 2026

• European Parliament & Council — Provisional Political Agreement on Digital Omnibus on AI, 7 May 2026 (amendments to AI Act application timeline for Annex I high-risk systems)

Read the full series:

→ Part 1: EU AI Act Risk Classification & Prohibited Practices for HR AI

→ Part 2: GDPR, DPIA/FRIA & Lawful Bases for AI Monitoring

→ Part 3: The German Dimension — BetrVG, BDSG & Your 2026 Compliance Roadmap (this article)

March 2026 | Updated May 2026

Songbin Choi

Consultant

PEOPLEGRIP GmbH

Deep Dive Series: AI × Employee Monitoring & Performance Management in the EU