Germany - German Data Protection obligations on private email and internet usage in the workplace
Published 19 April 2016
The Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Datenschutzkonferenz der Datenschutzbeauftragten des Bundes und der Länder) has published guidelines for employers and employees on the usage of business email and internet services in the workplace in line with national data protection laws (the "Guidelines").
The Guidelines summarise the German data protection supervisory authorities' position and provide recommendations for public authorities and companies, pursuant to which they are allowed to access employees' work email inboxes or to observe the browser history of employees’ internet use (the "Recommendations"). The application of the Recommendations will depend on whether employers permit the private usage of internet services and/or work emails in the workplace.
Where the use of internet and email is restricted to business use only, the employer may conduct random checks to verify compliance with applicable regulations. These checks should be conducted anonymously, i.e. without collecting personal data; in particular, IP addresses should not be recorded. Personal data should only be collected if there is a reasonable suspicion of criminal action. Where work email is restricted strictly to business use, an employer may monitor incoming and outgoing work emails if they are forwarded by the respective employees.
The employer is not allowed to install automatic forwarding procedures for every email. The data protection supervisory authorities recommend that in cases of employee absence, an out of office functionality may be used. In any case, if the employer recognises that an email has private content, it is not allowed to take any further notice of it.
If the employer allows for the private usage of the internet or work email services, it will be considered as a provider of telecommunications or telemedia services. Accordingly, it will have to comply not only with the Federal Data Protection Act, but also with the regulations of the Telecommunications Act and the Telemedia Act. This means that the employer is bound by the secrecy of telecommunications and the violation of any such secrecy obligations will constitute a criminal offence.
The employer has to inform the employees that there will be a log of data which may be accessed and assessed to determine if private use restrictions are being complied with. Access to this log is only allowed if the employee gives their express approval. However, the employer may make the private usage conditional upon further requirements. The data protection supervisory authorities recommend that organisations put into place, in compliance with the works council's codetermination rights, specific regulations addressing private use of the Internet and work emails. The employer should then obtain the employees’ consent.
Employers’ access to employees’ emails or Internet usage remains admissible where it is necessary to detect, isolate, or eliminate errors or malfunctions.
To read the press release of the Conference of the Data Protection Commissioners, please click here (German).
To read the Guidelines, please click here (German).
Submitted by Clemens Wieder – Associate in the IP/IT law department of Luther Rechtsanwaltsgesellschaft - Frankfurt am Main, Germany