Article 88 GDPR: 3 Hidden Layers

Meta plans to capture employee keystrokes and mouse movements as training data for its internal AI tools. The Irish Times and Yahoo Finance both report the rollout. Strip out the US labour-law colour and the scenario translates into European terms: an employer monitors staff at the keyboard, partly for AI training. For a CIPP/E candidate, this is a textbook Domain V.A employee monitoring scenario stacked on top of Domain III.A and III.C. Article 88 GDPR is the layer most candidates underweight, and the layer the exam quietly tests. Three risks are worth mapping before the next scenario question lands.

The Lawful Basis Question Under Article 6

Domain III.B.1 of the IAPP's Body of Knowledge (BoK) covers Article 6 of the GDPR. The BoK defines every topic the CIPP/E exam covers. Employee monitoring scenarios push against two of those bases more than any other.

Why Consent Fails in Employment

Consent looks like the obvious answer. The employer announces the monitoring, asks staff to accept it, and processes the data. Article 4(11) GDPR insists on four qualifiers for consent: freely given, specific, informed and unambiguous. The first qualifier is what fails in employment. The EDPB has consistently treated employment as a context where the imbalance of power makes free consent improbable. Article 29 Working Party Opinion 2/2017 on data processing at work is explicit on the point. Refusing consent must carry no detriment, and in employment that condition rarely holds. Consent in this scenario loses marks regardless of the form's wording.

The Three Cumulative Conditions of Legitimate Interest

Legitimate interest under Article 6(1)(f) is the realistic candidate for employee monitoring. The exam expects you to know its three cumulative conditions. First, the interest itself must qualify as legitimate. Productivity insight and AI training data each pass that test, but the controller must define the interest narrowly and document it. Second, the processing must satisfy necessity; if a less intrusive method achieves the same goal, necessity fails. Third, the balancing test must come out in the controller's favour after weighing data subjects' rights and reasonable expectations. Each leg can fail independently, and a scenario passing interest and necessity may still fail balancing.

Where Article 88 GDPR Changes the Picture

Article 88 GDPR allows member states to provide more specific rules for processing in the employment context. The text is permissive rather than mandatory. The practical effect is that the GDPR floor is just a floor; national legislation often layers consultation, transparency, retention or limitation requirements above it.

Take Germany. The Federal Data Protection Act (BDSG) implements Article 88 GDPR with detailed rules on workplace monitoring. The Works Constitution Act adds a separate consultation regime through works councils. A keystroke-monitoring deployment can survive the GDPR balancing test and still fail at the BDSG layer if the employer cannot demonstrate proportionality. It can fail again at the works-council layer if the employer skips consultation.

France routes much of the same territory through the Code du Travail and CNIL guidance. Italy's Workers' Statute imposes a separate procedural pathway for monitoring tools.

For a CIPP/E candidate, the takeaway is straightforward. Article 6 tells you whether processing is permissible at the GDPR level. Article 88 GDPR tells you whether national law adds independent requirements. Both layers must hold.

Works Councils and Consultation

Domain V.A.4 covers EU Works Councils. The question CIPP/E examiners most often pose is the difference between consultation and agreement. Consultation requires the employer to inform the works council in good time, share documentation and hear the council's view before deciding. The employer need not follow that view; the procedure is the obligation, not the outcome.

Agreement is the higher bar. Where national law requires works-council agreement before introducing a monitoring system, deploying without it is unlawful at the labour-law level. The GDPR analysis being otherwise sound does not save it. Germany's BDSG and Works Constitution Act sit at this end of the spectrum for many monitoring tools.

For an exam scenario, the trap is the assumption that consulting equals approval. Candidates who treat consultation as a formality miss the procedural obligation; candidates who treat agreement scenarios as consultation pick the wrong remedy.

Exam Framing for Article 88 GDPR

Three question stems are worth practising. First: an EU subsidiary of a US parent rolls out a keystroke-capture tool company-wide, citing global policy alignment as the basis. Which Article 6 base would survive scrutiny, and what role does Article 88 GDPR play across Germany and France? Second: an employer obtains signed consent forms before deploying the monitoring tool. A subject access request later challenges that consent. Which arguments under Article 4(11) and Article 7(4) would likely prevail? Third: an employer informs a works council of the rollout but does not consult it formally. Which national-law layer engages, and how would a supervisory authority assess the resulting processing? Each stem rewards candidates who separate the GDPR layer from the Article 88 GDPR layer cleanly.

Practising the Article 88 GDPR Balancing

How would you frame the Article 6(1)(f) balancing for the Meta scenario? The interest is plain enough; AI training and productivity insight. Necessity is harder; could anonymisation, sampling or aggregation deliver the same value? Balancing is harder still; what reasonable expectation does an employee bring to a keyboard at work? Share your reasoning in the study group. The Article 88 GDPR layer that sits above it will start to feel less like an exam trap.