Is the consent of the works council required for a phishing simulation?

The legal situation:

  • According to Art. 6 para. 1 lit. f GDPR (DSGVO), IT security is one of the legitimate interests of a company. Provided the employees' interests in the protection of their data do not prevail, disclosure is permitted in such cases. This can be assumed for the general personal data we require. Therefore, the employee does not have to agree, nor does the works council have to be asked for consent. However, the works council must be informed so that it can monitor compliance with data protection regulations.

For practical purposes:
  • To avoid bad blood with works councils, we recommend involving the works council as early as possible. So far, we have always been able to prove, and to convince works councils, that our approach is employee-friendly and compliant with data protection.