Legal implications and best practice guidance in Germany
By Pauline Moritz
Video surveillance is so yesterday. Today, employers have far more contemporary means of monitoring their employees: spy software, GPS tracking or lifestyle tracking by wristband, to name but a few. These measure productivity, track attendance, ensure security or detect any activities that may harm the company. What an employer believes is necessary, however, may not be permissible or usable as valid proof for legal purposes.
Legal framework for employee monitoring
As the methods of monitoring have developed, so has the regulatory framework governing their use. Electronic forms of employee monitoring involve the collection, processing and (often) submission of personal data and are, therefore, regulated by the German Data Protection Act (Bundesdatenschutzgesetz, BDSG). The Act establishes a general prohibition of collecting, processing and submitting personal data unless such action is permitted by law or by explicit consent of the employee.
Employers may also need to navigate the German Telemedia Act (Telemediengesetz, TMG) as well as the German Telecommunications Act (Telekommunikationsgesetz, TKG), which set even stricter parameters for the use of personal data, e.g., making it a criminal offense for employers to open and review personal emails of employees.
Moreover, as of May 2018, the EU General Data Protection Regulation (GDPR) will be binding in all EU Member States and set harmonized standards for employee monitoring. Transnational employers seeking to carry out monitoring in multiple jurisdictions, however, may still find disparity between EU regimes with some applying even greater restrictions, as is the case in Germany.
Smartphone surveillance: Monitoring WhatsApp on business phones?
The employer’s ability to monitor smartphone data and communication largely depends on whether private use has been prohibited or not. In each case, the principle of proportionality has to be respected and the privacy rights of the employees must not be violated.
If the employer prohibits private use, they have some leeway for monitoring activities, e.g., random checks of protocol data (IP addresses, the size of submitted data, duration of use) to verify whether the smartphone was used purely for business reasons. This should, however, be limited to random checks (no groundless 24/7 surveillance). The employer may also take note of messages, unless their private nature is evident (e.g., in WhatsApp chats with family members).
If the employer permits or tolerates private use, the employee’s consent to any monitoring must be obtained. The collection and processing of data are only permitted if there is a concrete suspicion (e.g., a violation of the IT policy). Accessing an employee’s communication apps (Outlook, WhatsApp, etc.) is only permissible with the employee’s prior consent.
The German Federal Labor Court (Bundesarbeitsgericht) recently ruled on the use of keylogger software, which tracks all keyboard entries of the user. The Court found that the use of such software is impermissible as a measure of general surveillance, i.e., without a reasonable suspicion of violation, even if private use of the IT infrastructure is prohibited. Such spy software, as well as comparable surveillance techniques, e.g., automated screenshots, should be used with restraint and only after a comprehensive balancing of both the employer’s and the employee’s interests.
Installing GPS devices on vehicles, smartphones, laptops or iPads can enable the employer to permanently monitor the employee’s whereabouts. While tracking their whereabouts outside of working hours is not permissible, tracking employees during working hours may be permissible either with the employee’s consent or where legitimate business reasons call for such tracking. This again requires an overall balancing of interests between the privacy rights of the employee and business needs of the employer.
Discussion mining in social media
Another rising trend in employee monitoring is discussion mining: Employers scan employees’ social media accounts and set up a profile, which can include political opinions, information on (private) activities, friends and general preferences. Such comprehensive monitoring of social media is likely to be impermissible as in most cases, the collected data will not have any link to the employment relationship. In principle, outside of working hours, the employee may chat and tweet as he or she chooses. The employer has little means to regulate such activity as statements on social media are protected free speech under the German Constitution. Depending on the circumstances, this may be different if employees disclose internal business information, bully colleagues or make derogatory or insulting comments about the employer and this information is available to the public (or a large number of coworkers are friends on Facebook). Sharing such information in public is possible simply by hitting the “like” button. The admissibility of monitoring activities in these cases depends on the particular circumstances, such as the degree of dissemination.
Extreme monitoring and employee wellness
When it comes to monitoring employees, some employers (want to) go even further. Electronic wristbands (Jawbone, Fuelband or Fitbit) or sociometric badges measure different health parameters, fitness levels, sleep quality and fatigue levels. While it may be tempting for employers to collect such information, the mandated use of such devices is not permissible as it affects the inner circle of personal privacy. Even if employers integrate such devices into voluntary employee wellness programs and obtain the consent of the employee, this may be viewed critically and declared invalid by labor courts if employees feel pressured to participate in the program. Due to the absence of relevant case law, employers should treat the use of such devices with caution and carefully consider the legal implications of the individual case.
Best practice guidance
Monitoring should always be limited in scope, targeted and time bound to comply with the principle of proportionality. As best practice, employees should be fully informed as to what extent monitoring takes place and for what purposes the data is used. If a works council is established, codetermination rights must be observed: Pursuant to the Works Constitution Act (Betriebsverfassungsgesetz, BetrVG), the works council is granted the right to codetermination (i.e., to be informed, to discuss and to conclude formal works agreements) with regard to the operational organization of a site as well as employee monitoring by technical devices. Employers should put in place clear monitoring policies and, as far as codetermination rights are concerned, conclude formal works agreements. Where it is necessary for personnel to gain access to information obtained through monitoring, those staff members should be given appropriate training on the legal framework, data protection and security.