The German Federal Labor Court had to decide on a work council’s demand to be provided with a personal computer with a group account for access to the internet (in contrast to personalized internet access for the individual works council members). The district court had denied the request; the higher regional court had reversed the decision. Upon appeal by the employer, the federal court upheld the decision that the employer has to provide a non-identifiable internet access to the works council.

The reason for this request was to guarantee that each works council member should be able to research freely on the internet without the employer being able to monitor or review who researched what, and for how long. According to the Works Constitution Act, an employer must provide the works council with the necessary means to conduct its business, including information and communication tools. Whether a specific device or tool is necessary is in the works council’s discretion – in consideration of its own interests, but also the interests of the employer. In order to comply with this provision, the employer had given the works council a personal computer that contains personal data for fulfilling its tasks, including research on the internet – but with personalized internet access only. The works council is entitled to demand non-identifiable access to the internet, especially in light of the works agreement in place between the parties, according to which the employer has certain monitoring permissions - which the works council views as a risk to fulfilling its tasks without obstacles. One of the arguments brought forward by the employer for insisting on personalized access only was the requirement to provide for appropriate data security measures as prescribed in section 9 of the German Federal Data Protection Act (the “Act”), according to which every data controller/processor has to implement measures for ensuring compliance with the Act. This requires that any automated processing and use of personal data, and the acting person, can be traced and verified.

The Federal Labor Court decided that the works council, being a part of the employer (and data controller with regard to the personal data contained on that computer in question) is itself responsible for complying with the requirements of the Act, including the implementation of appropriate technical and organizational security measures on the computer. The requirement to enable the tracking of any processing and use of personal data on that personal computer does not mean, however, that it must be traceable for the employer. It is sufficient if for instance the works council allocates identifiers to the individual works council members without providing the identifiers to the employer.

The decision strengthens the position of German works councils as it gives them wide discretion regarding the implementation of data security measures, and thereby limiting the employer’s options to maintain control over its IT systems.