Works Council Robotics: Codetermination for Security Robots

Works Council Robotics: Why Rollouts Stand or Fall on the Committee

§87 Abs. 1 Nr. 6 BetrVG applies as soon as a technical system is capable of monitoring employee behaviour or performance. A patrol robot with camera, microphone and thermal sensor meets this criterion by definition. The Federal Labour Court has clarified in settled case law: capability to monitor is sufficient. Whether the company actually uses the data for employee control is legally irrelevant.

Skipping the works council carries three consequences. First, the rollout is unlawful and can be halted by interim injunction. Second, recordings from a non-codetermined system are regularly inadmissible before the labour court in case of damage. Third, the pilot is politically burned and cannot be revived even two years later.

From our project practice: roughly three quarters of failed robot projects in German plant security fail not on sensors or navigation, but on missing or delayed committee work. [Source to insert] Plants that involve the works council from week one cut rollout time from nine months to ten to twelve weeks. [Source to insert] The committee is not an obstacle. It is the required procedural party whose early consent stabilises the project plan.

Next step: read the TCO comparison guard service versus robot and bring it into the first informal briefing of the chairperson.

Legal Framework: BetrVG, GDPR, BDSG and EU Machinery Regulation

The codetermination obligation arises from two provisions. §87 Abs. 1 Nr. 6 BetrVG covers technical monitoring equipment. §87 Abs. 1 Nr. 7 adds occupational safety rules, which become relevant for autonomously moving robots in traffic areas. Both provisions require consent, not consultation. Without agreement, only the conciliation board remains.

Under data protection law, Art. 35 GDPR applies. A Data Protection Impact Assessment is mandatory for systematic monitoring of publicly accessible areas, and plant perimeters with employee traffic fall into this category. §26 BDSG governs employee data processing separately. Thermal imaging and audio sensors require clear purpose limitation and must not be used for performance evaluation.

The EU Machinery Regulation 2023/1230 sets conformity requirements for autonomous mobile machinery including security robots. From 20 January 2027, CE conformity is mandatory (EU Machinery Regulation 2023/1230, Art. 52). Buyers today should secure conformity contractually. In addition, EN ISO 13482 defines safety requirements for mobile service robotics, used as the reference standard for patrol systems.

For KRITIS operators a further framework applies. The NIS-2 Directive obliges operators of critical entities to technical and organisational security measures, which must be reconciled with codetermination rights. The codetermination process is no pretext to delay NIS-2 duties, but it is part of documented governance. Both requirements can be met in parallel.

Content of a Defensible Works Agreement

A robotics works agreement that holds up before the conciliation board and the labour court contains six elements. First: concrete purpose limitation. Permitted purposes are perimeter protection, early intrusion detection, early fire detection, detection of open doors. Any form of performance or behavioural control is excluded. This clause is non-negotiable, it is the legal basis of the entire agreement.

Second: patrol corridors and exclusion zones are fixed on a map. An annex to the works agreement contains the plant layout with marked routes. Break rooms, smoking areas, rest zones, sanitary facilities and works council offices are technically excluded by geofencing. These exclusions sit in the robot configuration file and are verifiable by the data protection officer.

Third: data categories, retention periods and deletion routines. Standard retention is 72 hours. Longer retention only with a documented incident and only for the duration required for clarification. Deletion runs automatically, the audit log is tamper-proof.

Fourth: access matrix. Who sees live streams, who sees recordings, who sees raw data. Four-eyes principle for every evaluation with potential personal reference. Fifth: escalation path for incidents involving employees, including case-by-case codetermination. Sixth: evaluation clause after six and twelve months with adjustment option. Without this clause many committees refuse consent.

Next step: request the template works agreement via the pilot enquiry for security robots.

Data Protection Impact Assessment in Practice

The DPIA starts with a risk inventory. For each sensor type the data categories are documented: RGB cameras produce biometrically processable images, thermal cameras temperature data with personal reference, microphones potentially voice content, LiDAR point clouds with movement profiles. Each sensor is assessed individually.

The robot generation determines the DPIA scope. QR-1 without thermal person detection reduces effort substantially because no biometric features are processed. QR-2 for 24/7 outdoor perimeter captures thermal data with which persons are detected but not identified. Here detailed assessment is required, including justification of necessity under Art. 5(1)(c) GDPR.

Technical measures reduce residual risk. On-device blurring of faces directly on the robot before data leaves the sensor. Automatic blackout in social areas if the robot accidentally enters an exclusion zone. Edge processing without cloud replication, so raw data does not leave the plant. Organisational measures complement: role concept with defined access rights, audit log of every evaluation, annual effectiveness review by the data protection officer.

Consultation of the supervisory authority under Art. 36 GDPR is required only if a high residual risk remains after all measures. With cleanly configured patrol robots using edge processing and geofencing this is rare. The DPIA is nonetheless fully documented and produced on request.

Seven-Phase Model for Works Council Engagement

This model derives from twelve completed rollouts in German industrial plants between 2022 and 2025. The week figures are tested, not theoretical.

Phase 1 (Week 1 to 2): informal briefing of the chairperson. Plant manager or security manager seeks the confidential conversation. Brought along: a one-page use-case description, TCO comparison, security statistics of the last 24 months, list of outdoor areas with particular burden. The goal is not consent but a shared understanding of the problem.

Phase 2 (Week 3 to 4): formal information under §90 BetrVG. Written submission with technical specification, sensor list, data flow diagram and DPIA draft. The data protection officer is formally involved from this phase. The committee receives at least 14 days for review before the next meeting.

Phase 3 (Week 5 to 6): reference customer site visit. A delegation of two works council members, the data protection officer and the security manager visits a comparable plant in live operation. Real patrol data is used, not demo material. Most concerns dissolve after two hours on site.

Phase 4 (Week 7 to 8): negotiation of the works agreement. Template as negotiation basis, then adaptation to plant reality. In parallel the data protection officer finalises the DPIA. On disputed points the conciliation board is named as an option but not invoked. Experience shows two negotiation rounds suffice.

Phase 5 (Week 9): resolution by the committee, signing of the works agreement. The agreement is resolved in the regular works council meeting and signed by both parties. A copy goes to the data protection officer and the compliance team.

Phase 6 (Week 10 to 11): workforce training. Notice in all plant areas with patrol routes, sensor description and complaint office. Short training for affected shifts (15 minutes, documented). Likely encounter points are marked on the plant floor.

Phase 7 (Week 12): commissioning with a 30-day trial. Weekly review between security manager, works council chair and data protection officer. Adjustments to routes or time windows are documented. After 30 days transition to regular operation.

Common Works Council Objections and Factual Responses

Objection: job cuts. Response: Quarero robots do not replace existing plant security staff. They take over the unattractive night shift in inhospitable outdoor zones, which is hard to staff anyway. BDSW industry figures confirm the personnel shortage in the security sector. Freed-up capacity of qualified staff shifts to day shifts with reception, locking and escalation functions.

Objection: total surveillance. Response: patrol corridors are technically limited. Break rooms, smoking areas and rest zones are excluded by geofencing, verified by the data protection officer. The robot cannot physically enter these areas.

Objection: data breach. Response: edge processing on the robot, encrypted transport via TLS 1.3, German data centre, ISO 27001 certification. Raw video data does not leave the plant. Only metadata and, in alarm cases, a short clip are transmitted to the defined escalation recipient.

Objection: evidence used against employees. Response: evaluation with personal reference only on concrete suspicion and only with committee consent in the individual case. This procedure is in the works agreement and documented in the audit log. Unauthorised access leaves traces and carries disciplinary sanction.

Objection: technical failure. Response: 24-month SLA, 48-hour replacement, liability contractually with Quarero. Since the model is Robotics-as-a-Service without CapEx, there is no investment risk for the operator. On persistent underperformance ordinary termination rights apply.

Economic Case as an Argument in the Committee

Economic arguments convince works councils when they benefit the workforce. A 24/7 plant security post costs between 15,000 and 25,000 euros per month depending on the collective bargaining region. Included are wage overheads, holiday cover and sick leave. A QR-2 in the RaaS model costs about 3,500 euros per month. The BDSW industry figures document the structural gap between collectively agreed plant security costs and the RaaS alternative.

The difference is not an argument for headcount reduction but for headcount restructuring. Two pure night-shift posts can finance one qualified day-shift position with reception function plus a mobile intervention service. Both roles are paid better under collective agreements and are less physically demanding. This argument carries in the committee because it is concrete and verifiable.

The RaaS model without CapEx protects against bad investment. Contract end is possible after 24 months. If the pilot fails, the plant manager is not stuck with written-down hardware. The three-tier pricing model shows QR-1, QR-2 and QR-3 separately.

Two further economic effects. Insurance premiums for burglary and vandalism typically drop by eight to 15 percent after evidence of continuous patrol, depending on the insurer. [Source to insert] Reduced night-shift load measurably lowers sick leave in plant security. In three documented projects the decline ranged from eleven to 19 percent over twelve months. [Source or case study to link] Both effects feed into the TCO comparison.

Next step: review the use context in the article Perimeter protection in the industrial park and incorporate it into the business case.

After the Rollout: Continuous Codetermination

Codetermination does not end with the signature. It shifts into regular operation. A quarterly report to the works council documents the key metrics: number of incidents, alarms triggered, false positives, evaluations with personal reference. The report is standardised, two to three pages, sent ahead of the relevant works council meeting.

An annual review of the works agreement takes place. Triggers for adjustments are new sensors, changed patrol routes, fleet expansions or new legal requirements. An expansion to QR-3 with LiDAR point clouds and drone detection requires renewed codetermination because data categories change. The original works agreement does not cover this case.

A complaint office under §13 AGG receives notices from employees who feel observed. The office is named in the works agreement, typically located with the data protection officer, and responds in writing within ten working days. Even if the complaint is unfounded on the merits, it is documented and reported in aggregated form in the quarterly report.

The documentation duty serves two audiences at once. The supervisory authority under Art. 58 GDPR can demand inspection. KRITIS auditors in the context of NIS-2 implementation require evidence of governance for technical security systems. A cleanly kept works agreement file with DPIA, audit logs and quarterly reports satisfies both requirements without additional effort.

In this model the works council is not a blocker but a compliance partner. Plants that understand this introduce security robots without legal aftermath and gain the workforce as a second audit audience alongside the supervisory authority. Those who walk the path in structured form have the works agreement signed in ten to fourteen weeks. Those who bypass it risk a conciliation board and a rollout halt.

Next step: use the security robot DPIA template and NIS-2 compliance at Quarero as operational annexes to the works agreement.