GDPR & works councils
Session records are work product and personal data at once. This annex gives you the structure for that conversation — and the design decisions that make it a short one.
Five design decisions carry the conversation
These are properties of a faithful CARE implementation. Confirm each with your vendor — or your own build — before relying on it in a filing.
- 1Purpose limitation, structural. Experience signals never feed performance, compensation, or employment decisions — the single most important line for both GDPR purpose-limitation analysis and works-council concerns about performance monitoring.
- 2Data minimization by aggregation. Nobody above the author sees raw sessions; upward views are aggregates with a minimum group size of five.
- 3Transparency, in-product. The charter is displayed where measurement happens, and the access log gives every person a standing, self-serve answer to “who has seen my data?”
- 4A hard collection boundary. The repository connection defines scope. Personal projects, accounts, and devices are out of scope by construction, not by promise.
- 5Revocable, scoped sharing. Team-level visibility requires the author's explicit, revocable, logged approval — scoped to a named team, never “the organization.” Declining costs nothing.
Template and discussion aid, not legal advice. Lawful-basis analysis is jurisdiction-specific — most organizations will look at legitimate interests for custody and aggregation, and consent for sharing. Document the analysis in a DPIA, with counsel and your DPO.
What the DPIA needs to cover
- ☐Processing description: what a session record contains, where it lives, the retention schedule.
- ☐Scope boundary: how the repository connection is enforced; what never enters collection.
- ☐Purpose statement and the purpose boundary — and how the boundary is enforced technically.
- ☐Visibility matrix: author · named team (consent) · aggregates k≥5 · no one.
- ☐The access log: who can read it, what it records.
- ☐Data-subject rights mapping — access, rectification, erasure, portability, objection.
- ☐Aggregate-only mode assessment, if a works council requests it.
- ☐Vendor and sub-processor list, with transfer analysis if hosted.
Where a works council requires it, a faithful implementation can run in aggregate-only mode: individual-level records are processed transiently for aggregation and coaching, and no raw-session browsing surface exists for anyone but the author. Offering it unprompted is the strongest trust signal available.