Like English law (considered here), German law places certain limitations on monitoring of employees. For example, video surveillance of a company’s premises must take the privacy rights of the employee into account, which means full surveillance of individuals is not permitted. In addition, covert monitoring measures are generally prohibited as a matter of principle. This also applies to the monitoring of a company’s IT infrastructure. In some cases, exceptions may apply. A number of recent cases about employee monitoring received nationwide media attention in Germany. Employers should be aware of basic principles of applicable data protection law and apply diligence when conducting monitoring measures, not only in order to ensure compliance with the law but also to avoid negative publicity.
German case law holds that monitoring by means of video surveillance is generally allowed as long as the principle of proportionality is respected. This requires the employer to assess, prior to implementation: which areas should be monitored; whether the monitoring is appropriate both in terms of how it is carried out and its duration; and how this might affect the privacy rights of employees. It is also important to take into account whether monitoring is necessary as a result of specific past incidents or whether it is implemented as a generic policy.
For a company wanting to monitor its IT infrastructure and email accounts in Germany, the implementation of suitable IT policies is crucial. As part of this process, it is especially important to provide rules on the degree of permitted private use of the company’s IT infrastructure. These can also cover the use of regular checks on whether an employee complies with a partial or complete prohibition on private use. If no rules are set out by the employer and private use is tolerated over a certain period of time, the employee may, in accordance with German case law, acquire the right to such use. If this happens, monitoring for IT security purposes that requires access to emails or the retention of log files may have legal implications. If an employer is held to be supplying an IT infrastructure to employees, the employer may be treated as offering telecommunications services. As a consequence, the requirement for secrecy of telecommunications could apply to an employee communication. A “violation”, e.g. due to accessing emails, even solely business-related ones, may lead to criminal liability for the employer. According to German case law, however, this risk exists solely for details of employee communications which are not stored locally on an employee’s device, because for communications stored locally it is assumed that the “telecommunication” has ended.