Sharing personal and work-related information on social media sites has become a prevalent practice for many employees nowadays. Likewise, social media is also used by employers as a platform to connect with the public (e.g. for employer branding and in recruitment) and to communicate within the workforce.
However, both sides should be aware that the use of social media sites may potentially pose threats. Employees may share information about the employer which may lead to a breach of their confidentiality obligations. Social media sites have always been a popular platform for employees to taunt or attack co-workers against whom they have a grudge, which may lead to unlawful behavior for which the employer may in some instances be held vicariously liable. It is also not uncommon for employees to make derogatory statements about their employer in social media posts which can turn into negative publicity for the company and damage its reputation.
To cushion the blow of any risks arising from social media misuse, it has become common practice for employers to put in place a social media policy which sets out guidelines for the acceptable and unacceptable use of social media by employees. Implementation of a suitably drafted social media policy will help protect employers’ interest against potential legal liabilities and reputational damage arising from employees’ misuse of social media.
However, the monitoring of social media behavior linked to the implementation of such policies almost inevitably leads to the collection of personal data of employees. To manage the risks of employees’ social media misuse as well as the risks of having adopted an unlawful monitoring practice, employers should assess the appropriateness of personal data collection. The legal grounds for the introduction of such policies in Germany are the right of the employer to give instruction (Direktionsrecht des Arbeitgebers) and bilateral works agreements. In any case, these policies must comply with the data protection rules in place. In Germany, this is the Federal Data Protection Act (Bundesdatenschutzgesetz). However, national data protection laws will be replaced by the newly adopted European Data Protection Regulation (GDPR). As of May 2018, the GDPR will be directly applicable in every EU Member State, without the necessity for national implementing laws. The Regulation contains many key changes, that employers need to observe when drafting social media policies. While the current fragmentation of national data protection laws is mitigated by the GDPR’s direct applicability across the EU, non-compliance will lead to heavier sanctions in the future. The revised enforcement regime is underpinned by power for regulators to levy financial sanctions of up to 4% of the annual worldwide turnover of the organization. The GDPR will also be applicable in cross-border transfers of employee data. Employers will have increased responsibility and accountability on how they control and process personal employee data. This is in particular true for the lawful grounds for processing personal data. Historically many employers have relied on consent as the basis for processing but this has always been problematic in the employment arena due to concerns over the impact of the imbalance in bargaining power on the validity of the consent. Aside from consent, the other grounds relevant to the processing of employee data include that processing is necessary (a) for the legitimate interests of the controller or a third party – unless those interests are overridden by the rights or interests of the data subject (i.e. the employee), (b) for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract or (c) for compliance with a legal obligation.
Against this changing background, many employers will need to revisit their approach to social media and data protection and adopt a brand new culture in relation to data processing, including the implementation of comprehensive policies and procedures. Critically, employers will need to audit the data which they currently process and scrutinize the reasons for doing so, and the grounds on which they believe this is currently lawful. They will then need to assess whether this still applies under the new regime and what remedial measures they may need to put in place.