Search for:

A company used a keylogger software to secretly monitor how the employees used their computers. The keylogger software tracked all key strokes and made screen shots of computer screens in certain intervals. The company did not have any specific and documented suspicion of wrongdoing against one or more of its employees but used the software for the purpose of monitoring internet traffic as such as well as the general computer usage of its employees. The company informed its employees of this practice.

Based on the information gathered by the keylogger software, the company determined that an employee made excessive personal use of the internet during working hours. The company terminated the employment relationship based and relying on the facts gathered by the keylogger software. The employee challenged this decision in court.

In its judgment deciding about the lawfulness of the dismissal, the German Federal Labor Court (BAG) held on 27 July 2017 (File Record 2 AZR 681/16 – as of today, only the press release is available) that:

  1. The installation and usage of the keylogger software violated German data protection law and the employee’s constitutional right of informational self-determination. In particular, Section 32 (1) sentence 2 German Federal Data Protection Act (“FDPA”) could not justify the collection, processing and use of the employee’s personal data via the keylogger software. Section 32 (1) sentence 2 FDPA permits the collection, processing and use of employee data if (i) factual and documented indications lead to the suspicion that the employee committed a criminal offence in the course of the employment relationship, (ii) the collection, processing and use is necessary for the investigation of the criminal offence, and (iii) the legitimate interest of the employee in not being subject to such data collection, processing and use does not prevail, in particular form and extent must not be disproportionate with regard to the cause.
  2. However, the BAG held that Section 32 (1) sentence 2 FDPA must be interpreted broadly to apply not only to suspected criminal offences but also to suspected serious violations of a contractual duty. In the case at hand, the company did not have any factual and documented indications before using the tracking software that would have resulted in a sufficiently specific suspicion that the employee was in serious breach of his contractual duties. As such, the conditions of Section 32 (1) sentence 2 FDPA were not satisfied.
  3. As the company obtained the facts proving the extensive personal use of the internet unlawfully, the employee’s constitutional right of informational self-determination (Art. 2 (1) in conjunction with Art. 1 (1) German Constitution) required that the evidence was not admissible court.

The BAG therefore held that the company did not have good cause to terminate the employment relationship.

Conclusion

This decision of the BAG is relevant for two reasons:

  1. The BAG held that the very strict monitoring requirements imposed by Section 32 (1) sentence 2 FDPA, requiring amongst others a factual and documented indication for an employee’s wrongdoing, does not only apply if an employee is suspected of having committed a crime relating to the employment but also if the employee is suspected of having committed a serious breach of contractual duty. It is unclear whether these strict requirements of Section 32 (1) sentence 2 FDPA shall also apply if the employee is suspected of having committed a less serious violation of a contractual duty. Until this question is clarified by case law, any investigation into an employee’s wrongdoing must pass Section 32 (1) sentence 2 FPDA, and the employer should not rely on the lower bar of Section 32 (1) sentence 1 for potential wrongdoings below a suspected crime / serious breach of duty. As the new FDPA, which will come into effect on 25 May 2018, will retain the concept and wording of Section 32 (1) sentence 2 FDPA (in the future governed in Section 26 (1) sentence 2 FDPA-new), we do not expect that this broad interpretation and application will change (also see Schmidl/Tannen, Der Betrieb, 2017/1633).
  2. The BAG held that evidence gathered in violation of German data protection law are not admissible in court.

Further details on the court’s reasoning will be available once the BAG publishes the full text of the court decision.

Author

Julia Kaufmann is a partner in Baker McKenzie's Munich office. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Mrs. Kaufmann obtained her Master of Laws degree at the University of Texas at Austin, USA. Mrs. Kaufmann worked in the Firm’s Dallas office from 2011-2012 and handled matters primarily for US clients.

Author

Prof. Dr. Michael Schmidl is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He is a partner at Baker McKenzie´s Munich office and advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Mr. Schmidl also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Dr. Holger Lutz is co-head of the German Information Technology Group and is based in Baker McKenzie's Frankfurt office. He studied law at the Johann Wolfgang Goethe-University in Frankfurt/Main. He also studied at the University of Edinburgh and gained an "LL.M. in Innovation, Technology and the Law". During his legal clerkship he worked for a German data protection authority as well as international law firms. In 2008 he obtained his Doctor of Law degree on a topic related to software licenses in Frankfurt/Main.