Companies can transfer their IT environment to external providers through cloud computing. The outsourced hardware or software is then no longer located on the company's own computer or in the company data centre, but rather on the Internet – metaphorically speaking, in 'the cloud'. The great benefit of cloud outsourcing is the flexibility and cost savings it offers companies, which use and pay for IT applications only as needed. Acquisition costs no longer arise and no IT support employees need be engaged. From an employer's perspective, cloud computing offers a host of new possibilities in the day-to-day running of a company. However, certain legal aspects should be taken into account.
Presence monitoring and time recording
Cloud computing opens up new technical possibilities for presence monitoring and time recording. The installation of local time-recording systems becomes superfluous since, through the use of the relevant cloud application, such time recording can be done over the Internet. As soon as employees turn their computer on or off, this can be recorded automatically. The same applies for longer periods of absence. These are also registered through non-use of the computer. The employer can thus monitor employees' work hours independently of their location.
At many companies, the electronic personnel file replaced the paper file long ago. Human resources departments scan and electronically record the relevant documents and place them on file. However, such data need not be maintained in the storage space of the company, but rather can be filed in the cloud.
Cloud computing can also be of great benefit in relation to payroll accounting. Companies whose payroll accounting is carried out by external accounting centres can use share points (ie, joint internet-based platforms) for effective cooperation. The company can enter the relevant employee data there and the external accounting centre can access that data in order to complete the payroll.
In the vision of cloud computing providers, the office of the future will be equipped only with remote internet access. Computers will no longer be provided by employers; rather, employees will bring their own computers to work with them. Employees will connect their computers with the Internet, on which they have access to all company data and the share points which they need for their work. Working from home will also be substantially simplified.
Employers in Germany in general have the right to decide autonomously on the use of their work materials. Within the scope of an employee's work, employers have the authority to direct the use of new IT technologies and thus the use of cloud applications. Nevertheless, employers must comply with employment and data protection requirements when introducing cloud applications.
Data protection law
If cloud applications are implemented in connection with personnel, this will involve use and processing of personal employee data within the meaning of the Federal Data Protection Act. To ensure compliance with the data protection requirements, the employer remains responsible even if the company procures the cloud applications from an external third party.
The employer may transfer employee data to cloud providers only by entering into a contract data-processing agreement with the cloud provider which meets the requirements of Section 11 of the act. It is important that such a contract permits the use and processing of employee data only in Germany and within the European Economic Area (EEA). However, in connection with cloud computing, data is processed and stored across the world. Therefore, in the case of a data transfer in countries outside the EEA, it must be ensured that there is an adequate level of data protection in such countries. This has been thus far confirmed for Switzerland, Canada, Argentina, Guernsey, the Isle of Man, Jersey, Andorra, the Faroe Islands and Israel. For cloud providers with data centres in other countries, an adequate data protection level can be reached by stipulating the application of the standard contract clauses of the European Union. Cloud providers which process data in the United States can ensure an adequate data protection level by agreeing to comply with the 'safe harbour' provisions negotiated between the European Union and the United States.
Before the introduction of cloud applications, employers would be well advised to consider carefully the issue of (international) transfers of personal employee data and to enter into appropriate arrangements with the cloud provider. If necessary, the transfer must be restricted to the territory of the EEA. Otherwise, companies may not only be exposed to significant legal consequences (eg, administrative and monetary fines), but also suffer substantial damage to their reputation.
Employers are also required to choose the cloud provider carefully and monitor its performance. In addition, employers must timely inform the data protection officer of their plans before the introduction of the cloud applications.
Works constitution law
Where a works council exists at a company, if cloud applications are introduced, co-determination rights under works constitution law must be observed. The works council must co-determine the "introduction and application of technical equipment having the purpose of monitoring the conduct and performance of the employees" (Section 87(1)(6) of the Works Constitution Act). The works council can therefore engage in co-determination not only in the introduction of cloud-based time recording and presence monitoring, but also for every cloud application which records employee data and which can process data into observations on the conduct and/or performance of employees. This is likely to be the case for many – if not all – cloud applications, since such use is documented.
The works council must be involved as soon as the employer has decided to introduce cloud applications. It may then participate in the discussions as to whether such applications will be introduced, as well as on the details of their implementation (eg, providers, date of introduction and changed work processes). For this purpose, the employer must submit the relevant planning documents. As a rule, this co-determination procedure is completed through a works agreement on the introduction and use of the relevant cloud applications. Since experience shows that the introduction of new technologies leads to a substantial need for information on the works council side, the employer should factor in a certain period of time prior to the introduction of the cloud application and inform the works council as soon as possible.
In connection with the transfer of documents into the cloud, statutory or collective bargaining form requirements should not be overlooked. Certain documents can be scanned and data can be introduced in digitised form in the respective cloud application, but must also be stored in parallel in the original. This applies in particular to fixed-term employment contracts and termination agreements, which are both subject to statutory written form requirements. Generally, no paper documents should be destroyed without review, since scanned documents have less evidential value before a court than documents submitted in the original.
Finally, employee data which is digitised in cloud applications should be treated confidentially and kept securely. This involves restricting the sphere of persons having access rights and permitting access only to trustworthy persons. The trustworthiness of such persons should be checked at the time of engagement within the permissible scope of a background check. If, in an international corporate group, employees from another country are to have access to data relating to employees in Germany, these employees are external third parties and the relevant data protection provisions must be complied with.
Cloud computing offers new technical possibilities in the work environment which are appealing with regard to costs and flexibility aspects. Further technical developments will also lead to an increasing number of IT applications being cloud-based. However, in the course of implementation, employment data protection regulations and co-determination rights may not be disregarded. This also applies where the new technology is merely replacing previous IT applications.
For further information on this topic please contact Bjoern Gaul, Nina Hartmann, Bernd Roock or Eckhard Schmid at CMS Hasche Sigle by telephone (+49 89 238 07 318), fax (+49 89 238 07 40 817) or email ([email protected], [email protected], [email protected] or [email protected]).