On February 5, 2016 the Data Protection Conference, an association of the German data protection authorities, issued a guidance on the use of emails and other Internet services in an employment relationship (“Guidance”). The Guidance contains instructions and recommendations on the monitoring of Internet use and accessing company email accounts.
When employees use their employer’s Internet and email systems, a substantial amount of personal data is generated (email content, email addresses, URLs, the date(s) of the respective activity, the computer used, etc.). The collection, processing and/or use of of such personal data is subject to the German Federal Data Protection Act (“FDPA”), e.g. when the employer monitors the legitimate use of company email accounts and/or the Internet use. It is not yet finally decided whether an employer qualifies as provider of telecommunication services under the German Telecommunications Act (“TCA”) if the employer permits the use of company email accounts and the Internet for private purposes. In such case, the employer would be prohibited from disclosing any private communications content or related personal data without appropriate consent under penalty of criminal law.
Content of the Guidance
The German Data Protection Authorities take the following position:
- If private use is prohibited: (Only) the FDPA applies. With regard to the Internet, the employer may make spot checks of protocol data in order to check whether the Internet is used for company purposes only. In the first instance, this should be done without collecting personal data, e.g. the IP-address – blacklist and/or whitelists are preferable. With regard to emails, the employer may take note of incoming and outgoing company emails. But the employer may not ask for an auto-forwarding of all emails (=prohibition of permanent control), unless an employee is absent and an out-of-office reply is insufficient. When the employer recognizes the private character of an email, the employer must stop reading the respective email. A full monitoring of Internet use and/or emails is only permitted to investigate crimes in case of a concrete suspicion of misuse, and if the principle of proportionality is met.
- If private use is permitted: If the employer permits the use of the company IT systems (also) for private purposes, the employer qualifies as provider of telecommunication services, respectively telemedia services. Thus, the employer must comply with the strict provisions of the TCA (e.g. the provisions on the telecommunications secrecy), respectively the German Telemedia Act (“TMA”). Data subject to the telecommunications secrecy may only be accessed with the employee’s consent, unless one of the very narrow statutory exceptions applies. With regard to monitoring the Internet use, a works council agreement should be concluded, addressing the private use of the company IT systems. In addition, the employer should obtain the employees’ consent which must include type and scope of the monitoring. Even in such case, the processing of protocol data is only permitted if there is a concrete suspicion (e.g. of a violation of the works council agreement). The same applies for accessing emails. In addition, it should be stipulated if and how the employer may access emails stored in an email account that contains company emails and private emails. Accessing an employee’s email account (e.g. in case of sudden absence) is only permissible if necessary and with the employee’s prior consent.
Employees must be able to refuse their consent without facing any disadvantages. If they refuse their consent, they are not allowed to use the Internet or email account for private purposes.
- Persons entrusted with confidential information: Certain employees, such as members of the works council, data protection officers or company physicians may not be monitored at all, i.e. the Internet use may not be monitored and emails must be excluded from monitoring/accessing. The same applies to emails of employees communicating with those persons.
- Spam-filter and anti-virus software: Employees must be notified on the use of spam-filters in advance and the employer should implement a solution that respects data protection law (e.g. suspicious messages should be marked rather than deleted and the recipients should as far as possible be able to decide on their own how to handle such emails). Anti-virus software may be used for security reasons. Filtering and investigating virus-infected private emails, including gaining knowledge of the content is, however, only permitted if the requirements of Sec. 100 TCA are met.
To dos for companies
Companies are free to decide whether they want to permit the use of the company IT systems for private purposes. However, if a company permits the private use, it should comply with the Guidance. This is also true once the General Data Protection Regulation enters into force because the Member States are entitled to enact stricter provisions for the protection of employee data.