these workplace-specific rules remain national and less harmonised. In practice, especially before courts, the pro­tection of workers’ personal data is frequently absorbed or overshadowed by national labour frameworks. This duality has produced a structurally asymmetric regulatory field, in which enforcement patterns and substantive protections vary significantly across Member States. Notably, the GDPR tends to play a comparatively more prominent role than labour law where labour protections are weaker, such as for platform workers classified as independent contrac­tors. This approach is consistent and readily explained: in these cases, it is strategically advantageous to focus direct­ly on GDPR rights rather than on the preliminary question of employment status as data protection rights are in prin­ciple guaranteed to all workers, regardless of their classifi­cation(Hendrickx 2022). In addition, in this context, union involvement seems to be higher, reflecting the use of GD­PR-driven claims as a tool for mobilisation and proselytism in contexts where union density and collective bargaining are weak(Gaudio 2024). A third and more conceptual difficulty concerns the individ­ualistic architecture of the GDPR itself(Hendrickx 2019; Todolí-Signes 2019; Nogarede 2021; De Stefano& Wouters 2022; Abraha 2023; Adams& Wenckebach 2023; EC 2023; Otto 2026). Unlike labour law, which recognises collective representation and confers rights upon workers’ representa­tives, the GDPR is built around individual entitlements and complaint mechanisms. This asymmetry is especially evi­dent in the workplace, where data processing concerns groups of workers collectively, and where the conscious and effective exercise of data protection rights presupposes technical knowledge and procedural resources that individ­ual workers rarely possess. Article 80 GDPR offers a poten ­tial channel for collective enforcement through representa­tive entities. However, the national reports consistently in­dicate that this provision has had little to no tangible impact in practice. In sum, the GDPR’s universalist framework encounters the fragmented realities of national implementation. The lack of harmonised DPA procedures, the coexistence of diver­gent workplace-specific rules, and the residual role of col­lective enforcement mechanisms have produced a patch­work of protections where workers’ data rights are uneven­ly recognised and, above all, weakly enforced. This gap between the GDPR’s universal ambition and the fragment­ed reality of data governance in the European workplace exposes a structural fault line at the heart of EU data pro­tection enforcement. The GDPR and more specific rules on data pro­cessing at work: where fragmentation starts The limited enforcement of the GDPR in employment mat­ters cannot be understood in isolation from the coexistence of data protection and labour law frameworks. In most Member States, national laws or collective bargaining agreements already provide more specific and generally more protective rules governing workers’ privacy and the use of their data – some of which predate the GDPR itself (Hendrickx, Mangan& Gramano 2023). These protections exist both at the individual and collective levels, reflecting the dual nature of labour rights, and remain crucial in de­fining the limits of managerial prerogatives, even after the GDPR entered into force. At the individual level, several jurisdictions, such as Italy, have long incorporated safeguards that restrict employers’ monitoring powers and protect workers’ personal informa­tion and privacy. At the collective level, the complementari­ty between data protection and labour law becomes even clearer. While the GDPR recognises rights only for individu­al data subjects, labour law traditionally grants not only in­dividual workers, but also their representatives, autono­mous rights that have direct or indirect implications for data protection. These typically take the form, in most Member States, of information and consultation rights, and in some cases extend to co-determination powers over the introduction of new technologies, as in Austria, Germany, Italy and Luxembourg. Through this latter mechanism, workers’ representatives may not only restrict or veto cer­tain forms of data processing that could undermine work­ers’ dignity or autonomy, but also use such powers as a bargaining chip to bring employers to negotiate more tai­lored rules via collective bargaining – a mechanism identi ­fied early on as the most suitable regulatory tool for ad­dressing not only general data protection challenges, but also those arising from the introduction of algorithmic management systems(De Stefano 2019, De Stefano& Taes 2022 and ETUC 2025b). That said, co-determination rights over technology can be significantly weakened in practice wherever union or works council representation is limited. Even in Germany— where workers’ representatives enjoy strong statutory co-determi­nation rights— only around 45% of workers are actually represented by a works council(DE Statistics Office). In practice this means that such protections may not be effec­tively operative for a large share of the workforce. Moreo­ver, for those workers and firms where works councils and unions are present, anecdotal evidence suggests that the respect of labour rights around technology are not guaran­teed. As reported in the French report, Orange, a telecom operator, has been working on an automated quality man­agement tool that records and analyses conversations in real time, without consultation of the works council. This corresponds with findings from earlier studies suggesting that works councils may not be able or willing to use their information, consultation and co-determination rights to prevent the deployment of intrusive surveillance and per­formance management systems(Christl 2021; Staab and Geschke 2020). More recently, certain countries have even updated their la­bour law frameworks to introduce provisions specifically addressing algorithmic management(EC 2023; Müllen ­Empirical findings 9