Legally compliant phishing simulation: Works Constitution Act, GDPR, works council
In Germany, phishing simulations rarely fail because of the technology — but because of the works council. What should be included in the works agreement, which works council objections are predictable, and how to carry out the first campaign.

Phishing simulation compliant with the law: BetrVG, GDPR, and the works council
Phishing simulations have gone in recent years from a niche method to a standard component of security awareness programs. NIS2 Art. 21(2)(g), § 75b SGB V (the KBV IT security guideline for practices) and practically every cyber insurer require documented awareness work, and phishing simulation is one of the few methods that measures whether that work has an effect, rather than merely recording who attended a training.
In Germany, implementation regularly fails because of the works council. Not because the works council is against security, but because phishing simulation has to be set up cleanly so that it is not, and is not perceived as, employee monitoring. This article shows what the legal situation is, which works agreement is recommended, and how to answer the most common objections objectively.
The legal situation: BetrVG § 87(1) No. 6
Phishing simulation reliably triggers co-determination in Germany. The legal basis is § 87(1) No. 6 BetrVG: "Introduction and use of technical devices intended to monitor the behavior or performance of employees".
The simulation platform fulfills this criterion because it logs per user who clicked, who entered credentials, who opened attachments, and who reported the email. That is individualized behavior monitoring within the meaning of the BetrVG. The Federal Labor Court has repeatedly clarified that actual evaluation is not required to trigger co-determination: it is sufficient that the system is objectively suited to monitoring.
Without the works council's consent, normally recorded in a works agreement (or, in the public sector, a service agreement), phishing simulation may not be introduced. The works council can block implementation and obtain an injunction against it, and data that has already been collected has been obtained unlawfully and cannot be used.
This is not a formality. Shrugging and running the campaign anyway can become expensive for the employer in a dispute.
The GDPR dimension: What is processed and by whom
Every phishing simulation processes personal data: email addresses, click timestamps, IP addresses and, depending on the scenario, the fact that credentials were entered. Check what your platform does with the latter: it should record only that something was typed into the fake login form, not the password itself, and should not forward the input anywhere. The GDPR roles must be clarified.
Typically, you as the employer are the controller within the meaning of the GDPR; the platform provider is a processor. A data processing agreement under Art. 28 GDPR is mandatory. The DPA must regulate:
Which data are processed
Where they are stored (an EU location matters)
How long they are retained
Who may access them
What security measures apply
How deletion and return are handled
For US providers or providers with US infrastructure, standard contractual clauses and a documented transfer impact assessment are also required unless the provider is certified under the EU-US Data Privacy Framework. In 2026 this is no longer a theoretical issue; data protection authorities are actively reviewing it.
The legal basis for processing is generally Art. 6(1)(f) GDPR (legitimate interest in protecting IT security); in Germany, § 26(1) BDSG is usually cited alongside it for employee data. Employee consent is not a clean basis in an employment relationship, because the voluntariness the GDPR requires is generally lacking.
The works agreement: What absolutely belongs in it
A viable works agreement typically has eight to twelve sections. The following points are non-negotiable in our view:
Purpose limitation. Explicitly: Phishing simulation serves exclusively to improve security awareness and to fulfill legal obligations (NIS2, § 75b/c SGB V, GDPR). It does not serve to monitor the performance or behavior of individual employees.
Ban on use for personnel measures. Clear stipulation: Results from the simulation may not serve as a basis for employment law measures — not for warnings, not for dismissals, not for promotion decisions. Without this prohibition, the works council would have its central objection.
Anonymization at the evaluation level. For management reports, data are aggregated (click rate per department, trend over time). Individual results are visible only to the employee concerned and to the security team within a narrow scope.
Retention periods. Raw data (who clicked when) are deleted after X months. Typical practice: 12-24 months for trend analysis, afterwards only aggregated statistics.
Access rights. Who in the company may see which evaluations? Typical: security team at the individual level with clear limitation, managers only on team aggregates from 5+ employees, HR not at all.
Transparency toward employees. Once a year, all employees receive information that phishing simulations take place, without advance notice of individual campaigns. Employees therefore know that simulations exist, but not when.
Evaluation clause. The works agreement is evaluated every 24 months jointly between the employer and the works council. Additions or changes are decided by consensus.
Employee rights. Every employee has the right to view their own simulation results, and the right to additional training without disadvantage.
Five common works council objections and factual responses
"That is employee monitoring."
Factual response: The simulation detects whether phishing emails are recognized — not whether employees are working productively. The works agreement with an explicit prohibition on use for personnel measures neutralizes the accusation structurally. The goal is clear: the workforce should learn to recognize attacks.
"That only frightens employees."
Factual response: Realistic campaigns without a blame culture, paired with an immediate learning resource (a landing page with an explanation instead of an angry email), have a de-escalating effect. Teams that have run simulations for 12-18 months typically report less anxiety about real phishing emails, because the patterns have become familiar.
"We don't have phishing problems."
Factual response: Undetected credential phishing is the most common initial vector for ransomware. The fact that no incidents are known does not mean there are none. And insurers will increasingly check documented awareness work from 2025-2026 as a condition for coverage.
"External providers get our data."
Factual response: Processing on behalf under Art. 28 GDPR, EU data centers, pseudonymized transmission wherever possible. The data protection impact assessment is part of the project.
"That's too expensive."
Factual response: Common market prices for German mid-sized providers are €2-5 per employee per month. For a hospital with 1,000 employees, that is €24,000-60,000 per year. A single data breach costs, according to IBM's 2024 Cost of a Data Breach report, an average of $4.88 million across all industries, and $9.77 million in healthcare.
Getting through the first campaign
Once the works agreement is signed, we recommend the following approach for the first campaign:
Week 1-2: Baseline campaign. Moderately difficult email (e.g., a fake Microsoft Teams invitation), broad target group. Purpose: measure current state, determine realistic click rate. Typical in German clinics without prior training: 20-35% click rate, 5-10% credential entry.
Week 3-4: First learning phase. Everyone who clicked receives an automated short learning resource (90-second video, 2-question quiz). No one is publicly shamed, no one is disciplined.
Month 2-3: Differentiated campaigns. Different scenarios per functional group (medical vs. commercial vs. IT), increasing difficulty.
Month 4: First evaluation with the works council. Present trends, derive measures (e.g., targeted training for departments with high click rates), joint commitment to further expansion.
After 12 months, the click rate should typically be below 10%, and the report rate (the share of recipients who actively report the phish) above 30%. That is an awareness culture that holds up in an audit and with the insurer.
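The works agreement rules above (aggregates only for groups of at least five, raw data purged after the retention period, individual results visible only to the employee concerned) and the campaign metrics in this section are easy to state and easy to get wrong in a reporting script. The following is an added example, not code from any simulation platform or from the original article: a small reporting layer over constructed simulation events that enforces those rules. The department names, user IDs, campaign dates and the 24-month retention value are all assumptions for the sample data.

```python
"""Reporting layer over phishing-simulation events that enforces the data
rules a works agreement typically fixes: managers get department aggregates
only, and only for groups of at least five people; raw per-user rows are
purged after the retention period; an employee sees their own rows only.
Added example on constructed data; not code from any simulation platform."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    user: str          # pseudonymous ID; no names at the reporting layer
    department: str
    sent: date         # send date of the simulated mail
    clicked: bool
    credentials: bool  # entered something into the fake login form
    reported: bool     # used the report button


MIN_GROUP = 5                 # smallest group a manager may see aggregated
RETENTION_DAYS = 2 * 365      # raw rows kept at most 24 months (assumed)
BASELINE = date(2024, 1, 15)  # constructed campaign dates
FOLLOWUP = date(2025, 10, 1)
TODAY = date(2026, 3, 1)


def _build(rows):
    # Flags: C = clicked, K = entered credentials, R = reported the mail
    return [Event(u, d, s, "C" in f, "K" in f, "R" in f) for u, d, s, f in rows]


# Constructed sample: 14 users in three departments, two campaigns.
SAMPLE_EVENTS = _build([
    ("u01", "Nursing", BASELINE, "CK"), ("u02", "Nursing", BASELINE, "C"),
    ("u03", "Nursing", BASELINE, "R"), ("u04", "Nursing", BASELINE, ""),
    ("u05", "Nursing", BASELINE, "C"), ("u06", "Nursing", BASELINE, ""),
    ("u07", "Radiology", BASELINE, "CK"), ("u08", "Radiology", BASELINE, ""),
    ("u09", "Radiology", BASELINE, "R"),
    ("u10", "IT", BASELINE, "R"), ("u11", "IT", BASELINE, "C"),
    ("u12", "IT", BASELINE, "R"), ("u13", "IT", BASELINE, ""),
    ("u14", "IT", BASELINE, "R"),
    ("u01", "Nursing", FOLLOWUP, "C"), ("u02", "Nursing", FOLLOWUP, "R"),
    ("u03", "Nursing", FOLLOWUP, "R"), ("u04", "Nursing", FOLLOWUP, "R"),
    ("u05", "Nursing", FOLLOWUP, ""), ("u06", "Nursing", FOLLOWUP, "R"),
    ("u07", "Radiology", FOLLOWUP, "R"), ("u08", "Radiology", FOLLOWUP, ""),
    ("u09", "Radiology", FOLLOWUP, "R"),
    ("u10", "IT", FOLLOWUP, "R"), ("u11", "IT", FOLLOWUP, "R"),
    ("u12", "IT", FOLLOWUP, "R"), ("u13", "IT", FOLLOWUP, ""),
    ("u14", "IT", FOLLOWUP, "R"),
])


def campaign_rows(events, sent):
    """All rows of one campaign, identified by its send date."""
    return [e for e in events if e.sent == sent]


def purge_raw(events, today):
    """Drop raw rows older than the retention period. Aggregates computed
    before the purge survive in the report store; the per-user rows do not."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [e for e in events if e.sent >= cutoff]


def department_report(events, min_group=MIN_GROUP):
    """Manager view: rates per department. A department with fewer than
    min_group distinct recipients is returned as None (suppressed), so a
    single person's click cannot be read off the number."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e.department].append(e)
    report = {}
    for dept, rows in by_dept.items():
        users = {r.user for r in rows}
        if len(users) < min_group:
            report[dept] = None
            continue
        n = len(rows)
        report[dept] = {
            "recipients": len(users),
            "click_rate": sum(r.clicked for r in rows) / n,
            "credential_rate": sum(r.credentials for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return report


def overall_rates(events):
    """Organisation-wide click and report rate for a set of rows."""
    n = len(events)
    return {
        "click_rate": sum(e.clicked for e in events) / n,
        "report_rate": sum(e.reported for e in events) / n,
    }


def meets_12_month_targets(rates, max_click=0.10, min_report=0.30):
    """The article's 12-month targets: click rate below 10 %, report rate above 30 %."""
    return rates["click_rate"] < max_click and rates["report_rate"] > min_report


def own_results(events, user):
    """Employee view: their own rows and nothing else."""
    return [e for e in events if e.user == user]


if __name__ == "__main__":
    for sent in (BASELINE, FOLLOWUP):
        rows = campaign_rows(SAMPLE_EVENTS, sent)
        print(sent, overall_rates(rows), meets_12_month_targets(overall_rates(rows)))
        print(department_report(rows))
    print("rows left after purge:", len(purge_raw(SAMPLE_EVENTS, TODAY)))
```

The Radiology department has only three recipients in the sample, so its line in the manager report is suppressed rather than shown; with groups that small, a click rate of 33% would name the person. Suppression alone is not enough if a manager can compare two reports whose only difference is one person, so in practice the threshold is applied to every report variant, and the raw rows are purged on schedule rather than left for later.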
Conclusion
Phishing simulation rarely fails in Germany because of technology. It fails because projects are started without a clean legal basis and then stopped by the works council, or because negotiations with the works council stall because the security side cannot answer its questions precisely.
A viable works agreement is not an obstacle but an accelerator: it creates trust, clarifies expectations, and enables the long runtime that makes awareness work effective.
At Entropy CS, we have several works agreement templates for clinics and care facilities that work as a starting point for negotiations. In the free risk assessment, a brief look at your works council landscape is part of the conversation — so you know before project start what effort to expect.
Are you planning a phishing simulation? Our free risk assessment takes 30 minutes and provides an assessment of regulations, works council preliminary work, and the suitable campaign format.