In 2009, the German public was shaken by several scandals that revealed a number of international companies systematically, continuously and comprehensively monitored their employees’ personal data. This included spying on employees’ private bank accounts and secretly observing employees in their offices via hidden video surveillance.
Even though the general Federal Data Protection Act (the BDSG) was effective at the time, the German Government came to the welcome conclusion that it was necessary to implement a data protection act dedicated to the particularly sensitive relationship between employers and employees, with the primary objective of protecting employees and their right to privacy.
A new provision, Section 32 BDSG that was meant to be temporary, was enacted with haste. Despite being incomplete, it is still the only statutory standard according to which the legitimacy of any monitoring measure undertaken in an employment relationship is evaluated.
Pursuant to Section 32 BDSG, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract. “Personal data” means any information concerning the personal or material circumstances of a person, in this case the employee.
Section 32 BDSG is the only provision that governs the question whether or not and— if the answer is yes—under what circumstances and to what extent the employer can monitor legally its employees’ business e-mail account.
Informed Written Consent
Besides Section 32 BDSG, and as a result of the employee’s fundamental right to make decisions relating to his or her personal data, such data can also be used legally with the employee’s express consent. According to Section 4a, the consent has to be in writing and must be based on the employee’s freely made decision while being fully informed of the purpose of the collection, processing or use of the data and the consequences of withholding consent.
Although it is not uncommon in German employment contracts to include a provision containing the employee’s general consent to any kind of data collection, processing and use, it is doubtful that such general and unspecified consent (in terms of scope and purpose) in standard terms is in accordance with the prerequisites set out in Section 4a BDSG. Moreover, even if effective consent is granted, it is revocable by the employee at any time.
The crucial distinction that has to be made in order to assess the legitimacy of e-mail monitoring under Section 32 BDSG is whether or not the employer allows the use of the business e-mail system by its employees for private communications.
Private use prohibited
If the employer prohibits any private use of the business e-mail system it is—as a general rule—legal for the employer to monitor all e-mail correspondence. Just as traditional hard copy letters are business correspondence, e-mail correspondence is seen as business correspondence and therefore cannot be considered “personal data”. As a result, the application of the BDSG and the protection it affords to employees is not triggered. The employer may save connection data (such as date, time and data volume) and the e-mail addresses of the sender and the recipient, as well as access and save the content of all e-mails (content data) received and sent via the business account. An exception applies to cases of obvious private use of the business e-mail system, even if private use is prohibited. If an e-mail is marked as “private” by the employee or contains obviously private material (an indication of which could be a subject heading “personal”, “confidential”, “your doctor’s appointment”, “holiday pictures”, etc.) the employer may neither access nor save those private e-mails because the utilisation of such private data is not necessary for the establishment, carrying out or termination of an employment relationship under Section 32 BDSG.
Private Use Allowed or Accepted
If an employer allows the private use of the business e-mail system (joint e-mail address), it is prohibited from either saving or accessing connection data and content data. Significantly, this applies to private e-mails as well as to business e-mails. Access is prohibited to not only the content of the private e-mails, but also to the account itself as this would make available private information relating to the e-mail, such as the date and time it was sent, the subject heading and, most important, the person the employee is communicating with, or at least his or her e-mail address. As a consequence, the employer would not be able to access the employee’s account for any purpose, even in order to select business e-mails from private e-mails.
These strict standards apply not only if private use of the system is allowed expressly, but also if the employer accepts private use of the e-mail system implicitly. If, however, the employer allows the private use of the business e-mail system, but provides an e-mail account and address separate from the business account, the business account can be monitored fully, as it can be if private use was prohibited, whereas monitoring of the separate private account is strictly prohibited.
There is some controversy over whether or not the use of a business e-mail system is covered and protected by the secrecy obligation enshrined in the German Telecommunications Act (Telekommunikationsgesetz, or TKG). Because the protection of the TKG ends with the completion of the data transmission process, however, it is the BDSG that governs the legitimacy of any monitoring measure taken after the e-mail is received into the employee’s business e-mail account.
Monitoring to Investigate Crimes
Section 32 BDSG provides another reason for the lawful collection, processing and use of personal data, even if private use is allowed or accepted. The employer may take monitoring measures in order to reveal criminal conduct by its employee under the following statutory conditions:
- There must be a documented reason to believe the data subject has committed a crime while employed (in the framework of the employment relationship).
- The collection, processing or use of personal data is necessary to investigate the crime.
- The employee does not have an overriding legitimate interest in ruling out the possibility of collection, processing or use of the data if the type and extent of the collection, processing or use is not disproportionate to the reason.
The standard of sufficient evidence needed to trigger e-mail monitoring is very strict. There must first be concrete evidence that a crime has been committed. There must also be a tangible suspicion with regard to one specific employee—or at least with regard to a limited group of employees— and only those people can be monitored. Under no circumstances is companywide monitoring of e-mail accounts of all employees permissible.
The assessment of legitimacy of e-mail monitoring in these circumstances has to be made on a case-by-case basis. This makes it difficult for the employer to legitimately take the decision to investigate crimes by monitoring e-mails. Other than in very clear-cut cases, a residual risk of violating the BDSG remains.
To reduce the risk of violating the BDSG, an employer should
- Prohibit the private use of the business e-mail system
- Provide a separate private e-mail account if private use is allowed
- Obtain valid consent from the employee for the specific monitoring measures the employer intends to take.