A company used a keylogger software to secretly monitor how the employees used their computers. The keylogger software tracked all key strokes and made screen shots of computer screens in certain intervals. The company did not have any specific and documented suspicion of wrongdoing against one or more of its employees but used the software for the purpose of monitoring internet traffic as such as well as the general computer usage of its employees. The company informed its employees of this practice.

Based on the information gathered by the keylogger software, the company determined that an employee made excessive personal use of the internet during working hours. The company terminated the employment relationship based and relying on the facts gathered by the keylogger software. The employee challenged this decision in court.

In its judgment deciding about the lawfulness of the dismissal, the German Federal Labor Court (BAG) held on 27 July 2017 (File Record 2 AZR 681/16 – as of today, only the press release is available) that:

  1. The installation and usage of the keylogger software violated German data protection law and the employee’s constitutional right of informational self-determination. In particular, Section 32 (1) sentence 2 German Federal Data Protection Act (“FDPA”) could not justify the collection, processing and use of the employee’s personal data via the keylogger software. Section 32 (1) sentence 2 FDPA permits the collection, processing and use of employee data if (i) factual and documented indications lead to the suspicion that the employee committed a criminal offence in the course of the employment relationship, (ii) the collection, processing and use is necessary for the investigation of the criminal offence, and (iii) the legitimate interest of the employee in not being subject to such data collection, processing and use does not prevail, in particular form and extent must not be disproportionate with regard to the cause.
  2. However, the BAG held that Section 32 (1) sentence 2 FDPA must be interpreted broadly to apply not only to suspected criminal offences but also to suspected serious violations of a contractual duty. In the case at hand, the company did not have any factual and documented indications before using the tracking software that would have resulted in a sufficiently specific suspicion that the employee was in serious breach of his contractual duties. As such, the conditions of Section 32 (1) sentence 2 FDPA were not satisfied.
  3. As the company obtained the facts proving the extensive personal use of the internet unlawfully, the employee’s constitutional right of informational self-determination (Art. 2 (1) in conjunction with Art. 1 (1) German Constitution) required that the evidence was not admissible court.

The BAG therefore held that the company did not have good cause to terminate the employment relationship.

Conclusion

This decision of the BAG is relevant for two reasons:

  1. The BAG held that the very strict monitoring requirements imposed by Section 32 (1) sentence 2 FDPA, requiring amongst others a factual and documented indication for an employee’s wrongdoing, does not only apply if an employee is suspected of having committed a crime relating to the employment but also if the employee is suspected of having committed a serious breach of contractual duty. It is unclear whether these strict requirements of Section 32 (1) sentence 2 FDPA shall also apply if the employee is suspected of having committed a less serious violation of a contractual duty. Until this question is clarified by case law, any investigation into an employee’s wrongdoing must pass Section 32 (1) sentence 2 FPDA, and the employer should not rely on the lower bar of Section 32 (1) sentence 1 for potential wrongdoings below a suspected crime / serious breach of duty. As the new FDPA, which will come into effect on 25 May 2018, will retain the concept and wording of Section 32 (1) sentence 2 FDPA (in the future governed in Section 26 (1) sentence 2 FDPA-new), we do not expect that this broad interpretation and application will change (also see Schmidl/Tannen, Der Betrieb, 2017/1633).
  2. The BAG held that evidence gathered in violation of German data protection law are not admissible in court.

Further details on the court’s reasoning will be available once the BAG publishes the full text of the court decision.