Although there is no German law specifically prohibiting monitoring or reading of employee emails, the German Federal Data Protection Act (Bundesdatenschutzgesetz – hereinafter “BDSG”) as well as the German Telecommunication Act (Telekommunikationsgesetz – hereinafter “TKG”) impose restrictions and strict requirements on the monitoring or reading of emails within an employment relationship.
The monitoring of emails is an area where the employer’s interest in properly managing its business may conflict with employees’ privacy interests. The German legal situation on email monitoring is rather complex, primarily because the TKG, which was enacted to control the interceptions of communications sent via third-party service providers also applies to employers intercepting and monitoring employees’ communications.
In cases where the employer allows the use by the employee of its corporate email account for private purposes (or does not prevent such use although knowing of it), the employer becomes a telecommunication service provider under the TKG with the effect that the employer is bound to the strict telecommunication secrecy provided by it. Pursuant to the TKG, the employer, like any other third party telecommunication provider, is not entitled to intercept communication of its “customer” the employee, unless (i) the employee has explicitly consented to the specific intercepting measure or, (ii) there is a compelling and documented suspicion that the employee has committed a criminal offense and the purpose is to investigate such potential criminal offense.
There are some legal experts in Germany who hold a different view. They argue that telecommunications secrecy does not apply from the moment the telecommunication process is over, i.e. the email has been received by the addressee and a copy of the email has been stored on the employee's device or on the company server (this view has been shared by the German Constitutional Court (Bundesverfassungsgericht) in its decision 2 BvR 2099/04 dated 2 March 2006). However, the discussion of this approach has just started and a conclusive result has not yet been achieved.
Monitoring and/or reading of employees’ emails is also considered to be processing of "personal data" within the meaning of the German Data Protection Act (Bundesdatenschutzgesetz - hereinafter “BDSG”). As a basic requirement under the BDSG, the employer must:
- specify a concrete purpose prior to any handling of personal data;
- collect as little data as possible in view of such purpose; and
- inform the employees about the handling of their personal data.
In addition, pursuant to Sec. 32 BDSG, the collection, processing and use by the employer of personal data of an employee is only permissible if: (1) the processing of data is effected only for purposes of performing or terminating the employment relationship; or (2) with the employee’s prior consent; or (3) to uncover a criminal offense, provided that:
- there are documented indications substantiating a suspicion that the employee has committed a criminal offense in the context of the employment,
- the collection, processing and use of the data is necessary for the investigation, and
- the type and scope of the collection, processing and use of the data is proportional to the employee's legitimate interest for privacy and the circumstances of the investigation.
It is widely recognized that the prevention of the dissemination of business secrets is part of the performance of the employment relationship, but that to allow the employer to engage in the monitoring of the employee’s email account, the employer must comply with the basic principles of the BDSG set forth above, i.e. the scope of the email monitoring must be limited to the extent necessary to the permitted purpose.