Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
Companies must consider a number of employment issues when implementing the BYOD model.
Individual employment contracts or works council agreement
There are different ways for the employer to implement BYOD. One option is to amend individual employment contracts. In this case, the employees’ duties will be expanded and they will be obliged to use their own private devices for professional purposes. At the same time, the employer will be obliged to compensate employees for this use. Thus, an employer cannot require employees to use their own device for the purposes of employment without their consent, as the employer must usually provide the necessary devices for professional purposes to the employee.
An alternative option for BYOD implementation is to negotiate the BYOD model with the company’s works council (if applicable) and conclude a written works council agreement between company management and the works council. This approach has the advantage that the employer need not agree on the use of the private device with each individual employee. However, a works council agreement can set rules only for conditions at the workplace; it cannot regulate use of the device in employees’ private lives or other such matters. Therefore, the BYOD rules that can be established through a works council agreement are limited and individual agreements with employees are still required.
Rules for use of the device
The agreement between employee and employer should determine the type and scope of use of the private device so that the attendant rights and duties are clear to both parties. In particular, the agreement should contain rules on:
- the private use of the device during working hours;
- conditions for termination of BYOD use;
- access by the employer to the private device and software stored on the device (eg, security software); and
- conditions under which the employee may be obliged to hand over the device to the employer so that it can access data stored on the device (eg, in case of internal investigations).
By using a private device, an employee uses his or her own asset for professional purposes. The related expenses must be compensated by the employer, as they are not usually part of the salary package. This compensation should cover the actual costs of professional phone calls and internet use for work-related purposes, as well as the general use of the device over time.
In the context of BYOD, problems may also arise due to the fact that the employee always carries the private device ready for use. This increases the likelihood that the employee may execute professional tasks outside of regular working hours. Under the Working Time Act, it may be necessary for the employer to restrict the employee’s duties on days when a lot of work must be done in order to comply with the act and avoid administrative or criminal penalties.
The general liability regime in the employment context applies to BYOD. If an employee uses personal devices for professional use at the request of the employer, the employer must compensate for any damage that may arise in the context of this use. The employer may also be liable for damage to the device if the employer requests that the employee be available constantly and the device is damaged outside regular working hours.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
No specific rules cover the implementation of BYOD in a global organisation or in highly regulated sectors in Germany. However, certain laws covering highly regulated sectors set out specific IT security requirements (eg, the Banking Act). The act requires that institutions implement adequate technical and organisational resources as well as an adequate contingency plan, particularly for their IT systems. In accordance with the Banking Act and the Minimum Requirements for Risk Management, institutions must ensure that their IT systems and IT processes guarantee the integrity, availability, authenticity and confidentiality of data.
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
Privacy laws, employment laws and the protection of a company’s confidential information overlap significantly in the context of implementing a BYOD model. German data protection law includes specific provisions on the collection, processing and use of employee data in order to balance the rights of employees and the interests of the employer. In addition, the law sets down a list of specific security controls that must be implemented by the employer when processing personal data in order to protect both the data and confidential information. These measures must be implemented on employee BYOD devices that contain personal data.
At the same time, the Works Constitution Act, in order to protect employees’ interests, determines which aspects of BYOD require the approval of the works council. This approval covers both:
- the introduction and use of BYOD, as BYOD is considered to be a technical device designed to monitor the behaviour or performance of employees (according to Federal Labour Court precedent, the potential possibility of monitoring is sufficient); and
- the way that the employee is supposed to use the device, as BYOD is considered to relate to the operational rules of the establishment and the conduct of employees in the establishment.
The various laws and regulations may be reconciled by implementing an appropriate agreement between the employer and employees relating to the introduction and use of BYOD which strikes a balance between the interests of the employer and its employees. In addition, the Works Constitution Act must be observed to ensure that the implementation process runs smoothly.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
The implementation of security measures for BYOD is sensitive, as many users are not ready to accept restrictions on their own devices or to allow access to their devices by the employer. In particular, security measures which invalidate the device’s warranty will usually be difficult to implement.
The Federal Office for Information Security (BSI) has issued a guidance paper suggesting that the following points should be clarified before developing a BYOD strategy:
- whether the strategy is compatible with the security requirements of the company; and
- which conditions must be met and whether BYOD will be acceptable for employees under these conditions.
Usually, if a BYOD strategy is incompatible with the security requirements of a company or if the necessary conditions are unacceptable to the employees, BYOD cannot be implemented.
From a security perspective, BYOD also involves the imposition of restrictions on the type of device used. According to the BSI guidance paper, companies can take the following practical steps:
- Restriction of selected types of device – few companies will be in a position to administer and manage an unlimited number of different devices, operating systems and applications from a security perspective. Thus, the types of approved device should be limited.
- Identification of user types – not every employee will necessarily use his or her own device and the motivation to do so could be very different. Therefore, it may make sense to create different rules for the various user groups. Many employees may just want to be able to check their calendars when travelling. For such uses, security-compliant solutions can be found quite easily. However, if, for example, employees would like to be able to perform administrative access requests remotely from a smartphone, this may be much more difficult to implement from a security perspective.
With a BYOD strategy, employees are given significant responsibility not only for the security of the devices, but also for the overall security of the company. This loss of control must be balanced by clear rules agreed between the employees and the employer. The BSI paper recommends that, with regard to the devices used, employees ensure that:
- current anti-virus programs are applied;
- all security patches are applied promptly;
- each device is used exclusively by the respective employee;
- access to the device is adequately protected (eg, by strong passwords); and
- all locally stored data is encrypted.
Further, according to the BSI guidance paper, the following additional obligations should be included in the agreement between the employees and the employer:
- An employee must report immediately if he or she loses a device or cannot locate a device for a certain period of time.
- The employer should clarify which applications should not be allowed to run on the device (eg, by providing a list on the intranet).
- Rooting or jailbreaking the device should be explicitly prohibited.
- The employer should determine which data employees can synchronise with other devices or services on the Internet – a strict separation of private and business data must be ensured.
- The employer should request consent to carry out automated scans of devices in the context of network access controls to verify compliance with security requirements.
- The employer must determine what to do about business data on devices when they are no longer used for business purposes or when an employee leaves the company.
In addition, the company should specify in the BYOD agreement that it will inform employees regularly of current threats to mobile devices and of the required security measures.
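The automated compliance scan mentioned above (a network access control check verifying that an enrolled device meets the agreed requirements) can be modelled as a posture check against the BSI checklist. The following is an added example, not code from the article or from the BSI paper: the device records are constructed sample data, and the numeric thresholds (seven days for anti-virus signatures, 30 days for patches, an eight-character passcode, the list of blocked applications) are assumptions, since the checklist speaks only of "current" programs and "promptly" applied patches.

```python
"""Device posture check modelled on the BSI BYOD checklist.

Added example, not from the original article or from the BSI paper. The
device records are constructed sample data, and the numeric thresholds are
assumptions: the checklist says "current" anti-virus and "promptly" applied
patches without fixing a number of days.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy values that turn the checklist into testable rules.
POLICY = {
    "allowed_platforms": {"ios", "android"},   # restriction of approved device types
    "max_av_signature_age_days": 7,            # "current anti-virus programs"
    "max_patch_age_days": 30,                  # "security patches applied promptly"
    "min_passcode_length": 8,                  # "adequately protected (eg, strong passwords)"
    "blocked_apps": {"rooting-toolkit"},       # the employer's list of disallowed applications
}

TODAY = date(2024, 6, 1)  # fixed reference date so the sample evaluates the same way every run


@dataclass
class DevicePosture:
    """What an automated NAC scan would report back about one enrolled device."""
    device_id: str
    platform: str
    av_signature_date: date
    last_patch_date: date
    encrypted_storage: bool
    rooted_or_jailbroken: bool
    passcode_length: int
    installed_apps: set = field(default_factory=set)


# Constructed sample inventory: one compliant, one lapsed, one rooted device.
SAMPLE_DEVICES = [
    DevicePosture("phone-a", "ios", date(2024, 5, 30), date(2024, 5, 15), True, False, 10, {"mail"}),
    DevicePosture("phone-b", "android", date(2024, 5, 10), date(2024, 3, 1), False, False, 4, set()),
    DevicePosture("phone-c", "android", date(2024, 5, 31), date(2024, 5, 20), True, True, 12, {"rooting-toolkit"}),
]


def evaluate(device, policy=POLICY, today=TODAY):
    """Return the list of checklist violations for one device; empty means compliant."""
    violations = []
    if device.platform not in policy["allowed_platforms"]:
        violations.append(f"platform {device.platform} not approved")
    if (today - device.av_signature_date).days > policy["max_av_signature_age_days"]:
        violations.append("anti-virus signatures out of date")
    if (today - device.last_patch_date).days > policy["max_patch_age_days"]:
        violations.append("security patches overdue")
    if not device.encrypted_storage:
        violations.append("local storage not encrypted")
    if device.rooted_or_jailbroken:
        violations.append("device is rooted or jailbroken")
    if device.passcode_length < policy["min_passcode_length"]:
        violations.append("device passcode too short")
    blocked = device.installed_apps & policy["blocked_apps"]
    if blocked:
        violations.append("blocked applications installed: " + ", ".join(sorted(blocked)))
    return violations


def access_decision(device, policy=POLICY, today=TODAY):
    """Map findings to a network access outcome: a rooted or jailbroken device is
    denied, any other finding quarantines the device until it is remediated."""
    violations = evaluate(device, policy, today)
    if not violations:
        return "allow"
    if device.rooted_or_jailbroken:
        return "deny"
    return "quarantine"


def compliance_report(devices=SAMPLE_DEVICES):
    """Decision per device id, the form an NAC enforcement point would consume."""
    return {d.device_id: access_decision(d) for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, access_decision(d), evaluate(d))
```

The split between "deny" and "quarantine" reflects the checklist's own emphasis: a rooted or jailbroken device defeats the other controls, so it is refused outright, whereas an out-of-date signature set or an overdue patch is a remediable finding that the employee can fix before access is restored.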
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
Separation and access
It is recommended that companies use certain software tools (known as ‘container software’) that enable the storage of company information in an encrypted container on the employee’s device to ensure the separation of professional data and an employee’s private data. This approach will also enable the employer to access company information and install security software to the extent required to protect company information while not accessing the employee’s private files.
The employer will be considered to be the owner of all company-related information stored on the device and is also responsible for implementing appropriate security measures to protect that information.
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
In case of a security breach, German law sets out a comprehensive data breach notification regime. Depending on the type of data compromised and whether a number of additional requirements are met, the employer may be responsible for notifying both the individuals concerned and the competent data protection authority. The employee will not be liable under this regime, but may bear some responsibility under the individual agreement with the employer, such as a duty to inform the employer if the device is lost or damaged.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
German data protection law requires that the employee sign a specific confidentiality agreement relating to personal data processing at the time of hiring. The duties under this agreement continue to exist after termination of the employment relationship. Template confidentiality agreements are available on the websites of the state data protection authorities.
If the employer has implemented a mobile device management solution and a secured separate sandbox using container software to separate the employee’s private files from company information, the employer should be in a position to easily delete the information in the sandbox when the employee leaves the company, to prevent the employee from retaining company information. This approach should also ensure that the employee's personal data is safeguarded during this process, as it is not mixed with company information.
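The container approach described under "Separation and access" above, and the selective wipe on departure described here, can be illustrated in one model. The following is an added example, not code from the article and not any vendor's product: business data is written only into a container encrypted under a key that the employer's mobile device management (MDM) controls, personal files stay outside it in the clear, and offboarding deletes the container and destroys its key. The cipher is a toy HMAC-SHA256 keystream so that the example runs on the standard library alone (a real product would use an authenticated cipher such as AES-GCM); the file names and contents are constructed sample data, and the class and function names are this example's own.

```python
"""Work/personal data separation with an encrypted container and selective wipe.

Added example, not from the original article and not any vendor's product
code. Business data goes only into a container encrypted under a key the
employer's MDM controls; personal files stay outside it in the clear.
Offboarding deletes the container and destroys its key, so personal data is
untouched while any stray copy of the container becomes unreadable. The
cipher is a toy HMAC-SHA256 keystream so the example runs on the standard
library alone; a real product would use an authenticated cipher such as
AES-GCM. File names and contents are constructed sample data.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with successive HMAC-SHA256(key, nonce||counter)
    blocks. Symmetric, so the same call encrypts and decrypts. Not for production."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Device:
    """Employee-owned device with a personal area and an employer-managed container."""

    def __init__(self):
        self.personal_files = {}              # plaintext, the employee's own data
        self.container = {}                   # name -> (nonce, ciphertext), business data only
        self.container_key = os.urandom(32)   # provisioned by the MDM, never stored with the data

    def save_personal(self, name: str, data: bytes) -> None:
        self.personal_files[name] = data

    def save_business(self, name: str, data: bytes) -> None:
        nonce = os.urandom(16)
        self.container[name] = (nonce, keystream_xor(self.container_key, nonce, data))

    def read_business(self, name: str) -> bytes:
        if self.container_key is None:
            raise PermissionError("container key has been destroyed")
        nonce, ciphertext = self.container[name]
        return keystream_xor(self.container_key, nonce, ciphertext)

    def employer_visible_files(self):
        """The employer's management view: container entries only, never personal files."""
        return sorted(self.container)

    def offboard(self) -> None:
        """Selective wipe on departure: drop the container and its key, keep personal files."""
        self.container.clear()
        self.container_key = None


def offboarding_demo():
    """Run the departure scenario and return what each party can still access."""
    device = Device()
    device.save_personal("holiday.jpg", b"constructed personal photo bytes")
    device.save_business("contract.pdf", b"constructed confidential contract")

    # A copy of the container taken before offboarding (eg, an old device backup).
    stray_copy = dict(device.container)
    visible_before = device.employer_visible_files()

    device.offboard()

    try:
        device.read_business("contract.pdf")
        business_readable = True
    except (PermissionError, KeyError):
        business_readable = False

    # Without the destroyed key the stray copy is only ciphertext; a wrong key yields garbage.
    nonce, ciphertext = stray_copy["contract.pdf"]
    guess = keystream_xor(os.urandom(32), nonce, ciphertext)

    return {
        "employer_saw_personal_files": "holiday.jpg" in visible_before,
        "personal_intact": device.personal_files["holiday.jpg"] == b"constructed personal photo bytes",
        "container_empty": device.container == {},
        "business_readable_after_wipe": business_readable,
        "stray_copy_recovered": guess == b"constructed confidential contract",
    }


if __name__ == "__main__":
    for check, value in offboarding_demo().items():
        print(f"{check}: {value}")
```

Two design points carry the legal requirements into the mechanism: the employer's management view enumerates only the container, so private files are never exposed to it, and the wipe destroys the key as well as the container, so business data that escaped into a backup before departure stays unreadable without having to find and delete every copy.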