On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior. A background paper on the draft law was published on August 25, 2010. The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context. Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.
The draft law covers nine key subject areas:
Employer Internet Searches: Employers may use public information found through web searches, but may only use information from social networks if the networking platform is intended to present professional qualifications.
Medical Exams: Medical assessments are permitted only as necessary to determine whether an employee can fulfill job requirements.
Automated Data Scanning: Allowed in anonymized or pseudonymized form to detect criminal activity or other serious violations. If unauthorized activity is suspected, data may be associated with specific individuals. Employers must document the circumstances of the screening, and inform the relevant employee after the screening.
CCTV: Covert monitoring is prohibited. CCTV may be used only if employees receive proper notice, and only in particular areas or for certain reasons (e.g., quality control, security of facilities or entrance). No monitoring of locker rooms or similar locations is permitted.
Tracking: Collection of employee data via tracking systems (e.g., GPS) is only allowed during working hours, and only if the tracking serves to ensure employee safety or is used to coordinate the work force (e.g., transport companies). Covert tracking of employees is prohibited.
Biometric Data: Such data may be collected, processed or used only for authorization and authentication purposes when there are no prevailing employee protection considerations. Photographs of employees may be used for other purposes if the employee has provided consent.
Telephone, Internet and Email Monitoring: If a company allows employees to use telecommunications services for business purposes only, the draft law distinguishes between employer monitoring of phone calls and employer monitoring of email and Internet use.
The draft law allows traffic and content data from email and Internet use to be collected, processed, and used, where necessary to (1) ensure the orderly functioning of the telecommunications network and services, (2) promote data security, (3) facilitate billing, and (4) occasionally monitor performance and behavior, but only if there is no overriding employee privacy interest. With respect to occasional monitoring for performance and behavior control purposes, and associating data with a specific employee, the affected employee must be notified of the monitoring as soon as such notice would not adversely impact the purpose of the processing or use.
Telephone calls may be monitored only where there is a legitimate employer interest, and if the employee and the other party to the communication have been informed about, and have consented to, the monitoring. If making telephone calls is one of the employee’s primary job functions (e.g., call center agents), monitoring is permitted for occasional checks without specific notice to the employee, provided general notice regarding monitoring has been provided beforehand and the other party to the communication is informed and consents to the monitoring. Afterward, the employer must notify the employee without undue delay of the collection, processing and use of the phone data.
The draft law does not regulate or provide clarification regarding monitoring in cases where the employer expressly or implicitly allows for private use of telecommunications services by employees.
Works Council Agreements: Companies still may enter into works council agreements, but such agreements must not compromise the level of protection provided by law.
Security Breach Notification: Employers must notify affected employees if it is determined that employee data has been unlawfully disclosed to a third party. In the event of a serious threat to the rights or protected interests of an employee, the employer must also notify the competent data protection authority.
The approved draft law now goes before the German Parliament, where it is expected to undergo further discussions and may be amended. The first reading is expected in November 2010, leaving open the possibility that the law may be passed this year.