After comprehensive amendments to the German Federal Data Privacy Protection Act (Bundesdatenschutzgesetz, BDSG) last year, employee data privacy protection is now expected to be regulated in detail by way of special provisions. On August 25, the Cabinet passed a comprehensive bill; currently the Federal Council (Bundesrat) is dealing with the issue but significant changes from the Cabinet version are not expected. Until now employee data privacy protection law has been fragmented among a large number of individual provisions and laws and further developed in a variety of court decisions. However, there continues to be considerable legal uncertainty in terms of dealing with employee data and a lot of issues remain unclear. That is why current law is predominantly deemed inadequate, based—among other things—on a number of employer spying scandals at major German commercial enterprises.
A brief overview follows, discussing the most important changes that in all probability will soon become mandatory federal law.
- Surveillance of business premises primarily used by employees for matters that have to do with their own lives (sanitary facilities, changing rooms and bedrooms) will be categorically prohibited.
- Covert video surveillance will only be permitted if there are actual clues and grounds for suspicion of crimes or serious breaches of contract. Hence, routine deployment of covert video surveillance will be prohibited.
- Open video surveillance - for example at company entrances or for quality control purposes - will be allowed "in as far as it is necessary for safeguarding important business interests", if it is not contrary to employees' interests and if employees are made aware of the camera.
The new law further provides for regulation of GPS surveillance as follows:
- Employers are permitted to track the location of an employee during working hours and time spent on standby duty only, that is, not during time off or leave. If employees are permitted to use their company car, for example, for private purposes, GPS tracking of their location will not be permitted during the private use. Even the collection, use and processing of data during working hours and time spent on standby duty will not be permissible unless this is necessary for operational reasons, e.g., when the employee is transporting valuable papers and the employer therefore has a considerable interest in continuously tracking the location of its property.
- Secretly tracking the location of employees is not permissible. In order to provide the required transparency for employees, employers have to make the deployment of a positioning system recognizable and must inform employees of the manner in which the positioning data is used.
Use of Telephone, E-mail, and Internet
The monitoring of an e-mail inbox will only be possible if private use is prohibited, if this is known to employees, and if monitoring is indispensable for carrying out business operations in due manner. Other than this change, the new law does not include a special regulation regarding private use of telecommunication means, so aside from the change regarding e-mail, the current legal requirements continue to apply:
- If employees are permitted to use the employer’s telecommunications systems for business use only, employers are entitled to monitor communication to the degree required, for example, for monitoring of performance and conduct. However, the legitimate protectable interests of employees must always be observed.
- Surveillance of private communication is permitted in rare cases only. Serious suspicion (for example, of industrial spying) and the lack of any other possibility of clarification are required in this respect.
Use of Social Networks
The bill also provides for restrictions on employers regarding the use of so-called "social networks". In the context of a selection/application procedure, applicant data gained from social networks may only be used if these networks are for the purpose of "describing the professional qualification".
That means that generally employers may not collect data from social networks like Facebook because this data primarily serves social communication and not professional development. This may well be different in the case of data from networks like LinkedIn that are designed exactly for the purpose of describing professional qualifications. Details in this respect will have to be clarified by the courts.
Health Examinations and Suitability Tests
Health checks and suitability tests will only be permitted if they are necessary to scrutinize an employee's suitability either because there are actual doubts about their ongoing suitability, or because a change of their function or workplace is intended. Health examinations may only be carried out by doctors and are only permissible if meeting special health requirements is an essential and decisive job requirement.
Prevention of Corruption/Implementation of Compliance Requirements
Employee data already in the employer's possession may only be compared with other data in its possession (“data replication”) if this comparison is for the detection of criminal offences or other serious breaches of duty committed by the employee. The bill provides for strict requirements for use of such data relating to the prevention of corruption and compliance, as follows:
- Initially, the comparison must be made in a way that preserves employee anonymity.
- The data may only be “personalized” (i.e., may only allow personal identification of the individuals concerned) if such comparison on an anonymous basis gives rise to suspicion of a criminal offence or a serious breach of duty.
- Another prerequisite is that the criminal offence or the serious breach of duty must have been perpetrated in connection with the employment relationship.
Penalties for Employer Violations
Depending on the circumstances, breaches of data privacy protection provisions can be punished as administrative offences or criminal offences.
- Administrative offence: Impermissible covert video surveillance of an employee can be punished as an administrative offence carrying a monetary fine of up to €300,000.
- Criminal offence: If liability for unjust enrichment or losses exists, a criminal offence can be shown to exist, with a penalty of imprisonment for up to two years or a monetary fine.