GDPR Article 88 and employee data: what does it mean for AI at work?

Short answer: Article 88 GDPR allows Member States to set, by law or collective agreement, specific rules for processing employee data. The Netherlands has not filled that space with a dedicated law, so for AI at work the general GDPR applies, supplemented by the Dutch GDPR Implementation Act (UAVG). Key consequence: in a relationship of subordination consent is rarely a valid basis, and any AI application must pass the tests of purpose limitation and proportionality.

What Article 88 does

Article 88 is an "opening clause": it empowers Member States to lay down, by law or by collective agreements, "more specific rules" for processing in the context of employment. Think of recruitment, performance of the contract, monitoring and termination. Those rules must include suitable safeguards for human dignity, legitimate interests and fundamental rights.

Member-State-specific rules — and the Dutch situation

Practice varies widely by country: some Member States have detailed employment-privacy laws, others do not. The Netherlands has not adopted a specific Article 88 law. As a result, employer processing falls back on the general GDPR plus the Dutch GDPR Implementation Act (UAVG). There is therefore no separate "lighter" or "heavier" regime for the workplace; the ordinary GDPR principles apply in full.

The weak basis of consent

Many employers want to base processing on employee consent. That is risky. In a relationship of subordination consent is rarely "free": the employee can hardly refuse without fearing adverse consequences. Regulators therefore assume that consent at work is usually not a valid basis. An AI application rests more safely on performance of the contract, a legal obligation or a carefully balanced legitimate interest.

Purpose limitation and proportionality

Two principles constrain AI at work especially strictly:

• Purpose limitation: data collected for one purpose (for example payroll) may not simply feed an AI model for another purpose (for example performance prediction).
• Proportionality and subsidiarity: the intrusion must be proportionate to the aim, and no less intrusive means may be available. This is highly relevant to AI employee monitoring.

The role of collective agreements and works councils

Article 88 expressly names collective agreements as an instrument. In the Netherlands co-determination matters most: the works council has a right of consent for arrangements on personnel-monitoring systems and the processing of personal data. Introducing an AI system in the workplace without the works council is therefore often not only unwise but legally vulnerable — see co-determination and the works council's role in AI.

What to do

• Choose a sustainable basis — not consent, but contract, legal obligation or legitimate interest with a balancing test.
• Guard purpose limitation for every new AI use of existing personnel data.
• Test proportionality and subsidiarity before rollout and record the assessment.
• Involve the works council in good time and check the right of consent.

Without its own Article 88 law, the Netherlands offers no separate shelter for AI at work: the ordinary GDPR principles are the yardstick, and they are strict.