GDPR, collective bargaining and data transfer abroad

The article examines the judgment of the Court of Justice of the European Union of 19 December 2024, C-65/23, concerning the protection of workers’ personal data, with particular reference to Article 88 GDPR and the role of collective bargaining in regulating data processing in the employment context. After reconstructing the procedural background, the analysis focuses on the limits to the ability of national laws and collective agreements to introduce derogatory or merely duplicative provisions in relation to the Regulation, reiterating the need to comply with the principles set out in Articles 5, 6 and 9 GDPR. The paper explores the broad scope of judicial review over compliance with these principles, with the consequence of non-application in case of incompatibility. It then addresses the issue of data transfers to third countries, paying particular attention to the Schrems saga, alternative safeguard mechanisms, and the recent EU-US Data Privacy Framework, highlighting the continuing uncertainties and the potential impact of the “European Data Strategy”.

Keywords: Protection of persons about the processing of personal data; Regulation (EU) 2016/679; Article 88(1) and (2).

Barbara de Mozzi, GDPR, contrattazione collettiva e trasferimento di dati all’estero in "GIORNALE DI DIRITTO DEL LAVORO E DI RELAZIONI INDUSTRIALI " 187/2025, pp 538-559, DOI: 10.3280/GDL2025-187009