The kit · annex

GDPR & works councils

Session records are work product and personal data at once. This annex gives you the structure for that conversation — and the design decisions that make it a short one.

The heavy lifting

Five design decisions carry the conversation

These are properties of a faithful CARE implementation. Confirm each with your vendor — or your own build — before relying on it in a filing.

  1. Purpose limitation, structural. Experience signals never feed performance, compensation, or employment decisions — the single most important line for both GDPR purpose-limitation analysis and works-council concerns about performance monitoring.
  2. Data minimization by aggregation. Nobody above the author sees raw sessions; upward views are aggregates with a minimum group size of five.
  3. Transparency, in-product. The charter is displayed where measurement happens, and the access log gives every person a standing, self-serve answer to “who has seen my data?”
  4. A hard collection boundary. The repository connection defines scope. Personal projects, accounts, and devices are out of scope by construction, not by promise.
  5. Revocable, scoped sharing. Team-level visibility requires the author's explicit, revocable, logged approval — scoped to a named team, never “the organization.” Declining costs nothing.

Template and discussion aid, not legal advice. Lawful-basis analysis is jurisdiction-specific — most organizations will look at legitimate interests for custody and aggregation, and consent for sharing. Document the analysis in a DPIA, with counsel and your DPO.

The checklist

What the DPIA needs to cover

  • Processing description: what a session record contains, where it lives, the retention schedule.
  • Scope boundary: how the repository connection is enforced; what never enters collection.
  • Purpose statement and the purpose boundary — and how the boundary is enforced technically.
  • Visibility matrix: author · named team (consent) · aggregates k≥5 · no one.
  • The access log: who can read it, what it records.
  • Data-subject rights mapping — access, rectification, erasure, portability, objection.
  • Aggregate-only mode assessment, if a works council requests it.
  • Vendor and sub-processor list, with transfer analysis if hosted.

Where a works council requires it, a faithful implementation can run in aggregate-only mode: individual-level records are processed transiently for aggregation and coaching, and no raw-session browsing surface exists for anyone but the author. Offering it unprompted is the strongest trust signal available.
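One way the visibility matrix, the minimum group size of five, team-scoped consent, the access log, and aggregate-only mode could be enforced in code. This is an added example, not CARE's or any vendor's implementation; the `Session` fields, the `Visibility` class and its method names, the sample data, and the choice to count distinct authors rather than sessions are assumptions.

```python
from collections import namedtuple
from statistics import mean
K_MIN = 5  # minimum group size for upward views, as stated on the page
Session = namedtuple("Session", "author team score")  # constructed record shape

class Visibility:
    def __init__(self, sessions, team_members, aggregate_only=False):
        self.sessions = sessions
        self.team_members = team_members  # named team -> set of member ids
        self.aggregate_only = aggregate_only
        self.consents = set()   # (author, team) approvals currently in force
        self.access_log = []    # (viewer, author, kind) entries

    def set_consent(self, author, team, granted):
        # Approval is scoped to one named team, revocable, and itself logged.
        if granted:
            self.consents.add((author, team))
        else:
            self.consents.discard((author, team))
        self.access_log.append((author, author, f"consent:{team}:{granted}"))

    def raw_sessions(self, viewer, author):
        own = viewer == author
        shared = not self.aggregate_only and any(
            a == author and viewer in self.team_members.get(t, ())
            for a, t in self.consents)
        if not (own or shared):
            raise PermissionError("raw sessions: author or consented team only")
        if not own:
            self.access_log.append((viewer, author, "raw"))
        return [s for s in self.sessions if s.author == author]

    def team_aggregate(self, viewer, team):
        rows = [s for s in self.sessions if s.team == team]
        authors = {s.author for s in rows}
        # Count people, not sessions: five sessions by one author is a group of one.
        if len(authors) < K_MIN:
            return None
        self.access_log += [(viewer, a, "aggregate") for a in sorted(authors)]
        return {"n_authors": len(authors), "mean_score": mean(s.score for s in rows)}

    def who_saw(self, author):
        return [(v, k) for v, a, k in self.access_log if a == author and v != author]

def sample():  # constructed data: five authors in "payments", one in "infra"
    rows = [Session(f"a{i}", "payments", 4.0) for i in range(1, 6)]
    rows += [Session("b1", "infra", 2.0)] * 5
    members = {"payments": {"lead", "a1"}, "infra": {"lead2"}}
    return Visibility(rows, members)
```

A threshold on one view does not stop differencing between two overlapping aggregates (for example, a team of six and the same team minus one person), so the DPIA should state which groupings can be queried.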

The first meeting

Five sentences to open with

“The record is kept like source code — and read like a census, not like a camera.”
“No number about an individual is shown to anyone but that individual.”
“Nothing here touches performance, pay, or employment — by architecture, and in writing.”
“Every person can see who accessed data that includes them, at any time.”
“Sharing is opt-in, team-scoped, revocable, and logged — and declining costs nothing.”