Main Aspects of the Employee Monitoring System in Germany

This practical guide is dedicated to German laws and official documents dealing with employee monitoring. It describes the legal peculiarities of personal data protection, including the rights of employees to agree to or reject being monitored by employers as well as to be primarily informed about such working principles. In addition, this guide covers the existing restrictions and prohibitions on checking communications systems owned by employers; the issues of tracking employees’ gadgets, implementing CCTV monitoring on companies’ premises and keeping track of workers in their off-hours; the notion of the co-determination right in the modern employment system; and possible penalties and fines for violating the requirements and laws.

Employers cannot do without employee monitoring for achieving many purposes, such as controlling and improving their performance, tracking the fulfillment of enterprise working principles, supervising the quality of work, standing up for employees’ security and providing reliable company assets. In Germany, there are no laws that control employee monitoring. However, this process can be regulated by other official documents, such as the GDPR (short for the General Data Protection Regulation), various regulations that protect personal information on federal or state levels as well as the Telemedia Act and the Telecommunications Act.

All these regulations act in accordance with:

  • Employer’s status (whether he or she is a private or public, federal or non-federal entrepreneur);
  • Employer’s policy concerning the usage of communications systems (whether he or she gives or denies access to these systems for employees’ personal use).

This practical guide is concentrated exclusively on those documents concerning private and federal public companies. It does not cover laws addressed to monitoring activity conducted by non-federal public entrepreneurs.

The guide deals with:

  • Laws in force;
  • Legal specifications for employee tracking;
  • Rights of employees and non-employees including a notice, abilities to protest against being monitored, opportunities to receive access to monitored data with a right of limiting or deleting some information;
  • Employers’ responsibilities including requirements for collecting, processing, storing and protecting employees’ personal data;
  • Peculiarities of using communications systems owned by employers for personal purposes of employees;
  • Keeping track of employees’ gadgets;
  • Implementation of a CCTV monitoring system on companies’ sites;
  • Tracking employees’ activity in their off time;
  • Labor Contracts and Collective Agreements;
  • Probable penalties and sanctions for violating employee monitoring requirements.

Laws in Force

General Data Protection Regulation in the EU

The General Data Protection Regulation that is known in the European Union as GDPR was developed to change the European Data Protection Directive. It was introduced on May 25, 2018, and is mandatory in all member-countries of the European Union. According to Article 1 of the GDPR, personal information includes all data that can be applied for the identification of a certain natural person. In other words, personal information represents a set of data that either together with other aspects found by an organization or independently can describe a personal data owner in a direct or indirect way. This document regulates the protection of data collected by a company through tracking activity.

A sizeable portion of European policy on data protection has not changed if compared with the principles stated in the EU Directive. Nevertheless, new specific aspects have been taken into consideration in the process of compiling the GDPR. Furthermore, this official document does not prohibit passing laws that:

  • Provide deeper insight into certain narrow issues such as processing of employees’ personal information that can influence the general monitoring requirements (Article 88);
  • Limit or broaden the boundaries of the GDPR rules.

You can get more information about the GDPR fundamentals, especially regulations that allow bringing in changes to the EU member-countries legislation on the base of GDPR, from practical guides dedicated to allowed GDPR variations and requirements in the EU.

Federal Data Protection Act

Germany has recently introduced a new version of the Federal Data Protection Act (BDSG from its original title “Bundesdatenschutzgesetz”). It deals with the protection of personal information on a level with the GDPR. However, this new version has certain features that are not congruent with the GDPR fundamentals. Nevertheless, the main part of requirements devoted to employee tracking and personal information processing has not been subject to noticeable modifications. Since May 25, 2018, employers are obliged to meet all the requirements of both documents, GDPR and BDSG, in the process of employee monitoring unless other official regulations define more detailed peculiarities (see Other Regulations).

If you are interested in getting more information about data protection in Germany, pay attention to Data Protection in Germany: Overview, Country Q&A or go to the Federal Data Protection site. In case you need more info concerning the difference between the GDPR and BDSG documents, see the practical guide German Implementation of the GDPR.

Other Regulations

There are some other regulations that deal with personal information protection and can make a considerable impact on the monitoring policy of employers. A list of these laws includes:

  • Article 10 (1) of the German Constitution according to which the confidentiality of telecommunications and correspondence should be guaranteed;
  • Section 88 of the Telecommunications Act that guarantees the privacy of telecommunications in Germany;
  • The obligation of employers to protect the secrecy of employees’ personal information;
  • The Telemedia Act introduced in Germany and known as TMG;
  • Provisions of the German Criminal Code specifying penalties and sanctions for violation of actual privacy principles.

According to German legislation, those employers who allow employees to use their communications systems for personal purposes are referred to as either providers of telecommunication services based on the TKG or providers of telemedia services based on the TMG. Both documents limit or forbid monitoring, collecting and processing data taken from private communications and activity of individuals on websites by employers who serve as providers.

The Telemedia Act conditions, which regulate the processing of data related to an employee’s access to sites by their employers in the role of telemedia service providers, were initially determined by the European Directive.

Nowadays, the TMG terms are not officially congruent with the GDPR principles. Nevertheless, this practical guide takes them into consideration. The TKG conditions, in their turn, are more based on the ePrivacy Directive and have no relation to the EU Directive. Therefore, they officially regulate employee monitoring activity (Article 95 of the GDPR).

If employers forbid the usage of communications systems for personal purposes, the TMG and TKG provisions have no influence on the tracking policy. If you are interested in more detailed information concerning this issue, pay attention to the section Peculiarities of Using Communications Systems Owned by Employers.

German Instructions on Data Protection

Some authorities in Germany have developed special instructions on the process of tracking communications systems in companies. All these guides are not linked with each other, but they explain the authorities’ point of view concerning data protection laws functioning in Germany. A good example of such activity is the introduction of a guideline on tracking and applying electronic communications means in a company represented by the Conference of Federal and State Authorities of Data Protection in 2016. This instruction describes those terms according to which:

  • Employees are entitled to avail of communications systems owned by employers for personal purposes;
  • Employers may be tracking workers’ use;
  • Employers may get access to workers’ means of communication.

This instruction is represented in German and uploaded to websites of data protection authorities.

Tracking Communications Systems Owned by Employers

According to Article 88 of the GDPR, all member-countries of the European Union have the right to implement specific regulations related to processing personal information of employees. As a result, the BDSG contains more extended rules for data processing. The 26th section of this document allows entrepreneurs to collect, process and utilize personal information of employees in case it is necessary for the employment process including:

  • Making a final decision on hiring a person;
  • Signing or terminating an employment agreement.

As far as Section 26 (1) of the BDSG is concerned, employers can also gather, process and utilize personal data of workers for the purpose of crime investigation if the following four conditions are observed:

  • There are official suspicions that an employee has been involved in criminal activity during the period of his or her employment;
  • It is vital to gather, process and utilize employee’s personal data for successful crime investigation;
  • Legal interests of employees do not outweigh those of employers;
  • The kind and amount of monitored information fully correspond to the purpose.

According to this section of the BDSG, employee tracking cannot be legal if there is no need:

  • To sign, continue or terminate an employment agreement;
  • To detect a certain crime.

If an employer cannot justify his or her actions based on the 26th Section of the BDSG, it is possible to appeal to Article 6 of the GDPR. According to the first part of this article, it is allowable to process information if it is necessary for protecting the legal interests of an employer. However, they cannot be outweighed by employees’ confidentiality interests. This article is actually not applicable to personal information of employees if compared with the BDSG Section 26. But in some cases, entrepreneurs’ actions can still be justified in accordance with the sixth Article of the GDPR, for instance, when the processing of workers’ personal information can help avoid fraud in a company. In this example, it is necessary for safeguarding the employer’s legal interests that have no direct connection with the labor relationship.

Business owners should not be dependent on employees’ agreement for justifying monitoring activity aside from cases when workers can provide legal consent. Such a situation is possible when employers allow employees to use their IT systems for personal purposes. Then the employers can require legal consent for limited tracking.

The BDSG does not explicitly allow or forbid business owners to practice tracking in their companies for controlling their employees. However, it is strictly prohibited to monitor them in some locations where a high level of privacy should be guaranteed. This refers to changing rooms, WC, etc. It is reasonable enough for employers to use tracking only in specific cases while ensuring that such actions are completely congruent with the BDSG, GDPR and other legal regulations.

If the legal requirements on employee tracking are not met by employers, it is considered a violation of data protection law. This can finally lead to opening a case against an employer for the illegal usage of personal information. The German Federal Labor Court has recently conducted a trial concerning the usage of a key-logger for the purpose of employee tracking. Applying this program was not justified even if it showed that an employee had excessively used employer’s communication systems and access to the Internet. Therefore, this could not be considered as grounds for dismissal. In addition, this tracking activity was not specifically conducted for the purpose of crime investigation but only for checking, which was inappropriate according to that version of the BDSG, Section 32. A new variant of this law also has the same requirements stated in the 26th Section.

Agreement

In case a business owner allows employees to use communications systems and access to the Internet for personal purposes, he or she does not need to rely on workers’ agreement for conducting monitoring activity according to the German legislation.

If an employer provides workers with free access to communications systems, they are entitled:

  • To agree on the employer’s terms and to use the Internet and IT systems without objecting to being monitored;
  • To reject offered conditions and be deprived of the right to use employer-owned systems for personal purposes.

German authorities who deal with protecting personal data believe that employee tracking cannot be considered legal even if a worker gives the full agreement on an employer’s actions. The point is that the employment relationship stipulates that there is a certain kind of hierarchy between an employer and employee that influences the worker’s decision. Therefore, his or her agreement cannot be absolutely voluntary. The consent can be considered legal only if it corresponds to all the requirements of the GDPR. They are stated in the 4th (11) Article that contains the definition of agreement, the 7th Article in which terms for consent are determined, and the 6th (1) (a) Article which includes requirements for providing an agreement in certain cases.

If an employer justifies his or her monitoring as well as the processing of employees’ personal data relying on the workers’ consent, it is important to take into account its validity. The question of agreement validity depends on the following aspects:

  • The peculiarities of the relationship between an employer and employees;
  • The conditions under which this consent was given.

This is regulated by the 26th (2) Section of the BDSG.

According to Article 7(1) of the GDPR, employers can rely on consent in the process of employee monitoring, but they have to:

  • Inform workers before implementing tracking activity along with stating the amount and purposes of data collecting. It is also necessary to explain the consequences of employees’ denials of being monitored. For example, they can be limited in or deprived of the ability to use employer-owned communications systems for personal purposes.
  • Meet all the requirements of existing laws and regulations for getting the legal agreement.
  • Explain to employees that they have a legal right to withhold consent if they agree to probable consequences.
  • Get an employee’s agreement in the form which then can become a proof that he or she really permits an employer to practice monitoring and process the collected data.

Rights of Employees and Non-Employees

According to the GDPR, all individuals who undergo monitoring conducted by business owners are entitled to:

  • Be primarily informed about this activity (go to Notice and Agreement for Non-Employees);
  • Raise an objection to be monitored under certain conditions (go to Ability to Protest against Being Monitored);
  • Limit the processing of their personal information under certain conditions (go to Processing Limitations);
  • Obtain free access to the data collected by the employer with an ability to limit or delete them (go to Access to Collected Data, Editing and Deleting).

Notice

According to the GDPR, every employee, as well as any other personal data owner, is entitled to be primarily informed about the existence of the actual process of personal information monitoring, collecting and processing, apart from specific cases stated in the 13th and 14th Articles of the GDPR and the 32nd and 33rd Sections of the BDSG.

In most cases, the information warning about conducting monitoring activity is represented in the form of:

  • A specific document containing employee privacy requirements;
  • A separate paper developed for informing about tracking;
  • A part of a big document with the requirements of company policy on using information technologies.

It is also possible to place a warning about monitoring, collecting and processing personal data in a works council contract (go to Labor Contracts and Collective Agreements).

After providing employees with a notice about tracking activity, an employer is able to process the received personal information exclusively for the purposes stated in that notice. If he or she has another aim, a new notice should be developed according to the 13th (3) and 14th (4) Articles of the GDPR (go to Data Storage).

Notice Standards

The GDPR determines a set of data any notice has to contain including:

  • The name and contacts of an employer as well as the contact information of an EU representative, if he or she exists;
  • The contact information of the employer’s data security officer, if he or she exists;
  • The reasons explaining why the employer has to monitor, collect and process the personal information of employees;
  • The laws and regulations which confirm the validity of these actions;
  • The type of information the employer is planning to collect and process, if it is not taken directly from data owners;
  • Determination of the employer’s legal interests if they are considered a legitimate basis for information processing;
  • The information about subjects who will receive the collected data;
  • The intentions of the employer to send the collected information abroad, if there are any, with specifying the way of transfer;
  • The information about a data storage period along with giving explanations concerning the criteria of such a choice;
  • The explanation of requirements according to which an employer has to provide necessary personal data, for instance, a contract, agreement, statute, etc., with identifying the probable consequences in case of denials;
  • The link to sources from which all data are collected, no matter whether they are freely available or closed if only the information is not taken directly from a data owner;
  • The type of data processing the business owner uses with specifying whether it has an automated mechanism of making decisions and describing possible consequences for data owners;
  • The rights of employees:
    • to obtain access to the collected data with an ability to change, edit, delete, limit them or protest against transferring them to other subjects;
    • to refuse monitoring activity including the ways of using this right in case an employer requires the employee’s consent for justifying the information processing;
    • to appeal to information protection authorities with complaints in case of violating the rights stated in the laws and regulations.

Probable Exceptions

According to the 13th (4) and 14th (5) Articles of the GDPR and the 32nd and 33rd Sections of the BDSG, there are certain exceptions from the main requirements on notice content. They are not applicable in the following cases:

  • The worker who undergoes monitoring has already got the information;
  • The employer received the data not directly from the information owner and delivering the data
    • is impossible or requires inadequate efforts;
    • seriously violates the initial purposes of data processing. For example, it would be inadequate to provide an employee with a notice in the process of crime investigation.

Ability to Protest against Being Monitored

According to Article 17 of the GDPR, workers are entitled to express their objections to the illegal tracking activity of employers and demand the deletion of all data collected in an illegitimate way. However, their rights are rather restricted when monitoring is carried out on legal grounds. In case the tracking is conducted legally relying on Article 6 (1)(e) of the GDPR that allows data processing in the interests of society or Article 6 (1) (f) that permits processing for the protection of an employer’s or third person’s legal interests and an employee rejects being monitored under certain circumstances, the employer has to cease this tracking activity.

Under the 21st (1) Article of the GDPR, a business owner is obliged to cease monitoring unless:

  • he or she is able to provide solid legal reasons for their activity which are more important than rights and legitimate interests of employees;
  • it is impossible to defend legitimate claims or conduct legal actions without data processing.

The BDSG Section 36 claims that employees’ abilities to protest against being monitored can be restricted if urgent interests of society overriding the legal interests of workers are observed or if the tracking is necessary according to current laws and regulations.

Notice and Agreement for Non-Employees

Tracking of an employee’s activity cannot be conducted without collecting certain types of information about non-employees, because it involves checking workers’ emails, recording their phone calls or implementing CCTV monitoring. Therefore, the BDSG and GDPR are also applicable to collecting, applying and processing personal data of those people who are not members of a company’s staff. Under these regulations, an employer is obliged to inform non-employees about probable tracking activity. The processing of non-employees’ personal information should be based on compelling legitimate grounds. Those laws and regulations that allow employee tracking do not justify the infringement of the rights of non-employees.

In case personal information about non-employees can be monitored through recording of phone calls, an employer has to provide them with a specific message notifying non-employees as both callers and recipients about the fact that:

  • their conversation can be recorded by the company;
  • there is a legal reason for such actions, for instance checking the quality of employees’ performance.

However, it is important to mention that even such a warning does not fully permit collecting and, in particular, processing personal information of non-employees. It is compulsory for business owners to be supported by legitimate sources for justifying the tracking of non-employees that results from monitoring workers. In this case, even a specific notification about recording phone conversations is not enough.

All non-employees who happen to appear at the premises of a company should be informed in case CCTV monitoring is applied (go to Implementation of a CCTV Monitoring System at Companies’ Premises).

There are several solid legitimate reasons for monitoring non-employees’ activity and collecting their personal information according to the GDPR, such as:

  • The necessity of tracking non-employees is based on protecting the legal interests of the employer, which are more significant and compelling if compared with the privacy rights of non-employees (the GDPR Article 6 (1) (f));
  • The interests of non-employees cannot override the legal rights and purposes of business owners in case of implementing CCTV monitoring under the BDSG, Section 4. However, this law is applicable to those cases when video monitoring is conducted for the interests of society or according to an official order. Here, the GDPR Articles 6 (1) (e) and 6 (3) gain an advantage.
  • There are no legal grounds for conducting monitoring activity but a business owner managed to get a non-employee’s agreement for tracking and collecting data (The GDPR Article 6 (1) (a)) (go to Agreement).

Even if a person who does not work for a company communicates with a business owner or employees and is informed about carrying out monitoring activity, it is not advisable to use a tacit consent as a solid ground for justifying tracking.

Processing Limitations

According to the GDPR, all workers are entitled to limit the processing of their personal information under certain conditions. This also refers to situations when an employee expresses objections to data processing grounded on an employer’s legal interests (go to Ability to Protest against Being Monitored) (GDPR, Article 18). It is possible to read more about the issue of data processing limitations in other practice guidelines.

Access to, Editing and Deletion of Recorded Data

All employees and non-employees are entitled to get free access to data collected by an employer. They can also edit their personal information which was recorded and even delete it, taking into consideration specific exceptions under the GDPR Articles 15, 16 and 17. According to this regulation, personal information owners also obtain new rights, such as:

  • To limit the processing of their personal information under certain conditions due to the 18th Article of the GDPR (go to Processing Limitations);
  • Ability to transfer data according to specific circumstances due to the 20th Article of the GDPR.

The GDPR binds business owners to give a quick response to data owners’ inquiry. The term for giving an answer does not usually exceed one month but in some cases, it can be prolonged according to Article 12 (3). You can get familiarized with detailed information dedicated to the rights of personal data owners, as well as responsibilities of information controllers, reading other practice guidelines. The new version of the BDSG also claims that there are certain exceptions to the rights of data owners.

Storing and Protecting Personal Information

According to the 32nd Article of the GDPR, companies are obliged to:

  • Introduce a risk-oriented model for protecting personal information;
  • Develop and apply both technical and administrative methods for ensuring the security of information in accordance with the risk.

Other laws and regulations in Germany also pay attention to the issue of protecting personal information.

Transmission of the Information

Transmission to TPSPs (Third-Party Service Providers)

There are some cases when it is necessary to send monitored personal information to third-party service providers, which can be situated in Germany as well as somewhere abroad, or when a foreign company conducts the tracking in the name of an employer. Those employers who decided to transmit collected personal data to some service providers or other companies are obliged to:

  • Sign an agreement with the service supplier about the data processing in which all the necessary aspects will be taken into consideration (the 28th Article of the GDPR);
  • Evaluate the quality of technical and administrative means of the third party before signing the agreement as well as in the process of cooperation on a regular basis;
  • Guarantee the high level of data security provided by the service supplier if it is not located somewhere within a European Economic Area under the 44th Article of the GDPR. In case the country where the service provider is located is not included into the EEA list and the European Commission cannot determine its level of data protection as high enough, it is still possible to transmit information by applying:
    • Standard Contractual Clauses according to the decision of the Commission 2010/87/EU;
    • Compulsory rules of the company (can be applied exclusively to transmissions of information within a group);
    • The accepted policy of the EU-US Privacy Shield dedicated to transmissions from the European Union to the USA according to the decision of the Commission 2016/1250.

Transmissions to Third-Party Information Controllers

The demand to sign an agreement concerning information processing in the process of data transmission will not be applicable in case a third party who should receive these data wishes to obtain the information for reaching its personal aim. This subject is not considered a dependent service supplier but acting in his or her own interests. Therefore, an employer is obliged to:

  • Take advantage of legal documents that regulate the process of obtaining the information by the third party and its self-dependent processing (the GDPR, Article 6);
  • Guarantee the high-level protection and secure transmission of the personal data to the country that is not located within the EEA by applying a solid legitimate base, such as Standard Contractual Clauses covering the transfer from a controller to a controller according to corresponding decisions of the Commission.

The point that an employer serves as a part of a joint company structure cannot be a legal reason for transmitting employees’ personal data to other joint or holding companies situated outside the EEA, no matter whether it is sharing among two information controllers or between information processors and controllers. There are also other practical guidelines dedicated to the issues of data transmission between different companies.

Data Storage

There is no specific period for keeping the information collected in the process of tracking activities according to German law. Therefore, employers have the right to store personal information about employees as long as they need in order to achieve those goals for which the tracking was used, taking into consideration current laws and regulations according to which a period of data keeping can be prolonged (the 5th (1) (e) and 17th (3) Articles of the GDPR). The periods of data storage can be different because of varying reasons for monitoring. In case an initial goal is achieved, an employer is obliged to delete the collected information. It can be kept for a longer time if employers are entitled to process this data.

In most cases, a period for data storage is not long. For instance, if CCTV monitoring is organized for providing a higher level of employees’ and company’s assets security and records do not show suspicious incidents, all the data should be immediately deleted. According to German authorities dealing with personal information protection, all video records should be deleted by employers within 48 hours. In case an employer needs those camera records for the purpose of crime investigation, the storage period can be prolonged.

In some cases, an employer can have other grounds for conducting monitoring activity, for example, to handle tax, archiving or accounting issues. Then it is necessary to block this personal data to prevent information processing for other intentions.

If camera tracking is based on the 4th Section of the BDSG (go to Implementation of a CCTV Monitoring System at Companies’ Premises), employers are restricted in the ability to utilize the collected video for reaching new goals. New or modified purposes are allowed only if it is necessary for:

  • Preventing dangerous situations and providing a high level of security for society;
  • Investigating crimes (the 4th (3) Section of the BDSG).

Peculiarities of Using Communications Systems Owned by Employers

The main laws, regulations, and guidelines dedicated to employee tracking rely on the peculiarities of using communications systems owned by employers for personal purposes of employees. The business owners can either allow or forbid the usage of these systems at their own discretion.

Forbidding the Usage for Personal Purposes

The prohibition to utilize employer-owned communications systems for personal purposes of employees is absolutely appropriate according to German legislation. Those employers who forbid personal usage of IT systems and the Internet:

  • May not be targeted by the TMG and TKG;
  • Take advantage of expanded tracking rights (go to Other Regulations and Allowing the Usage for Personal Purposes);
  • Are targeted by laws and regulations devoted to data protection, such as the BDSG and GDPR;
  • Should ensure compliance with the prohibition policy and apply penalties or other sanctions for violating the rules.

If employers do not manage to ensure compliance with the prohibition of using communications systems for personal purposes, the TKG and TMG can be applicable.

Those business owners who forbid personal usage of telecommunications systems:

  • Have to use anonymized information for conducting random checks for the purpose of ensuring that employees utilize IT systems and the Internet exclusively for working goals;
  • Can keep track of received and sent emails and all metadata related to them as well as require workers to send specific emails in order to provide the proper employer-employee relationship and comply with legal reasons. Yet, business owners may not require workers to automatically forward all messages unless a worker is not present and an out-of-office answer is inefficient;
  • Have to refrain from reading personal messages. In case an email has the slightest pattern of personal tone, an employer cannot conduct collecting and further processing of this information;
  • Should not track all emails, check Internet pages or record all phone conversations unless it is necessary for crime investigation. But even in case of legal proceedings, such overall monitoring should have its limits. For example, it is preferable to read all emails or listen to collected recordings together with an employee and a representative of the works council if it is possible. Such an approach will not violate the employee’s right to privacy and will be more adequate than covert observation.

Allowing the Usage for Personal Purposes

Those employers who allow employees to use IT systems and the Internet for their own purposes are targeted by the TKG as telecommunications service suppliers and by the TMG as telemedia service suppliers.

According to the TKG, business owners as service suppliers do not have the right to track employees’ private conversations. The same situation is observed with the TMG that forbids processing of the employees’ personal information, their access to sites and history of pages usage. In case the TKG and TMG are taken into account, the rights of business owners for tracking activity are strictly limited. They are able to get access to some personal data after receiving an employee’s agreement and meeting all the TKG and TMG requirements. Another way is to access some data in case of legal exceptions, for instance, when it is necessary to provide some services or detect and repair certain technical failures in IT equipment.

Those employers who allow employees to use telecommunications systems for personal purposes have to:

  • Sign a works committee agreement where it is stated in what scope telecommunications systems can be used for personal purposes and which rights the employer has concerning workers tracking. This provision is appropriate only if there is a works committee in the company;
  • Add requirements on personal usage of communications systems and IT technologies owned by an employer to employees’ working contracts or to a separate document addressing IT policy. This paper is used in case a works committee does not function in the organization, and it should include an employer’s tracking rights;
  • Get an agreement to tracking from workers (go to Agreement).

Employers are also entitled to conduct random checks to make sure that workers meet all the requirements and do not overuse the Internet and other IT systems. These inspections should be conducted using anonymized information unless the employers have grounds to suspect employees of the rules violation.

Tracking of Private Communications

If employers allow employees to use communications systems for personal purposes, they have no right to track private messages sent to or from an email address that belongs to the employer. This rule is regulated by the TKG and TMG (go to Other Regulations and Allowing the Usage for Personal Purposes). According to German legislation and the TKG, the privacy of telecommunications:

  • Stipulates that it should be confidential information that a certain individual participated in a specific conversation, not to speak of the subject and details of this communication;
  • Means that employers may be prevented from checking employees’ working email boxes in case they are used for personal communication, which can lead to the leak of private info.

Even though a worker can take advantage of a corporate computer, laptop or network as well as a working email address to send a private message, employers cannot track these emails.

Those business owners who forbid employees to use IT systems and the Internet for personal purposes have more extended rights for tracking workers’ activities and can easily check their working email accounts (go to Other Regulations and Forbidding the Usage for Personal Purposes).

Keeping Track of Employees’ Gadgets

In case an employee utilizes a gadget for working purposes, an employer is entitled to track the use of this gadget if it:

  • Corresponds to the demands which can be applied for tracking communications systems and equipment owned by employers;
  • Gives effect to an agreement with workers on practicing a BYOD program (short for Bring Your Own Device) according to which employees utilize their gadgets for work purposes, which gives employers the right to monitor workers’ activities.

The BYOD scheme should be organized in a proper way so that employees’ privacy rights would be congruent with the information supply requirements of a company. Introducing software that deals with mobile device management can be helpful in:

  • Controlling personal gadgets that work due to IT systems and networks of the company;
  • Forming a strict boundary between private information and business data as well as limiting their overlapping;
  • Permitting an employer to track and collect exclusively those data that are connected to work;
  • Providing an employer with more extended rights concerning tracking the employees’ gadgets since they can check all work-oriented information, even in incoming and outgoing emails.

A document that informs about the BYOD approach or an employment agreement should contain an explanation about the employer’s rights and abilities to monitor and collect data from employees’ gadgets.

Consent to Tracking Employees’ Gadgets

Employers cannot monitor employees’ own gadgets which they utilize for business goals and collect personal data from them without the workers’ agreement. Employees are legally able to agree on the tracking of their own gadgets in exchange for the right to use them for carrying out business tasks. However, German authorities claim that these employees’ agreements are not always valid (go to Agreement).

It is important to mention that employees cannot be forced to use their own gadgets for business tasks and to give consent to the tracking activity of employers. However, employers can give workers the right to make a choice. For example, if they want to use their gadgets for work, they need to agree on certain terms, including tracking and following required rules.

Implementation of CCTV Monitoring System at Companies’ Premises

Application and Limitations

According to the 4th Section of the BDSG, video monitoring is permitted in places open to the public if it is required and there are no grounds to consider that employees’ legal interests override the employer’s interest in tracking. CCTV monitoring can be used to:

  • Conduct tasks for public interests;
  • Implement the right to decide who should or should not get access;
  • Meet legal interests based on solid grounds.

Taking into consideration the fact that the GDPR is considered to be of a higher priority than the BDSG, those rules under the 4th Section are applicable only for using camera surveillance for society interests or according to official authorities requirements (The 6th (1) (e) and 6th (3) Articles of the GDPR).

According to German legislation, it is forbidden to implement CCTV monitoring covertly. It is allowed only for a few reasons, for example, when a notification about camera monitoring can frustrate initial plans. Hidden CCTV monitoring can be justified in case of certain crime investigation because a notification about tracking can serve as a warning for a potential criminal. It is especially important for employers to find a balance between their legal interests and privacy rights of employees, particularly when hidden monitoring is applied.

Placing Video Cameras

It is forbidden for employers to place cameras in locations where employees have a legal right to absolute privacy, such as changing rooms, WC, and other private places. If employers fail to meet these requirements, it will be considered a violation of the German criminal legislation (Section 201a (1) of the Criminal Code).

Employers are obliged to have solid grounds for implementing CCTV monitoring. For instance, camera surveillance can be necessary to defend a company against criminals. In this case, it is usually located only at all entrances and does not violate employees’ rights.

Notice and Agreement on CCTV Tracking

The general requirements on CCTV tracking and notice providing do not differ from the rules for other types of monitoring (go to Notice and Agreement).

Business owners are able to add a notification about CCTV monitoring to:

  • An extended employee security notice;
  • A specific notification about tracking;
  • A separate document about the IT and communications systems usage requirements.

In case CCTV tracking is conducted in places open to the public, employers are obliged to identify the exact area of camera locations in a notification under the 4th Section of the BDSG. For this purpose, it is necessary to place specific messages in the areas under surveillance to inform people about the tracking activity. This rule may be departed from where hidden monitoring is allowed.

The notification signs have to contain:

  • A precise message that cameras are located in the territory of the company and people’s images can be recorded;
  • The contacts of an information controller in case any person will have a wish to receive his or her images from cameras or just clarify some details of monitoring;
  • The contacts of an information protection officer, if such a position exists in the company;
  • The reasons for monitoring and laws or regulations which serve as a base for it;
  • The employer’s legal interests;
  • The terms for collected data storage.

These notification signs should also explain to people where they can get more detailed information about tracking activities according to the 13th and 14th Articles of the GDPR.

Tracking Employees’ Activity in Their Off Time

The monitoring of employees’ activities in their off time is covered by the same regulations as other kinds of tracking. However, the process of employees’ off-time activity tracking stipulates that employers are more involved in the workers’ private life. Therefore, it is necessary to find a balance between the employer’s interests and employees’ rights. As a rule, the privacy and security rights of workers override the legal interests of business owners and such kind of tracking is forbidden.

But in some rare cases, it is appropriate to monitor the activities of employees in their off time, for instance, when:

  • A worker asks an employer for a health leave, but the employer has solid reasons to doubt the honesty of the employee. Nevertheless, it is necessary to carry out tracking activity in a reasonable way. For instance, it is appropriate to take photos of an employee in some public areas. But it is forbidden to do monitoring when an employee is at home;
  • A worker obtains a vehicle for business tasks, but an employer has serious suspicions that the employee uses the car in their off time, which is prohibited. Therefore, GPS monitoring can be applied to clarify the matter.

Labor Contracts and Collective Agreements

Under the Works Constitution Act, works committees are entitled to practice joint determination prior to business owners starting to utilize various gadgets or programs for tracking employees’ activities. Collective labor agreements may also influence tracking provided the right of joint determination is appropriate.

The basic aim of joint determination is to provide employees with a right of voting in the process of making some business decisions. Employees have to select some representatives for taking part in discussions of the works committee. The joint determination right is applicable even if the main aim of some gadgets or programs is not employee monitoring.

Labor contracts can also include information about tracking. For instance, a business owner can allow using IT systems and the Internet for personal purposes if an employee agrees on being monitored.

Probable Penalties and Sanctions

Premeditated or careless violation of laws and regulations on personal data protection is considered an administrative offense and leads to a fine in the sum of €20,000,000 according to the 83rd Article of the GDPR. Furthermore, there are cases when even criminal sanctions can be applied. For instance, the illegal processing of personal information that was not open to the public is a crime that can be punished with up to two years of imprisonment if those actions were conducted to obtain certain property or money or to do harm to employees or other people.

A failure to meet the requirements of privacy of communications (go to Other Regulations) is also a criminal offense and leads to a fine or imprisonment of up to five years under the Criminal Code of Germany.

CCTV monitoring in private areas such as changing rooms or WC is a criminal offense and can be punished by a 2-year sentence or fine according to the Criminal Code (go to Placing Video Cameras).

Article Photo © Andrew Czap | Flickr
