The new regulations regarding employee data protection as of September 1, 2009

Directors and managers are in danger of being personally liable if they do not take suitable measures to ensure compliance, especially to avoid corruption and other economic crimes. Furthermore, companies risk fines in the millions. The latest so-called data protection scandals show that the companies are legally treading on thin ice regarding the choice and implementation of these measures.

This publication should give an initial overview of possible consequences on practical compliance work which can arise due to the legislator’s fortified employee protection in the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

In companies, infringements of laws can be existence-threatening: claims for compensation in the millions, punitive damages, fines as well as additional tax demands domestically and abroad, massive damages of reputation – all these can be consequences of employees’ illegal conduct. Scandals such as the ones at Volkswagen and Siemens have evidenced that. For this reason the subject of compliance is becoming more important in companies. These include organizational measures, which ensure that all legal rules and prohibitions in companies can be obeyed.

Strict rules are also in force for the avoidance and pursuit of economic crimes. Companies must observe the statutory protection of data pertaining to their employees’ personal data in regards to compliance audits and internal investigations. If they do not abide by these regulations this can in turn lead to penalties, administrative fines, compensation and damage to reputation. The amended version of the Federal Data Protection Act (Bundesdatenschutzgesetzes, BDSG) leads to a tightening of the data protection limits in practical compliance work.

The Conflicting Demands between Compliance and Employee Data Protection

On July 3, 2009 the German Federal Parliament (Deutscher Bundestag) passed an Amendment to the BDSG. The bill passed the German Federal Council (Deutscher Bundesrat) unchanged on July 10, 2009. The Amendment of the Act will lead to a tightening of the employee data protection as of September 1, 2009. Hereby, the legislator is reacting to the so-called “snitch” scandals in large German companies, as, for example, Lidl, Telekom, Deutsche Bahn and lastly Deutsche Bank, which were fiercely criticized in public. One aspect is nearly always overlooked in the discussions on this topic: companies conduct internal investigations and other measures in order to prevent and pursue economic crime. Companies, as well as managers are required by law to do this.

The regulations regarding the protection of employee data, which were applicable hitherto already made it difficult for companies to effectively conduct permissible investigations. Even experts declared the old data protection laws to be unclear and barely understandable. Furthermore, it did not contain many usable and clear specifications in regards to what was permissible and what was prohibited. References to the necessary balance of different interests provided little help as they gave no help in interpretation. Specialists were needed to interpret these – but even they were unable to agree upon the interpretation of individual provisions regarding employee data protection in the BDSG. The new regulations did not eliminate the existing uncertainties. In view of the public discussion regarding data protection scandals the legislator did not take the opportunity to provide companies and employees with clear guidelines which reflect the interests of all involved and state what is permissible and what is prohibited.

The new Employee Data Protection Law

The new Section 32 BDSG is applicable to employees’ data protection, which contains the basic rules on how to deal with employees’ data. In accordance with Section 32 Subsection 1 Clause 1 BDSG personal data may generally only be collected, processed or used under observance of strict conditions.

Handling the data must either be relevant for

  • the decision of commencing or terminating an employment relationship or
  • the implementation of the employment relationship.

Otherwise collecting, processing or using employee data is not permissible. According to Section 32 Subsection 3 BDSG the participation rights of the works council are not affected.

Necessity of Handling Employee Data

In the future, according to the Act’s wording, companies will have to ask what is “necessary”. However, the legislator does not define the term “necessary” any further. However, according to the reasons for the law it is not intended that the new Section 32 BDSG changes the principles developed by consistent practice regarding data protection of employment relationships; rather it should summarize them. Therefore, the hitherto developed employee data protection principles are still applicable. According to this data use is necessary if the company’s justified interests cannot or cannot appropriately be fulfilled in another manner. Thereby the necessity for handling employee data by personnel management and salary accounting is generally given.

Employee Data and Internal Investigations

The amendment of the Act contains serious amendments regarding handling employee data to expose crimes. In order to expose crimes and insofar as an explicit permission by the employee is not at hand, personal employee data may only be collected, processed or used under the strict conditions of Section 32 Subsection 1 Clause 2 BDSG:

  • First, actual clues (indications (Indizien)) for a committed crime must be present, abstract suspicious facts alone are not sufficient.
  • These indications must now indicate with a high probability (suspicion) that the identifiable individual committed a crime during the employment relationship.
  • The crime must have a tight connection to the employment relationship.
  • Collecting, processing and using employee data must be necessary to expose the crime.
  • The use of employee data is only permissible if the identifiable individual does not have an opposing, predominant interest worthy of protection. In particular the type and extent of the data use may not be disproportionate in regards to the reason. The legislator’s meaning of reason is on the one hand the type and severity of the crime and on the other the intensity of the suspicion.
  • The employer must document the suspicious facts at hand as well as the consideration criteria, if the investigation should take place without breaching the employee data protection.

According to Section 32 Subsection 2 BDSG these requirements apply to all employee data, even if such data is not automatically processed.

With this amount of indeterminate conditions it will be difficult to compile resilient investigative concepts in practice. Mainly the systematic comparison of employee data with other sources will then only be permissible if actual clues for the presence of already committed crimes are given, and, insofar only employees from the smallest group of suspects are included. The so-called “mass screenings” were regularly implemented by IT experts and audit firms, which are specialized in combating economic crimes. Also the recorded questioning of employees in the scope of internal investigations and the subsequent systematic analysis are only still permissible if the employee questioned has agreed or the above-referenced conditions are met. Viewing emails or examining IT user protocols would only be permissible in exceptional cases if an explicit permission while being aware of the investigations is not at hand. This is also applicable to companies, which explicitly prohibit the private use of their IT systems. Currently, the consequences of these new regulations are barely foreseeable.

Employee Data and Preventative Compliance

One of the main purposes of practical compliance work is prevention. According to the reasons for the law the principle of Section 32 Subsection 1 Clause 1 BDSG also applies to measures to prevent crimes and other statutory violations, which are connected to the employment relationship. Monitoring performance, but mainly also monitoring the employee’s conduct should continue to be permissible. But these too must be necessary. These new statutory regulations influence many measures in this area, for example:

  • guidelines for employees’ conduct (so-called Codes of Conduct);
  • determining ombudsmen, which employees and third parties can report to and get advice from when suspicious facts are at hand;
  • so-called employee screenings prior to employment in order to avoid hiring employees lacking integrity (at least in the company’s core area);
  • training programs implemented for compliance purposes (for example for training in accordance with the regulations of the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz));
  • the introduction of the so-called whistle-blowing programs, with which employees or third parties can (often anonymously) report suspicious facts, which the company will then investigate.

Consequences for Practice

Prior to the initiation or, as the case may be, implementation of internal investigations more intensive data protection issues must be examined than before. Each individual case is to be gauged regarding the culpable crime, the degree of suspicion (circumstantial situation) and the affected employee’s interests, which are worthy of protection. This gauging process must be documented. A general ranking of permissible and not permissible investigation steps is no longer possible due to the BDSG’s strong case-by-case basis regulations.

Investigations should – at least on a first level – be limited to the analysis of data, which is not considered to be personal data. Experts in criminal and commercial law, as well as criminalistic approaches can make such investigations so precise that – on a second level – the use of personal data will provide sufficient suspicious facts.

Practice has shown that after a precise legal analysis in cases of doubt a coordination with the data protection legal authority can be useful. Furthermore, a confidant from the company’s co-determination institutions should be included. Compliance departments, company data protectors and internal audit departments will have more work. Examination measures must now be precisely aligned with the data protection’s requirements. In particular, preventative investigations are to be delineated from repressive investigations.

If companies now conduct investigations without concrete suspicions of breach of rules then they must closely examine the new legal situation. In this the main issue to be clarified is to what extent such investigations must access employee’s personal data or if it is instead not sufficient to analyze mere business data. At least when a first suspicion vis-à-vis a specific employee is present the control phase ends and investigations begin.

Furthermore, controls and investigations should also be precisely documented. Companies are only on the safe side if a compliance control is conducted based upon an exact examination of the facts and a precise analysis of the legal situation.

Practice will need to closely observe how the respective data protection supervision authorities interpret and apply the new regulations.

Outlook

The revision of the BDSG leaves many questions unanswered. The legislator had set the goal of increasing data protection’s transparency in employment relationships.

This was not accomplished. The necessity to combat economic offenses was not sufficiently considered.

While conducting internal investigations it is indispensible to use intelligent investigative approaches while exactly observing data protection legal limits of practical compliance work. Focusing on legal relevant business procedures and concrete developments are often preferential in practice vis-à-vis the usual “mass investigations”.