GB Psych Self-Survey: Why Two Authorities May Inspect in Parallel from 2026
The 5% inspection quota from 2026 brings labour authorities back to the gates. Companies that survey their psychological risk assessment internally via Excel or Forms also risk a parallel GDPR fine under Article 9 — up to 20 million euros or 4 % of group revenue.

From 2026, the German Occupational Safety Inspection Act increases the probability of a labour-authority inspection tenfold — 5 % of all companies per year. What the public debate misses: where a psychological risk assessment is carried out internally, a second authority sits at the same table. The state data protection authority. And its fine framework is in a different league.
The fine architecture many overlook
Section 25 ArbSchG is well known: up to 30,000 euros for an inadequate or missing risk assessment. That is the labour authority's fine. Running in parallel:
- Art. 83 (5) GDPR: up to 20 million euros or 4 % of worldwide group revenue — for breaches of Art. 5, 6 or 9 GDPR. Issued by the state data protection authority.
- Section 43 BDSG: up to 50,000 euros for breaches of employee data protection.
The three strands are independent. One authority does not impose another's fine. Each imposes its own.
Why the data protection authority gets involved
A psychological risk assessment captures answers about stress, conflicts, exhaustion, sleep — answers that allow conclusions about health. That triggers Art. 9 GDPR: special categories of personal data, the highest protection standard. Processing is generally prohibited and only permissible under the narrow exceptions in Art. 9 (2).
In a self-survey — Excel, Google Forms, Microsoft Forms, SharePoint, in-house tool — the employer typically sees the raw answers. That is the problem. Anonymity under the GDPR is not a promise but a technical property of the architecture. Whoever has technical access to the raw answers processes health data — even if an internal rule forbids them from looking.
Three obligations practically never met in self-surveys
The Data Protection Impact Assessment under Art. 35 GDPR is effectively always required when employee data, health data and systematic processing combine. Three hits on the WP248 list are enough for high risk. In self-survey settings the DPIA is practically never carried out; its absence is independently fineable under Art. 83 (4) GDPR — even without a concrete data incident.
The works council agreement under Section 87 (1) Nos. 6 / 7 BetrVG is the second obligation. The Federal Labour Court confirmed it for risk assessments in case 1 ABR 13/03 and explicitly for psychological stress in 1 ABR 104/09. Without that agreement, the legal basis under Art. 88 GDPR is also missing.
The minimum group size n ≥ 5 is the third. It is not just a methodological recommendation in the GDA guideline; it determines whether a dataset is still personal data (Recital 26 GDPR). In a self-survey, it sits in the analysis manual, not in the system architecture.
Architecturally compliant surveying

Processing on behalf of a controller under Art. 28 GDPR structurally separates collector and analyst. The processor collects, anonymises with a technically enforced threshold and hands over only aggregates. The employer remains controller but has no raw-data access. Exactly that separation cannot be created in a self-survey.
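As an added illustration of the technically enforced threshold described here and in the n ≥ 5 paragraph above (example code written for this page, not from the article or any vendor's product): the minimum group size lives in the aggregation routine the processor runs, so no figure describing fewer than five people can leave it. Unit names and scores are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

MIN_GROUP_SIZE = 5  # the n >= 5 threshold from the GDA guideline cited above

# Constructed sample answers for one survey item (score 1-5): (unit, score)
SAMPLE_ANSWERS = [
    ("warehouse", 4), ("warehouse", 3), ("warehouse", 5),
    ("warehouse", 4), ("warehouse", 2), ("warehouse", 3),
    ("it", 5), ("it", 4), ("it", 5), ("it", 3),        # 4 answers: below threshold
    ("reception", 2), ("reception", 3),                  # 2 answers: below threshold
]


def aggregate(answers, min_group_size=MIN_GROUP_SIZE, pool_label="other"):
    """Aggregate scores per unit and release only groups of at least
    min_group_size people.

    Units below the threshold are not reported on their own; their answers
    are pooled under pool_label, and the pool is released only if it also
    reaches the threshold. Anything else is dropped, so the returned
    dictionary never contains a line about fewer than min_group_size people.
    """
    buckets = defaultdict(list)
    for unit, score in answers:
        buckets[unit].append(score)

    released, pooled = {}, []
    for unit, scores in buckets.items():
        if len(scores) >= min_group_size:
            released[unit] = {"n": len(scores), "mean": round(mean(scores), 2)}
        else:
            pooled.extend(scores)

    if len(pooled) >= min_group_size:
        released[pool_label] = {"n": len(pooled), "mean": round(mean(pooled), 2)}
    return released


def release_is_safe(released, min_group_size=MIN_GROUP_SIZE):
    """Final gate before hand-over: every released figure covers >= n people."""
    return all(entry["n"] >= min_group_size for entry in released.values())


if __name__ == "__main__":
    report = aggregate(SAMPLE_ANSWERS)
    assert release_is_safe(report)
    for unit, entry in report.items():
        print(f"{unit}: n={entry['n']} mean={entry['mean']}")
```

The employer receives only the returned dictionary; the raw `SAMPLE_ANSWERS` rows stay with the processor, which is the separation the paragraph describes.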
Going deeper with all sources: Data protection and the psychological risk assessment when surveyed in-house. And the inspection facts hub: Authority Inspections of Psychological Risk Assessments 2026.


