On February 5, 2016, the German data protection authorities issued guidance (available in German) for private sector organisations explaining when and how an employer may monitor its employees’ work email account and Internet usage ("Guidance"). German employers would be wise to structure their monitoring activities to comply with the Guidance.
1. Threshold Question
The applicable legal framework, which determines whether and how an employer may monitor its employees’ work email accounts and Internet usage, depends on whether the employer permits or prohibits the use of workplace email and Internet services for personal purposes:
if the employer prohibits the use of workplace email and internet services for personal use, the relevant law is the German Federal Data Protection Act ("FDPA") and there will be more scope for monitoring;
if the employer permits or tolerates the use of workplace email and internet services for personal use, the FDPA applies but, according to the German data protection authorities, so do the German Telecommunications Act (“TCA”) and the Telemedia Act (“TMA”). These impose further restrictions on monitoring activities. By way of background, the data protection authorities take the view that employers that permit or tolerate the use of the company IT systems (also) for personal purposes qualify as providers of telecommunication services or telemedia services. Some German courts reject this view. However, until this question is finally settled, employers would be prudent to assume the application of the TCA and TMA if they permit or tolerate such personal use.
2. Employer Prohibits Use Of Workplace Email And Internet Services For Personal Purposes
Monitoring of Internet usage - The employer may undertake spot checks of protocol data in order to check whether employees use the Internet for company purposes only. This should – in a first step – be done without collecting personal data (such as IP addresses or other data which allows the identification of individuals). For example, compiling blacklists and/or whitelists on the basis of anonymized protocol data would be preferable.
Monitoring of emails - The employer may take note of incoming and outgoing company emails and may, for example, ask employees to forward certain emails. But the employer may not ask for an auto-forwarding of all emails unless an employee is absent and an out-of-office reply is insufficient. When the employer recognises the personal character of an email, the employer must stop reading the respective email and must also not forward or print it.
A full monitoring of Internet use and/or emails is only permitted to investigate crimes and requires a concrete suspicion of misuse as well as adherence to the principle of proportionality.
3. Employer Permits or Tolerates Use Of Workplace Email And Internet Services For Personal Purposes
As a general rule, data subject to the telecommunications secrecy provisions of the TCA (e.g., protocol data) may only be accessed with the employee's consent, unless one of the very narrow statutory exceptions applies.
Monitoring of Internet usage - If an employer wants to monitor its employees’ Internet use, it should conclude a works council agreement which outlines the permitted personal use of the company IT systems (or include similar provisions in individual employment contracts and/or a policy document). In addition, the employer must obtain the employees' individual consents to any planned monitoring which must include the type and scope of the monitoring. The employer may then undertake spot checks of protocol data to check that employees adhere to the rules for personal Internet use. Despite the consent, an evaluation of protocol data by reference to individuals is only permitted if there is a concrete suspicion (e.g., of a violation of the rules for personal Internet use).
Monitoring of emails – The same applies to the monitoring of an employee’s email account. In addition, it should be stipulated (in a works council agreement/ employment contract/ policy) if and how the employer may access work emails stored in an employee’s email account that contains both company emails and personal emails.
Refusing to consent - Employees must be able to refuse their consent to the monitoring of their Internet and email usage without facing any employment-related disadvantages. However, if they refuse their consent, they will not be allowed to use the work Internet or email account for personal purposes.
The Guidance contains standard works council agreements and consent forms which may be consulted when drafting these documents or a monitoring policy.