The German legislature is about to enact a new law to be known as the Employee Data Privacy Act (Beschäftigtendatenschutzgesetz or the Act). The Act is designed to wrap up a lengthy debate over the institution of a comprehensive statutory framework for the protection of employee data.
Germany’s data privacy law concerning the collection, storage, use or transfer of personal data has been quite restrictive, as with similar laws in the European Union. However, specific legal provisions for the protection of personal data of employees have been rare thus far. The legal framework governing employee data privacy has consisted of a variety of general laws, including the Federal Data Privacy Act (Bundesdatenschutzgesetz or BDSG), as well as case law.
The draft Act is still a work in progress, yet major parts are likely to be enacted as revised to date. For employers, it will clarify many aspects of employee data privacy and create new restraints. Below is a summary of the draft Act’s key aspects:
Why Germany is Introducing the Employee Data Privacy Act Now
Germany has seen a number of data privacy scandals lately, such as the email screening and comparing of bank account information at Deutsche Bahn, the storage of employee health data at Daimler, and the secret video observation of employees at discount chain Lidl. In September 2009, the German legislature established a new regulation to address employee data privacy in light of these events. The regulation was largely considered a “poor” job because it raised more questions than it answered.
The draft Act is intended to balance interests of employee protection in the sense of preventing “observation” and “spying.” At the same time, it is meant to accommodate the employer’s legitimate interest in monitoring employees for compliance purposes.
Why Data Privacy Should Matter to Business Owners
A breach of employee data privacy may have extensive implications exposing business owners to the following:
- Criminal liability
- Administrative offenses, with fines reaching up to €300,000 per event
- Damage claims
- Potential inadmissibility of evidence in proceedings for unlawful termination
- A new right of employees to file complaints with the Data Privacy Agency
Expected Cost Exposure of Business Owners
The German government expects the aggregate financial exposure for businesses to reach approximately €9.49 million on an annual basis, in addition to one-time transition costs of approximately €10.3 million. These costs are the result of several newly introduced obligations regarding information, disclosure and notification.
Key Aspects of the Act
The draft Act will be incorporated into the Federal Data Privacy Act as new sections 32 to 32l. It draws important lines on the collection, use and processing of data during the recruitment process, as well as during and after the employment of the individual.
Information about Job Applicants
Publicly-available sources (e.g., newspapers) may be used by an employer to obtain information about a job applicant if the employer informs the applicant in advance and the applicant has no prevailing interest in secrecy. However, an employer’s use of the Internet to obtain information about job applicants is limited. Professional social networks (e.g., XING) and search engines (e.g., Google) may be utilized, but an employer may not perform searches on social networking sites (e.g., Facebook, Stay Friends).
Electronic Data Screening
Electronic data screening of employees, such as employee screening and bank account comparisons, is not permitted unless it is used to uncover criminal acts or serious infringements, subject to the following:
- The screening must be conducted in anonymous or alias form only
- The data may be used in personalized form if there is a concrete suspicion of criminal acts or serious infringement
- The employer must inform the employee about the substance, scope and purpose of the screening as soon as doing so would no longer affect the objective of the screening
It remains unanswered whether preventive screening is permissible, but presumably it is not.
Collection of Data Without the Employee’s Knowledge
Collection of data without an employee’s knowledge is permitted if there are facts in support of a concrete suspicion of a criminal act or another serious infringement that would entitle the employer to dismiss the employee for cause. However:
- Collection without the employee’s knowledge must be necessary (i.e., collection would be impeded or would have fewer prospects of success if done in another way)
- The duration for which information is retrieved must be limited to what is indispensable
- Systematic screening may be conducted for no longer than 24 hours without interruption or for no more than 4 days
- The use of technical equipment for the interception or taping of words spoken not in public as well as technical equipment for observation (except for binoculars or photo cameras) is unlawful
- The use of data from the core of one’s private sphere of life (e.g., data from one’s private home) is unlawful
- The employer must in advance document the facts in support of a concrete suspicion of a criminal act or another serious infringement
- The employer must document the full circumstances of the data collection
- The employer must inform the employee about the substance, scope and purpose of the screening as soon as this would no longer affect the objective of the screening
- Data and documentation must be deleted without delay once they are no longer needed, but in no event later than at the end of the year after documentation occurred
Currently, video observation in spaces accessible to the general public is allowed by exception and must be marked as such. The draft Act disallows video observation at workspaces that are not accessible to the general public except in certain, limited cases and after a weighing of interests, provided the observation is marked as such.
Email and Internet
The draft Act regulates the use of telecommunications services on official business. Provided the employee does not have a prevailing interest in secrecy, the screening of the contents of an employee’s email and Internet usage on official business will be admissible if required:
- To ensure the proper operation of telecommunications networks or telecommunications services, including data security
- For billing purposes
- For random or circumstantial monitoring of employee performance or conduct
Exceptions to the Mandatory Level of Protection (via Agreements with Works Councils, etc.)
German case law has presumed that agreements with works councils may contain provisions deviating from the level of protection afforded by the Federal Data Privacy Act. On the one hand, the draft Act now refers expressly to the admissibility of works council agreements to deal with employee data privacy issues; on the other hand, it states that no deviation from provisions of the law may be to the employees’ detriment. So, we have to assume that existing works council agreements may be subject to future revision if they vary from the current draft Act to the employees’ detriment.
Formerly, employees could consent to any kind of use of their data by the employer or third parties as a rule, yet the requirements for such consent to be effective were quite stringent. The new Act will limit the possibilities for such consent to specific, limited situations.
Handling at Groups of Companies
Nothing in the reasoning to the draft Act suggests that the new law will address how groups of related companies should handle their specific issues of employee data privacy. Groups are faced with substantial legal uncertainty concerning the transfer of employee data to other group members, particularly to those abroad. Meanwhile, however, German politicians largely agree that this issue should be regulated in the law. Consequently, we expect that discussions on a European level will include a discussion of data privacy at groups of companies.