Privacy-Friendly Phishing Training: Works Councils, Consent, and GDPR Essentials
How to design a program that’s effective *and* employee-friendly: anonymization options, data retention, and clear notices

⚖️ This article is general information - for specific decisions about your organisation, consult a qualified lawyer in your jurisdiction.
TL;DR
You can run impactful phishing simulations in the EU without alienating staff or risking non-compliance by:
- using legitimate interests (not consent) as your primary legal basis and documenting a balancing test;
- engaging works councils early and codifying guardrails in a works agreement where required;
- prioritising anonymization/pseudonymization, short retention, and transparent notices; and
- running a DPIA if your context points to high risk (e.g., systematic monitoring).
1) Lawful basis: why legitimate interests usually beat consent
In the employment context, consent is rarely freely given because of the employer–employee power imbalance. The European Data Protection Board’s Guidelines 05/2020 on Consent underline that employee consent is valid only in exceptional circumstances without adverse consequences for refusal. For phishing simulations, a better fit is Article 6(1)(f) legitimate interests, documented with a Legitimate Interests Assessment (LIA) that weighs your security needs against employees’ rights and expectations.
Good practice for the LIA
- Define the interest (security awareness; fraud prevention).
- Map reasonable employee expectations (training is normal; covert profiling is not).
- List mitigations (see Sections 3–5).
- Record why consent would be inappropriate in your context.
References: EDPB Guidelines 05/2020 on Consent; GDPR Recital 47 (reasonable expectations).
2) Works councils: Germany & Austria in focus
If you operate in countries with strong co-determination, involve the works council before rollout.
- Germany (BetrVG §87(1) No. 6): the works council co-determines the “introduction and use of technical devices designed to monitor employee behaviour or performance.” Even simple dashboards can trigger this, so a Betriebsvereinbarung (works agreement) that sets scope, data handling, and safeguards is common practice.
- Austria (ArbVG §96(1) No. 3): monitoring measures and technical systems that may affect human dignity require works council consent (or individual consent if no works council).
What to include in the agreement/works policy
Purpose & scope, lawful basis, minimal data collected, no disciplinary use of metrics alone, who sees what, retention & anonymization schedule, vendor list (processors/sub-processors), employee rights, and an annual review clause.
Sources: Germany—BetrVG §87(1) no. 6 (official English text); analysis by Luther Law. Austria—Eurofound summary of ArbVG §96(1) no. 3; Schoenherr explainer.
3) Anonymization vs. Pseudonymization (and what it means for reports)
- Anonymization (GDPR Recital 26): once data is truly anonymous, GDPR no longer applies.
- Pseudonymization (GDPR Art. 4(5)): data is still personal if it can be re-linked via separate keys; treat it accordingly.
Privacy-centric reporting model
- Default to aggregates by team/location.
- Use stable random IDs for trend analysis instead of names; keep the key separate with strict access control.
- Show individual results only to a small, need-to-know group (e.g., security awareness lead + HR) and only when necessary for targeted coaching.
- Never collect real passwords; if a user attempts to submit credentials, show a training page and discard any entry.
For a practical example of how a platform implements these concepts, see AutoPhish’s anonymization overview: https://autophish.io/anonymization
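The reporting model above, as an added Python example (not code from the article or from AutoPhish): a stable pseudonymous ID is derived by HMAC over the work email under a key held apart from the event store; re-identification is gated on an assumed need-to-know role list; a credential-form submission is logged as an event while the submitted fields are discarded unread. The directory, the role names and the key are constructed for the example.

```python
"""Pseudonymous event model for phishing-simulation reporting.

Added example with a constructed directory and key; not the article's or any
vendor's code. The stable ID is an HMAC of the work email under a key that is
stored away from the event data, so the ID is pseudonymous (GDPR Art. 4(5)),
not anonymous: whoever holds the key can re-link it.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed directory (name, team) keyed by work email; in practice sourced
# from HR or the identity provider and seen only by the awareness platform.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "a.meier@example.org": {"name": "A. Meier", "team": "Finance"},
    "b.huber@example.org": {"name": "B. Huber", "team": "Finance"},
    "c.novak@example.org": {"name": "C. Novak", "team": "Engineering"},
}

# Assumed need-to-know roles allowed to re-link an ID to a person.
REIDENTIFY_ROLES = {"awareness_lead", "hr_coach"}

VALID_EVENTS = {"delivered", "opened", "clicked", "reported", "submitted"}


def pseudonymize(email: str, key: bytes) -> str:
    """Stable pseudonymous ID: HMAC-SHA256 over the normalised work email.

    Same email and same key give the same ID, so trends can be followed across
    campaigns; rotating the key breaks the linkage to earlier campaigns. The
    digest is truncated to 64 bits purely for readable IDs.
    """
    canon = email.strip().lower().encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()[:16]


class PseudonymKey:
    """Holds the HMAC key apart from the event store and gates re-identification
    on role. Only this object can turn an ID back into a person."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def id_for(self, email: str) -> str:
        return pseudonymize(email, self._key)

    def reidentify(self, pid: str, role: str) -> Optional[Dict[str, str]]:
        """Map an ID back to a directory entry; refused for roles not on the
        need-to-know list. Returns None if the ID matches nobody."""
        if role not in REIDENTIFY_ROLES:
            raise PermissionError(f"role {role!r} may not re-identify participants")
        for email, person in DIRECTORY.items():
            if hmac.compare_digest(self.id_for(email), pid):
                return {"email": email, **person}
        return None


class EventStore:
    """Keeps only pseudonymous ID, team and event kind: no names, no emails and
    nothing a user typed into the simulated login page."""

    def __init__(self) -> None:
        self.events: List[Dict[str, str]] = []

    def record(self, pid: str, team: str, kind: str) -> None:
        if kind not in VALID_EVENTS:
            raise ValueError(f"unknown event kind {kind!r}")
        self.events.append({"pid": pid, "team": team, "kind": kind})

    def record_credential_attempt(self, pid: str, team: str,
                                  form_fields: Dict[str, str]) -> str:
        """A user submitted the fake login form. Only the fact that a submission
        happened is logged; the form fields are dropped unread and the caller
        is told to show the training page instead of accepting anything."""
        del form_fields  # never stored, inspected or checked against real credentials
        self.record(pid, team, "submitted")
        return "training_page"
```

The point to notice is the split: the event store alone is useful for trend reports but cannot name anyone, and the key object is the single place where the "who sees what" rule from the works agreement is enforced. Because the key exists, the records are still personal data and the retention and access rules of Sections 4 and 5 apply to them.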
4) Retention: shorter is safer (and required by principle)
GDPR’s storage limitation principle requires keeping personal data in identifiable form no longer than necessary for the stated purpose. For phishing programs, many SMEs adopt a two-tier window:
- Operational window (e.g., 30–90 days): identifiable data available for coaching and remediation.
- Post-campaign analytics: thereafter aggregate/anonymize, keeping only non-identifiable trends for long-term KPI tracking.
Document this in your Article 30 records of processing and in your employee privacy notice.
5) Notices: be transparent and plain-language (Art. 13)
Before your first campaign, provide a short internal notice (or update your employee privacy policy) that explains: the purpose (security awareness), lawful basis (legitimate interests), what data you collect (e.g., email, department, click/report events), retention, who can access individual-level data (limited roles), no disciplinary use of single events, employee rights (access/objection), and a contact (DPO or privacy lead).
Copy-paste starter (adapt to your context)
We run periodic phishing simulations to build security awareness and reduce fraud risk. We process your name, work email, department, and simulation interactions (e.g., opened/reported/submitted). Our lawful basis is legitimate interests (GDPR Art. 6(1)(f)). Individual-level data is visible only to the security awareness team (and HR where necessary for targeted coaching). We keep identifiable data for [X days] and then aggregate/anonymize. We never store real passwords. You can exercise your data rights (access/objection, etc.) via [contact]. See [link to your full employee privacy notice].
6) Do you need a DPIA?
A Data Protection Impact Assessment (DPIA) is required when processing is likely to result in high risk to individuals (Art. 35). Regulators and the EDPB note that employee monitoring may trigger a DPIA—especially where processing is systematic or involves vulnerable data subjects. If your programme introduces new tooling, large-scale metrics, or cross-border transfers, err on the side of conducting a DPIA.
What to cover: purpose/necessity, alternatives (less intrusive options), data flows, risks, mitigations (anonymization, minimization, role-based access, short retention, no-blame coaching), and a plan for periodic review.
7) Vendors & international transfers
If you use a platform provider, you’re the controller and they’re a processor; sign a Data Processing Agreement that meets Article 28 requirements (security, sub-processor controls, assistance with data rights, deletion at end of service). If the provider or its sub-processors are outside the EEA, implement the Standard Contractual Clauses and perform a transfer risk assessment.
8) NIS2: if you’re in scope, training is no longer optional
For entities covered by the NIS2 Directive, management must oversee cybersecurity risk-management measures (Art. 20) and ensure appropriate training and incident processes (Art. 21). Even if you’re not in scope, the bar NIS2 sets is a useful benchmark for SMEs.
9) A practical, privacy-first architecture (that still works)
- Data in: name, email, team, and manager (optional). No personal emails; no special categories.
- During campaign: collect only event data (delivered, clicked, reported, submitted). If a user tries to enter credentials, show training and capture no secrets.
- Access control: the awareness team can see cohorts and pseudonymized IDs; re-linking an ID to a person is limited to a small need-to-know group.
- Retention: 30–90 days for identified data → auto-anonymize; keep aggregates for year-over-year trends.
- Outputs: exec report shows rates and trends, not names.
- Governance: LIA + (if needed) DPIA on file; Article 30 register updated; works agreement approved.
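The two-tier retention window from Section 4 and the retention and output bullets of the architecture above, as one added Python example (not code from the article or from any vendor). It assumes a 60-day operational window and a minimum cohort of 5 recipients before a team is reported on its own; the campaign data is constructed. It also goes a step beyond the text: a campaign is aggregated before its identifiable events are dropped, so that unique-recipient rates survive, and small teams are never broken out, because a figure like "1 of 2 clicked" would single someone out even without a name.

```python
"""Two-tier retention for phishing-simulation data.

Added example with constructed data; not the article's or any vendor's code.
Tier 1 keeps pseudonymous events while a campaign is inside the operational
window; tier 2 keeps only per-campaign aggregates once the window has passed.
Window length and minimum cohort size are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    campaign: str   # e.g. "2024-Q1"
    day: date       # when the event happened
    team: str
    pid: str        # stable pseudonymous ID (key held elsewhere)
    kind: str       # delivered | opened | clicked | reported | submitted


@dataclass(frozen=True)
class Aggregate:
    campaign: str
    cohort: str     # "all" for the whole organisation, or a team name
    delivered: int  # unique recipients
    clicked: int    # unique recipients who clicked
    reported: int   # unique recipients who reported


OPERATIONAL_WINDOW = timedelta(days=60)  # assumption: inside the 30-90 day range
MIN_COHORT = 5                            # assumption: smallest team shown on its own
DEMO_TODAY = date(2024, 6, 1)             # constructed "now" for the sample data


def _outcome_sets() -> Dict[str, set]:
    return {"delivered": set(), "clicked": set(), "reported": set()}


def aggregate_campaign(events: List[Event], min_cohort: int = MIN_COHORT) -> List[Aggregate]:
    """Collapse one campaign's events into counts of unique recipients.

    A recipient counts once per outcome even after two clicks. Teams below
    min_cohort are not broken out and only feed the "all" row.
    """
    if not events:
        return []
    by_team: Dict[str, Dict[str, set]] = defaultdict(_outcome_sets)
    total = _outcome_sets()
    campaign = events[0].campaign
    for e in events:
        if e.kind in total:
            by_team[e.team][e.kind].add(e.pid)
            total[e.kind].add(e.pid)
    rows = [Aggregate(campaign, "all", len(total["delivered"]),
                      len(total["clicked"]), len(total["reported"]))]
    for team in sorted(by_team):
        s = by_team[team]
        if len(s["delivered"]) >= min_cohort:
            rows.append(Aggregate(campaign, team, len(s["delivered"]),
                                  len(s["clicked"]), len(s["reported"])))
    return rows


def apply_retention(events: List[Event], today: date,
                    window: timedelta = OPERATIONAL_WINDOW) -> Tuple[List[Event], List[Aggregate]]:
    """Split events into what stays identifiable and what becomes aggregate only.

    A campaign is judged by its most recent event: inside the window its events
    are kept for coaching; outside it, the campaign is aggregated and its
    identifiable events are dropped.
    """
    last_day: Dict[str, date] = {}
    for e in events:
        last_day[e.campaign] = max(last_day.get(e.campaign, e.day), e.day)
    keep: List[Event] = []
    aggregates: List[Aggregate] = []
    for campaign, last in sorted(last_day.items()):
        campaign_events = [e for e in events if e.campaign == campaign]
        if today - last <= window:
            keep.extend(campaign_events)
        else:
            aggregates.extend(aggregate_campaign(campaign_events))
    return keep, aggregates


def click_rate_trend(aggregates: List[Aggregate]) -> Dict[str, float]:
    """Organisation-wide click rate per campaign from tier-2 rows only."""
    return {a.campaign: round(a.clicked / a.delivered, 3)
            for a in aggregates if a.cohort == "all" and a.delivered}


def sample_events() -> List[Event]:
    """Constructed sample: Finance (6 people) and Legal (2 people), two campaigns."""
    ev: List[Event] = []

    def campaign(name: str, day: date, finance_clicks: int, legal_clicks: int) -> None:
        for i in range(6):
            ev.append(Event(name, day, "Finance", f"fin-{i}", "delivered"))
            ev.append(Event(name, day, "Finance", f"fin-{i}",
                            "clicked" if i < finance_clicks else "reported"))
        for i in range(2):
            ev.append(Event(name, day, "Legal", f"leg-{i}", "delivered"))
            if i < legal_clicks:
                ev.append(Event(name, day, "Legal", f"leg-{i}", "clicked"))

    campaign("2024-Q1", date(2024, 2, 1), finance_clicks=3, legal_clicks=1)
    ev.append(Event("2024-Q1", date(2024, 2, 1), "Finance", "fin-0", "clicked"))  # second click
    campaign("2024-Q2", date(2024, 5, 1), finance_clicks=1, legal_clicks=0)
    return ev


def demo() -> Tuple[List[Event], List[Aggregate], Dict[str, float]]:
    """Run retention against the sample as of DEMO_TODAY."""
    keep, aggregates = apply_retention(sample_events(), DEMO_TODAY)
    return keep, aggregates, click_rate_trend(aggregates)
```

Run as a scheduled job, `apply_retention` is the "auto-anonymize" step: the returned `keep` list replaces the identifiable store and the `Aggregate` rows go to the long-term KPI table. The exec report is built from those rows only, which is what keeps names (and small-team inferences) out of it.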
Final thoughts
Privacy-friendly phishing training is not a contradiction. With the right lawful basis, genuine worker representation, and technical guardrails like anonymization and short retention, your programme can protect people and their data while measurably reducing risk. When in doubt, get legal advice tailored to your facts.
Legal references (Germany & Austria)
- Germany — Works Constitution Act (BetrVG) §87(1) no. 6 (official English text): Gesetze im Internet – Works Constitution Act (Betriebsverfassungsgesetz – BetrVG), English translation
- Analysis by Luther Law: “Perennial issue: software vs. co-determination (Section 87 (1) No. 6 BetrVG)” — Luther Law
- Austria — Eurofound summary of ArbVG §96(1) no. 3: Eurofound: Employee monitoring and surveillance — Austria
- Schoenherr explainer (ArbVG §96(1) no. 3): “Whistleblowing Hotline – Implementation Only with Employee Consent?” — Schoenherr
Further reading
- EDPB Guidelines 05/2020 on Consent: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
- GDPR Recital 26 (anonymous data): https://gdpr-info.eu/recitals/no-26/
- GDPR Article 4(5) (pseudonymization): https://gdpr-info.eu/art-4-gdpr/
- GDPR Article 5 (principles): https://gdpr-info.eu/art-5-gdpr/
- GDPR Article 13 (information to be provided): https://gdpr-info.eu/art-13-gdpr/
- GDPR Article 28 (processors): https://gdpr-info.eu/art-28-gdpr/
- GDPR Article 30 (records of processing activities): https://gdpr-info.eu/art-30-gdpr/
- GDPR Article 35 (Data Protection Impact Assessment): https://gdpr-info.eu/art-35-gdpr/
- NIS2 Directive (Articles 20–21): EUR-Lex — Directive (EU) 2022/2555 (NIS2)
- AutoPhish — Anonymization overview (product-side controls): https://autophish.io/anonymization