The EU General Data Protection Regulation (GDPR) has been applicable for two years and has again emphasized the importance of data protection, including in employee monitoring and controls. Although the GDPR imposes data protection limits on the employer with regard to the monitoring of the employee, at the same time criminal and regulatory provisions force the employer to monitor his employees under certain circumstances. In practice, employee monitoring and controls take place in particular in connection with internal investigations or IT security tools. The COVID-19 crisis with increased work from home has also increased the need of employers to control the working hours and work performance of employees more precisely.
The tension between data protection and compliance will soon be enriched by a further facet: With the planned introduction of the Association Sanctions Act, the federal government intends to standardize uniform “corporate criminal law” in Germany. For the first time, the Federal Government’s draft also contains procedural regulations for carrying out internal company investigations. Compliance with these procedural rules is an obligation of the employer in order to benefit from considerable sanction mitigation. If the employer does not comply with the regulations, it is possible that his own efforts to provide information will not be taken into account in a way that mitigates sanctions. An important principle here is compliance with the “fair trial” principle. This principle is the gateway for data protection law, since proceedings against employees as potentially accused are only likely to be fair if, in addition to labor law, data protection regulations are complied with. The importance of data protection in employment will therefore continue to increase in the future, especially in the area of compliance.
In contrast to other countries, employee data protection is particularly pronounced in Germany. The constitutionally guaranteed right to informational self-determination also applies to employment. Total surveillance of employees is therefore ruled out from the outset. The “No expectation of privacy” approach in employment does not apply in Germany. Rather, compliance with data protection, labor and telecommunications regulations is required for the permissible monitoring and control of employees. In particular, the view of the data protection authorities and some courts on the applicability of telecommunications secrecy in the employment relationship represents a legal hurdle for surveillance measures that can only be overcome in advance with a corresponding binding regulation. The employer can also facilitate the implementation of possible monitoring and control measures in accordance with legal requirements by creating general transparency with regard to these measures.
In order to investigate suspected anti-trust agreements or the betrayal / abuse of trade secrets, companies often want to sift through employee emails. However, the following aspects should be considered in advance:
The German telecommunications secret
If employees are permitted to use the e-mail system privately (either expressly or through the tolerance of the employer), the data protection authorities and some courts believe that the employer is a telecommunications service provider and is subject to telecommunications secrecy. Telecommunications secrecy prohibits, under threat of a fine or even imprisonment, in particular making communication content and communication circumstances accessible to third parties (i.e. who communicated with whom and when about what), unless the communication participant has consented. Sometimes it is even argued that telecommunications secrecy does not only apply to purely private communication, but also to mixed professional-private or even purely professional communication. In the case of internal investigations, employee e-mails may already be made available to third parties if the external service provider or legal adviser or the parent company receives information on the employee’s e-mail communications. It is true that the voices in legal literature and in the courts are getting louder and louder that the employer is not to be regarded as a telecommunications service provider and the associated criminal liability provisions do not apply in the event of a breach of telecommunications secrecy. As long as this legal issue has not been decided by the highest court or by the legislature, it is advisable to take measures to avoid the applicability of telecommunications secrecy.
Since the consent of employees in an acute internal investigation reaches its limits both practically (the employee may refuse or revoke consent) and legally (the data protection authorities generally regard such consent as ineffective because the employee cannot give it free of compulsion), the data protection authorities recommend expressly forbidding the private use of the professional e-mail account for all employees. In addition, a control system must be established to enforce this ban. A ban without enforcement can lead to tolerated private use, which in turn may be treated in the same way as expressly permitted private use.
If such a total ban on private use is not desired for reasons of the working atmosphere and previous practice, the employer can choose a middle course: despite the general and express prohibition of private use, the individual employee is offered, in individual cases, permission to use the professional e-mail account privately if, in return, he waives telecommunications secrecy. Such a waiver is viewed by the data protection authorities as a voluntary act and therefore as effective. In this case, however, it is unclear whether, if the waiver is revoked, telecommunications secrecy is revived for e-mails that have already been received and sent, so that searches of these existing e-mails would violate telecommunications secrecy, and whether and how telecommunications secrecy applies to the external communication partner.
Other options are to allow the use of private webmail services via the company Internet, so that professional e-mail correspondence in the professional e-mail account is separated from private correspondence in the webmail service. However, this permission for private use of the company Internet has the consequence that the usage data of the company Internet should be subject to telecommunications secrecy, for example the log files as information about the circumstances of communication over the Internet.
The aforementioned options are typically implemented through a works agreement, through an internal guideline for the use of IT systems or through regulations in the employment contract. There is currently no ideal way to deal with telecommunications secrecy in Germany. Companies should determine the best solution for them after weighing the specific work conditions with the possible legal implications.
Data protection rights
Even if the applicability of telecommunications secrecy has been ruled out, data protection principles such as necessity, proportionality, data minimization, legal permission and transparency must be observed when searching purely business emails. These data protection principles require, in particular, measures to limit the search to what is absolutely necessary, documentation of the legal basis for the search under data protection law, restriction of access rights, transparent information to employees about the purpose of the search, and, if necessary, the implementation of a data protection impact assessment.
In particular, determining the correct legal basis under data protection law requires careful analysis. Insofar as the search of the emails is carried out to uncover criminal offenses or serious breaches of duty by the employee, there is a legal basis under data protection law, provided
documented factual evidence justifies the suspicion that the employee concerned has committed a criminal offense or serious breach of duty in the employment relationship,
the search is necessary for detection and
the employee’s legitimate interest in the search of the emails does not prevail (in particular, the type and extent of the search must not be disproportionate to the cause).
In practice, the procedure is typically staged in order to meet the principles of necessity and proportionality: for example, discussions with the employee to establish the facts at the first stage, an automated keyword search of e-mails limited to the shortest possible period at the second stage, and a manual review of potentially relevant e-mails only at the third stage.
If the matter is not one of incident-independent checks or spot checks but rather the clarification of specific individual breaches of duty, such investigative measures are not subject to co-determination, because they lack a collective reference and because it is regularly the work behavior of the individual employee that is concerned. Nevertheless, the introduction and use of the technical facility (here: the e-mail inbox or e-mail program that is the subject of the investigation, or the e-discovery tool used for the automated search of the professional e-mail account) is subject to employee participation. The conclusion of a corresponding works agreement on the introduction and use of the facility, which standardizes the employer’s right to carry out evaluations in the event of an urgent suspicion of serious breaches of duty and criminal offenses by an employee, is required in any case. This also applies to the constellations outlined below (with the exception of Section 7), which, since they concern access rights to technical equipment, are also subject to co-determination.
If an employee is temporarily absent (due to vacation or illness) or has left the company permanently, there is often a need to view the employee’s business e-mails (and other files), both in the archives and in the inbox, in order to continue business operations. Here, too, a regulation is first required that avoids a violation of telecommunications secrecy when accessing the e-mails (see above). In addition, a transparent regulation that adequately takes the interests of the employees into account, be it an internal guideline, a works agreement or part of the employment contract, should define the circumstances and conditions of access.
In order to protect confidential information, trade secrets and personal data from unauthorized access, employers regularly use IT tools such as data loss prevention tools, virus filters or SSL decryption systems. Insofar as these tools pursue the purpose of preventing access to personal data, they are generally viewed as suitable and necessary security measures to protect personal data (Art. 32 GDPR). However, the restrictions of telecommunications secrecy and data protection must be observed when implementing these tools.
If the private use of the professional e-mail account and the company Internet is not expressly and effectively prohibited, these tools regularly lead – in accordance with the view of the data protection authorities and some courts – to a violation of telecommunications secrecy and thus to a possible criminal liability. In addition, these tools must be configured and implemented in such a way that they comply with the data protection principles mentioned above. In particular, the principles of necessity, proportionality and data economy typically require a step-by-step approach. At the first level, the tools should – as far as possible – work with pseudonyms instead of the full names of the employees. In the second stage, the employee should, as far as possible, be informed of possible misconduct by means of automated warning messages. In the third stage – as far as possible – pseudonymized logs should be evaluated before the pseudonym is assigned to the employee in the event of an actual violation.
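The three stages described above, as an added example that is not code from the original article or from any DLP product: a keyed pseudonym replaces the employee identifier in the event log, automated warnings are addressed to the pseudonym, and the pseudonymized log is evaluated over a short window before a single pseudonym is resolved, with an audit entry. The key, the user directory, the thresholds and the sample events are assumptions.

```python
# Added example (not from the article): pseudonymised DLP event log with
# three-stage escalation. Key, names, thresholds and events are constructed.
import hmac
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Secret assumed to be held only by the role allowed to re-identify (e.g. HR/legal).
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonymise(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, one-way pseudonym: the security team sees only this value."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample of DLP hits: (user id, timestamp, rule that fired).
RAW_EVENTS = [
    ("alice", "2020-06-01T09:12:00", "outbound_attachment_trade_secret"),
    ("alice", "2020-06-01T14:40:00", "outbound_attachment_trade_secret"),
    ("alice", "2020-06-02T10:05:00", "usb_copy_customer_data"),
    ("bob",   "2020-06-01T11:00:00", "outbound_attachment_trade_secret"),
    ("carol", "2020-05-20T08:30:00", "usb_copy_customer_data"),
]


def stage1_log(events):
    """Stage 1: persist events under the pseudonym only, never the clear name."""
    return [(pseudonymise(u), datetime.fromisoformat(t), rule) for u, t, rule in events]


def stage2_warnings(log):
    """Stage 2: one automated notice per event, addressed to the pseudonym.
    Delivery to the mailbox is left to the gateway holding the mapping."""
    return [{"to_pseudonym": p, "rule": rule, "text": "Policy reminder: " + rule}
            for p, _, rule in log]


def stage3_evaluate(log, now, window_days=7, threshold=3):
    """Stage 3: count hits per pseudonym inside a short window; only pseudonyms
    at or above the threshold become candidates for re-identification."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter(p for p, ts, _ in log if ts >= cutoff)
    return {p: n for p, n in counts.items() if n >= threshold}


def reidentify(pseudonym, directory, key, audit, reason):
    """Resolve a pseudonym only with the key and record who asked and why.
    `directory` is the list of user ids the key-holder may consult."""
    for user_id in directory:
        if hmac.compare_digest(pseudonymise(user_id, key), pseudonym):
            audit.append({"pseudonym": pseudonym, "reason": reason, "by": "key-holder"})
            return user_id
    return None


def demo_candidates():
    """Run stages 1 and 3 on the constructed events as of 2020-06-03."""
    return stage3_evaluate(stage1_log(RAW_EVENTS), datetime(2020, 6, 3))


if __name__ == "__main__":
    candidates = demo_candidates()
    audit_trail = []
    for p in candidates:
        print(p, "->", reidentify(p, ["alice", "bob", "carol"], PSEUDONYM_KEY,
                                  audit_trail, "threshold exceeded"))
```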
Software that logs all keyboard entries for the purpose of employee control is generally not permitted under data protection law. Such keylogger software may only be permitted in individual cases, where there is a specific documented suspicion that the employee has committed a criminal offense or another serious breach of duty in the employment relationship in connection with the use of the computer, and where there is no more lenient means of detection. Furthermore, the restrictions of telecommunications secrecy (see above) must be observed.
In the case of employees working outside the company, the employer may have an interest in locating the employees, for example using GPS, WLAN or the cellular network of the company cell phone. With a location, on the one hand, compliance with working hours could be checked. On the other hand, the location can serve the economic optimization of business processes (e.g. route planning, utilization management, fuel consumption, etc.). In the course of the COVID-19 pandemic, the proposal for permanent real-time location of employees to track chains of infection has often been made.
When locating via telecommunication devices, such as the company cell phone, the legal requirements of telecommunications secrecy can be relevant. In any case, uninterrupted and precise location of the individual employee is generally not permitted. Isolated and rough location, on the other hand, may be permissible if it serves the performance of the employment relationship. Whether the location of field service employees is permitted for the purpose of fleet management and deployment coordination depends on the specific implementation, in particular the frequency and accuracy of the location, transparent information and location-free periods. In principle, checking the employee’s working hours can also be a permissible processing purpose if this does not lead to total surveillance.
In any case, the location must be carried out in accordance with the general data protection principles, i.e. permissible processing purpose, transparent information to the employees, location only within the absolutely necessary framework (if possible only location of an area instead of location of the exact location), concrete definition of the purpose, very limited storage of the data and very limited access to the data.
The Telecommunications Act may also require the consent of the employee, particularly when locating via cell phones used under a “bring your own device” model, but this consent will usually be ineffective due to the employee-employer relationship. If the location is carried out via the cellular network of the telecommunications provider, an SMS would have to be sent to the cell phone each time the location is determined, unless the location is only displayed on the cell phone itself. In the case of location via the Internet and GPS, the Federal Commissioner for Data Protection and Freedom of Information takes the view that the Telecommunications Act does not apply and that “only” the basic principles of data protection law must be observed.
Random, cause-independent and suspicion-based checks of bags (for example at the exit to prevent theft) or drawers (for example for call center employees to prevent credit card fraud) in the presence of the employee are regularly permitted under data protection law if the basic principles of data protection law are observed. Telecommunications secrecy is not relevant in this context. Although no technical facility is the subject of the investigation in this case, general controls are subject to the works council’s right of co-determination, as there is a collective reference and such measures affect the behavior of employees in the company, namely the obligation to tolerate the employer’s control.
Employers whose employees work from home may need technical monitoring with regard to working hours. A large number of different monitoring and control means are conceivable for this, such as logging of logins to and logouts from the computer, of activities in the company network and even of individual keystrokes on the employee’s computer.
The recording of the frequency of keystrokes is generally not permitted because of its nature as continuous monitoring (see above on keylogger software). Checking the login data could be compared with analog clocking in and be regarded as permissible if the other basic principles of data protection law are observed. Evaluations of the activity status in instant messenger services will only be permitted in individual cases, because the purpose of the activity status is typically real-time communication rather than working time control, so that recording of the activity status should generally not be necessary. Comprehensive or even complete control measures by the employer are also generally not permitted in the home office.
- Rights and duties in the home office
Labor law also applies in the home office. Claudia Knuth, specialist lawyer for labor law in the Hamburg office of the Lutz Abel law firm, explains the rights and obligations of employees and employers.
- The employer decides
The employee has no right to a mobile or domestic workplace. Ultimately, the decision is made by the employer who has the freedom to design the company organization.
- Note the legal situation
Anyone who takes printouts, files or forwarded e-mails home risks penalties under labor law, and depending on the sensitivity of the information, up to and including termination. Employees should therefore coordinate with the employer beforehand as to whether and which company documents they can take home with them.
- Check requirements
In principle, the work of the employee must be suitable for this. Business appointments, customer appointments and meetings should have priority. If mobile work can be integrated into operational processes without disruption, the same efficiency of work should be ensured as with face-to-face work.
- Clarify time recording
Instead of clocking in and out at the beginning and end of work, in the home office the employee should note how long he worked on each day of the week. The prerequisite for this is a trust- and results-oriented work culture, as time recording is more difficult to control. The Working Hours Act also applies outside the office: the maximum working hours per day (at most ten hours), rest periods (at least eleven hours) and the ban on working on Sundays and public holidays must be observed.
- Ensure data protection
The employer must take the necessary protective measures. For example, a secure data transfer can be guaranteed by using VPN connections. It is important that only software and files approved by the employer are used. The employee must ensure that no one else, including family members, has access to the mobile devices used. In addition, passwords may not be passed on to third parties or negligently kept easily accessible.
- The works council has a say
The works council has no say in the decision for or against mobile working. It does have a say in some of the accompanying changes, however, for example changes to working hours, the use of technical facilities that have not yet been subject to co-determination, the prevention of accidents at work or transfers. The works council must also be involved in the planning process.
- Assumption of costs
If the employer allows home office, he must also cover the necessary costs. This includes office equipment, technical equipment and telecommunications costs. Either the employee is provided with everything he needs or he uses his own end devices (“bring your own device”). Whichever variant or mixed constellation is chosen, a contractual basis is essential.
The following checklists are guidelines for the many legal questions that arise before starting an internal investigation and can be used in a similar way for other monitoring measures. There are no clear yes / no answers to the individual questions – they would also be misleading. Some of the situations have never been resolved in court, at least not by the highest court. As far as the data protection part is concerned, the answers mostly depend on the individual case. In short: an IT manager should go to his legal department with this list to discuss the various points. (pg)
Data protection and criminal law
What is the specific subject and scope of the internal investigation? How can the subject matter and scope be narrowed down as best as possible? Are there already specific keywords and a period for the documents to be searched? – the less data is searched, the better.
What should be searched? E-mails, document archives, instant messenger messages, SMS messages, communication log files? Should interviews also be carried out?
Which employees are the subject of the internal investigation and why? (Accused, possible accomplices, possible witnesses, possible owners of relevant documents?)
In which systems are these documents stored and who has access to these documents?
Is private use for these systems either expressly permitted or tolerated? Is there an IT guideline, usage guideline, usage agreement, employment contract regulation and / or works agreement?
Is data accessed as part of the internal investigation that is specially protected against unauthorized access and whose access protection must be specifically overcome?
Are private data changed or deleted as part of investigative measures?
Have the employees given their consent to private use of the systems in advance?
Have the employees been adequately and transparently informed about the implementation of internal investigation / monitoring and control measures in accordance with the information obligation in accordance with Art. 13 or Art. 14 GDPR?
On what legal basis of the GDPR and the BDSG may the personal data of the employees be processed for the purpose of the internal investigation (typically § 26 Paragraph 1 Sentence 1 BDSG, § 26 Paragraph 1 Sentence 2 BDSG or Article 6 Paragraph 1 lit. f GDPR)?
Is it possible to base the investigation on the consent of the employees concerned (attention: employee consents are generally not voluntary, unless the employees concerned are executives or belong to the management)?
Is the investigation carried out in cooperation with an external service provider (e.g. a forensic or e-discovery service provider), and has a data processing agreement been concluded with this service provider in accordance with Art. 28 GDPR?
Has the service provider been given written instructions on how he should carry out the investigation (keywords, period, etc.) and how he should handle private or irrelevant e-mails (for example “close immediately”, “do not read”, “do not copy”, “do not forward”, “do not print”)?
Are the results of the investigation (e.g. the results of the e-mail search or interview transcripts from employee surveys) transmitted to third parties (to other companies in the group that may be located outside the EU, or to external legal advisers) and, if the answer is “yes”, has the admissibility of the transmission been checked and, if necessary, has an adequate level of data protection been ensured at the recipient (Art. 44 ff. GDPR)?
Are the results of the document search or interview transcripts in employee surveys anonymized or pseudonymized before being forwarded?
Are the retention and deletion periods for examination results clear, and is deletion of examination results adhered to and controlled?
Has the company given any thought to the fact that unlawfully collected evidence in later legal proceedings may be subject to a prohibition on the use of evidence and therefore cannot be used?
Are there possible reporting obligations to state law enforcement authorities for the investigated offenses?
Is there a works council?
Are there company agreements on control measures for employees or on the control of IT / e-mail systems?
Have notification obligations to the works council and / or the works council’s rights of co-determination been observed?
Is the employee to be interviewed a suspect or an accused?
Do employees have to come to interview appointments and answer questions?
Should employees be provided with a lawyer (at the employer’s expense) for interviews?
Are employees to be advised that they do not have to burden themselves? If so, in which form?
Are representatives of the works council entitled to take part in the interviews or other investigative measures?
Does the works council have the right to receive or view the results of the investigation?
Do the employees have a right to receive or view the test results?
Do the examination results have to be in the personnel file?
Has the company thought that unlawfully collected evidence in later legal proceedings may be subject to a prohibition on the use of evidence and therefore cannot be used?