© Andrew Czap | Flickr
This practical guide is dedicated to German laws and official documents dealing with a system of employee monitoring. In this paper, all legal peculiarities concerning personal data protection are described including the rights of employees to agree on or reject of being monitored by employers as well as to be primarily informed about such working principles. In addition, this guide discovers the existing restrictions and prohibitions of checking communications systems if they are owned by employers; issues of tracking employees’ gadgets, implementing CCTV monitoring on companies’ premises, keeping track of workers in their off-hours; the notion of co-determination right in the modern employment system and possible penalties and fines for violation of the requirements and laws.
Employers cannot do without employee monitoring for achieving many purposes, such as controlling and improving their performance, tracking the fulfillment of enterprise working principles, supervising the quality of work, standing up for employees’ security and providing reliable company assets. In Germany, there are no laws that control employee monitoring. However, this process can be regulated by other official documents, such as the GDPR (short for the General Data Protection Regulation), various regulations that protect personal information on federal or state levels as well as the Telemedia Act and the Telecommunications Act.
All these regulations act in accordance with:
This practical guide is concentrated exclusively on those documents concerning private and federal public companies. It does not cover laws addressed to monitoring activity conducted by non-federal public entrepreneurs.
The guide deals with:
The General Data Protection Regulation that is known in the European Union as GDPR was developed to change the European Data Protection Directive. It was introduced on May 25, 2018, and is mandatory in all member-countries of the European Union. According to Article 1 of the GDPR, personal information includes all data that can be applied for the identification of a certain natural person. In other words, personal information represents a set of data that either together with other aspects found by an organization or independently can describe a personal data owner in a direct or indirect way. This document regulates the protection of data collected by a company through tracking activity.
A sizeable portion of European policy on data protection has not changed if compared with the principles stated in the EU Directive. Nevertheless, new specific aspects have been taken into consideration in the process of compiling the GDPR. Furthermore, this official document does not prohibit passing laws that:
You can get more information about the GDPR fundamentals, especially regulations that allow bringing in changes to the EU member-countries legislation on the base of GDPR, from practical guides dedicated to allowed GDPR variations and requirements in the EU.
Germany has recently introduced a new version of the Federal Data Protection Act (BDSG from its original title “Bundesdatenschutzgesetz”). It deals with the protection of personal information on a level with the GDPR. However, this new version has certain features that are not congruent with the GDPR fundamentals. Nevertheless, the main part of requirements devoted to employee tracking and personal information processing has not been subject to noticeable modifications. Since May 25, 2018, employers are obliged to meet all the requirements of both documents, GDPR and BDSG, in the process of employee monitoring unless other official regulations define more detailed peculiarities (see Other Regulations).
If you are interested in getting more information about data protection in Germany, pay attention to Data Protection in Germany: Overview, Country Q&A or go the Federal Data Protection site. In case you need more info concerning the difference between the GDPR and BDSG documents, address the practical guide German Implementation of the GDPR.
There are some other regulations that deal with personal information protection and can make a considerable impact on the monitoring policy of employers. A list of these laws includes:
According to German legislation, those employers who allow employees using their communications systems for personal purposes are referred to as either providers of telecommunication services based on the TKG or providers of telemedia services based on the TMG. Both documents limit or forbid monitoring, collecting and processing data taken from private communications and activity of individuals on websites by employers who serve as providers.
The Telemedia Act conditions, which regulate the processing of data related to an employee’s access to sites by their employers in the role of telemedia service providers, were initially determined by the European Directive.
Nowadays, the TMG terms are not officially congruent with the GDPR principles. Nevertheless, this practical guide takes them into consideration. The TKG conditions, in their turn, are more based on the ePrivacy Directive and have no relation to the EU Directive. Therefore, they officially regulate employee monitoring activity (Article 95 of the GDPR).
In case the usage of communications systems for personal purposes is forbidden by employers, the TMG and TKG provisions do not make any influence on the tracking policy. If you are interested in more detailed information concerning this issue, pay attention to the section Peculiarities of Using Communications Systems Owned by Employers.
Some authorities in Germany have developed special instructions on the process of tracking communications systems in companies. All these guides are not linked with each other, but they explain the authorities’ point of view concerning data protection laws functioning in Germany. A good example of such activity is the introduction of a guideline on tracking and applying electronic communications means in a company represented by the Conference of Federal and State Authorities of Data Protection in 2016. This instruction describes those terms according to which:
This instruction is represented in German and uploaded to websites of data protection authorities.
According to Article 88 of the GDPR, all member-countries of the European Union have the right to implement specific regulations related to processing personal information of employees. As a result, the BDSG contains more extended rules for data processing. The 26th section of this document allows entrepreneurs to collect, process and utilize personal information of employees in case it is necessary for the employment process including:
As far as Section 26 (1) of the BDSG is concerned, employers can also gather, process and utilize personal data of workers for the purpose of crime investigation if the following four conditions are observed:
According to this section of the BDSG, employee tracking cannot be legal if there is no need:
If an employer cannot justify his or her actions based on the 26th Section of the BDSG, it is possible to appeal to Article 6 of the GDPR. According to the first part of this article, it is allowable to process information if it is necessary for protecting the legal interests of an employer. However, they cannot be outweighed by employees’ confidentiality interests. This article is actually not applicable to personal information of employees if compared with the BDSG Section 26. But in some cases, entrepreneurs’ actions can still be justified in accordance with the sixth Article of the GDPR, for instance, when the processing of workers’ personal information can help avoid fraud in a company. In this example, it is necessary for safeguarding the employer’s legal interests that have no direct connection with the labor relationship.
Business owners should not be dependent on employees’ agreement for justifying monitoring activity aside from cases when workers can provide legal consent. Such a situation is possible when employers allow employees to use their IT systems for personal purposes. Then the employers can require legal consent for limited tracking.
The BDSG does not allow or forbid business owners to practice tracking in their companies for controlling their employees in the explicit form. However, it is strictly prohibited to monitor them in some locations where a high level of privacy should be guaranteed. This refers to changing rooms, WC, etc. It is reasonable enough for employers to use tracking only in specific cases while ensuring that such actions are completely congruent with the BDSG, GDPR and other legal regulations.
If the legal requirements on employee tracking are not met by employers, it is considered a violation of data protection law. This can finally lead to opening a case against an employer for the illegal usage of personal information. The German Federal Labor Court has recently conducted a trial concerning the usage of a key-logger for the purpose of employee tracking. Applying this program was not justified even if it showed that an employee had excessively used employer’s communication systems and access to the Internet. Therefore, this could not be considered as grounds for dismissal. In addition, this tracking activity was not specifically conducted for the purpose of crime investigation but only for checking, which was inappropriate according to that version of the BDSG, Section 32. A new variant of this law also has the same requirements stated in the 26th Section.
In case a business owner allows employees to use communications systems and access to the Internet for personal purposes, he or she does not need to rely on workers’ agreement for conducting monitoring activity according to the German legislation.
If an employer provides workers with free access to communications systems, they are entitled:
German authorities who deal with protecting personal data believe that employee tracking cannot be considered legal even if a worker gives the full agreement on an employer’s actions. The point is that the employment relationship stipulates that there is a certain kind of hierarchy between an employer and employee that influences the worker’s decision. Therefore, his or her agreement cannot be absolutely voluntary. The consent can be considered legal only if it corresponds to all the requirements of the GDPR. They are stated in the 4th (11) Article that contains the definition of agreement, the 7th Article in which terms for consent are determined, and the 6th (1) (a) Article which includes requirements for providing an agreement in certain cases.
If an employer justifies his or her monitoring as well as the processing of employees’ personal data relying on the workers’ consent, it is important to take into account its validity. The question of agreement validity depends on the following aspects:
This is regulated by the 26th (2) Section of the BDSG.
According to Article 7(1) of the GDPR, employers can rely on consent in the process of employee monitoring, but they have to:
According to the GDPR, all individuals who undergo monitoring conducted by business owners are entitled to:
According to the GDPR, every employee, as well as any other personal data owner, is entitled to be primarily informed about existence of the actual process of personal information monitoring, collecting and processing apart from specific cases stated in the 13th and 14th Articles of the GDPR and the 32nd and 33rd Sections of the BDSG.
In most cases, the information warning about conducting monitoring activity is represented in the form of:
It is also possible to place a warning about monitoring, collecting and processing personal data in a works council contract (go to Labor Contracts and Collective Agreements).
After providing employees with a notice about tracking activity, an employer is able to process the received personal information exclusively for the purposes stated in that notice. In case, he or she has another aim, a new notice should be developed according to the 13th (3) and 14th (4) Articles of the GDPR (go to Data Storage).
The GDPR determines a set of data any notice has to contain including:
According to the 13th (4) and 14th (5) Articles of the GDPR and the 32nd and 33rs Sections of the BDSG, there are certain exceptions from the main requirements on notice content. They are not applicable in the following cases:
According to Article 17 of the GDPR, workers are entitled to express their objections to the illegal tracking activity of employers and demand the deletion of all data collected in an illegitimate way. However, their rights are rather restricted when monitoring is carried out on legal grounds. In case the tracking is conducted legally relying on Article 6 (1)(e) of the GDPR that allows data processing in the interests of society or Article 6 (1) (f) that permits processing for the protection of an employer’s or third person’s legal interests and an employee rejects being monitored under certain circumstances, the employer has to cease this tracking activity.
Under the 21st (1) Article of the GDPR, a business owner is obliged to cease monitoring unless:
The BDSG Section 36 claims that employees’ abilities to protest against being monitored can be restricted if urgent interests of society overriding the legal interests of workers are observed or if the tracking is necessary according to current laws and regulations.
Tracking of an employee’s activity cannot be conducted without collecting certain types of information about non-employees because of checking workers’ emails, recording their phone calls or just implementation of CCTV monitoring. Therefore, the BDSG and GDPR are also applicable to collecting, applying and processing of personal data of those people who are not members of a company’s staff. Under these regulations, an employer is obliged to inform non-employers about probable tracking activity. The processing of non-employees’ personal information should be based on compelling legitimate grounds. Those laws and regulations that allow employee tracking do not justify the infringement of the rights of non-employers.
In case personal information about non-employees can be monitored through recording of phone calls, an employer has to provide them with a specific message notifying non-employees as both callers and recipients about the fact that:
However, it is important to mention that even such a warning cannot fully permit to collect and particularly process personal information of non-employees. It is compulsory for business owners to be supported by legitimate sources for justifying the tracking of non-employees because of conducting workers monitoring. In this case, even a specific notification about recording phone conversations is not enough.
All non-employees who happen to appear at the premises of a company should be informed in case CCTV monitoring is applied (go to Implementation of a CCTV Monitoring System at Companies’ Premises).
There are several solid legitimate reasons for monitoring non-employees’ activity and collecting their personal information according to the GDPR, such as:
Even if a person who does not work for a company communicates with a business owner or employees and is informed about carrying out monitoring activity, it is not advisable to use a tacit consent as a solid ground for justifying tracking.
According to the GDPR, all workers are entitled to limit the processing of their personal information under certain conditions. This also refers to situations when an employee expresses objections to data processing grounded on an employer’s legal interests (go to Ability to Protest against Being Monitored) (GDPR, Article 18). It is possible to read more about the issue of data processing limitations in other practice guidelines.
All employers and non-employers are entitled to get free access to data collected by an employer. They can also edit their personal information which was recorded and even delete it taking into consideration specific exceptions under the GDPR Articles 15, 16 and 17. According to this regulation, personal information owners also obtain new rights, such as:
The GDPR binds business owners to give a quick response to data owners’ inquiry. The term for giving an answer does not usually exceed one month but in some cases, it can be prolonged according to Article 12 (3). You can get familiarized with detailed information dedicated to the rights of personal data owners, as well as responsibilities of information controllers, reading other practice guidelines. The new version of the BDSG also claims that there are certain exceptions to the rights of data owners.
According to the 32nd Article of the GDPR, companies are obliged to:
Other laws and regulations in Germany also pay attention to the issue of protecting personal information.
There are some cases when it is necessary to send monitored personal information to third-party service providers, which can be situated in Germany as well as somewhere abroad, or when a foreign company conducts the tracking in the name of an employer. Those employers who decided to transmit collected personal data to some service providers or other companies are obliged to:
The demand to sign an agreement concerning information processing in the process of data transmission will not be applicable in case a third party who should receive these data wishes to obtain the information for reaching its personal aim. This subject is not considered a dependent service supplier but acting in his or her own interests. Therefore, an employer is obliged to:
The point that an employer serves as a part of a joint company structure cannot be a legal reason for transmitting employees’ personal data to other joint or holding companies situated outside the EEA, no matter whether it is sharing among two information controllers or between information processors and controllers. There are also other practical guidelines dedicated to the issues of data transmission between different companies.
There is no specific period for keeping the information collected in the process of tracking activities according to German law. Therefore, employers have the right to store personal information about employees as long as they need in order to achieve those goals for which the tracking was used taking into consideration current laws and regulations according to which a period of data keeping can be prolonged (The 5th (1 (e) and 17th (3) Articles of the GDPR). The periods of data storage can be different because of varying reasons for monitoring. In case an initial goal is achieved, an employer is obliged to delete the collected information. It can be kept for a longer time if employers are entitled to process this data.
In most cases, a period for data storage is not long. For instance, if CCTV monitoring is organized for providing a higher level of employees’ and company’s assets security and records do not show suspicious incidents, all the data should be immediately deleted. According to German authorities dealing with personal information protection, all video records should be deleted by employers within 48 hours. In case an employer needs those camera records for the purpose of crime investigating, the storage period can be prolonged.
In some cases, an employer can have other grounds for conducting monitoring activity, for example, to handle tax, archiving or accounting issues. Then it is necessary to block this personal data to prevent information processing for other intentions.
If camera tracking is based on the 4th Section of the BDSG (go to Implementation of a CCTV Monitoring System at Companies’ Premises), employers are restricted in the ability to utilize the collected video for reaching new goals. New or modified purposes are allowed only if it is necessary for:
The main laws, regulations, and guidelines dedicated to employee tracking rely on the peculiarities of using communications systems owned by employers for personal purposes of employees. The business owners can either allow or forbid the usage of these systems at their own discretion.
The prohibition to utilize employer-owned communications systems for personal purposes of employees is absolutely appropriate according to German legislation. Those employers who forbid personal usage of IT systems and the Internet:
If employers do not manage to ensure compliance with the prohibition of using communications systems for personal purposes, the TKG and TMG can be applicable.
Those business owners who forbid personal usage of telecommunications systems:
Those employers who allow employees to use IT systems and the Internet for their own purposes are targeted by the TKG as telecommunications service suppliers and by the TMG as telemedia service suppliers.
According to the TKG, business owners as service suppliers do not have the right to track employees’ private conversations. The same situation is observed with the TMG that forbids processing of the employees’ personal information, their access to sites and history of pages usage. In case the TKG and TMG are taken into account, the rights of business owners for tracking activity are strictly limited. They are able to get access to some personal data after receiving an employee’s agreement and meeting all the TKG and TMG requirements. Another way is to access some data in case of legal exceptions, for instance, when it is necessary to provide some services or detect and repair certain technical failures in IT equipment.
Those employers who allow employees to use telecommunications systems for personal purposes have to:
Employers are also entitled to conduct random checks to make sure that workers meet all the requirements and do not overuse the Internet and other IT systems. These inspections should be conducted using anonymized information unless the employers have grounds to suspect employees of the rules violation.
If employers allow employees to use communications systems for personal purposes, they have no right to track private messages sent to or from an email address that belongs to the employer. This rule is regulated by the TKG and TMG (go to Other Regulations and Allowing the Usage for Personal Purposes). According to German legislation and the TKG, the privacy of telecommunications regulations:
Even though a worker can take advantage of a corporate computer, laptop or network as well as a working email address to send a private message, employers cannot track these emails.
Those business owners who forbid employees to use IT systems and the Internet for personal purposes have more extended rights for tracking workers’ activities and can easily check their working email accounts (go to Other Regulations and Forbidding the Usage for Personal Purposes).
In case an employee utilizes a gadget for working purposes, an employer is entitled to track the use of this gadget if it:
The BYOD scheme should be organized in a proper way so that employees’ privacy rights would be congruent with the information supply requirements of a company. Introducing software that deals with mobile device management can be helpful in:
A document that informs about the BYOD approach or an employment agreement should contain an explanation about the employer’s rights and abilities to monitor and collect data from employees’ gadgets.
Employers cannot monitor employees’ own gadgets which they utilize for business goals and collect personal data from them without the workers’ agreement. Employees are legally able to agree on the tracking of their own gadgets in exchange for the right to use them for carrying out business tasks. However, German authorities claim that these employees’ agreements are not always valid (go to Agreement).
It is important to mention that employees cannot be forced to use their own gadgets for business tasks and to give consent to the tracking activity of employers. However, employers can give workers the right to make a choice. For example, if they want to use their gadgets for work, they need to agree on certain terms, including tracking and following required rules.
According to the 4th Section of the BDSG, video monitoring is allowable in places open to the public if required in case there are no grounds to consider that employees’ legal interests override the employer’s interests of tracking. CCTV monitoring can be used to:
Taking into consideration the fact that the GDPR is considered to be of a higher priority than the BDSG, those rules under the 4th Section are applicable only for using camera surveillance for society interests or according to official authorities requirements (The 6th (1) (e) and 6th (3) Articles of the GDPR).
According to German legislation, it is forbidden to implement CCTV monitoring covertly. There are only several reasons based on which it is allowed, for example, when a notification about camera monitoring can frustrate initial plans. Hidden CCTV monitoring can be justified in case of certain crime investigation because a notification about tracking can serve as a warning for a potential criminal. It is especially important for employers to find a balance between their legal interests and privacy rights of employees, particularly when hidden monitoring is applied.
It is forbidden for employers to place cameras in locations where employees have a legal right for absolute privacy, such as changing rooms, WC, and other private places. If employers fail to meet these requirements, it will be considered a violation of the German criminal legislation (Section 201a (1) of the Criminal Code).
Employers are obliged to have solid grounds for implementing CCTV monitoring. For instance, camera surveillance can be necessary to defend a company against criminals. In this case, it is usually located only at all entrances and does not violate employees’ rights.
The general requirements on CCTV tracking and notice providing do not differentiate from the rules for other types of monitoring (go to Notice and Agreement).
Business owners are able to add a notification about CCTV monitoring to a:
In case CCTV tracking is conducted in places open to the public, employers are obliged to identify the exact area of camera locations in a notification under the 4th Section of the BDSG. For this purpose, it is necessary to locate specific messages in places of surveillance for informing people about the tracking activity. This rule can be violated in case hidden monitoring is allowed.
The notification signs have to contain:
These notification signs should also explain to people where they can get more detailed information about tracking activities according to the 13th and 14th Articles of the GDPR.
The monitoring of employees’ activities in their off time is covered by the same regulations as other kinds of tracking. However, the process of employees’ off-time activity tracking stipulates that employers are more involved in the workers’ private life. Therefore, it is necessary to find a balance between the employer’s interests and employees’ rights. As a rule, the privacy and security rights of workers override the legal interests of business owners and such kind of tracking is forbidden.
But in some rare cases, it is appropriate to monitor the activities of employees in their off time, for instance, when:
Under the Works Constitution Act, works committees are entitled to practice joint determination prior to business owners starting to utilize various gadgets or programs for tracking employees’ activities. Collective labor agreements may also influence tracking provided the right of joint determination is appropriate.
The basic aim of joint determination is to provide employees with a right of voting in the process of making some business decisions. Employees have to select some representatives for taking part in discussions of the works committee. The joint determination right is applicable even if the main aim of some gadgets or programs is not employee monitoring.
Labor contracts can also include information about tracking. For instance, a business owner can allow using IT systems and the Internet for personal purposes if an employee agrees on being monitored.
Premeditated or careless violation of laws and regulations on personal data protection is considered an administrative offense and leads to paying a fine in the sum of €20, 000, 000 according to the 83rd Article of the GDPR. Furthermore, there are cases when even criminal sanctions can be applied. For instance, the illegal procession of personal information that was not open to the public is a crime that can be punished with up to two years of imprisonment in case those actions were conducted for obtaining certain property or money or doing harm to employees or other people.
A failure to meet the requirements of privacy of communications (go to Other Regulations) is also a criminal offense and leads to a fine or an up to five years imprisonment under the Criminal Code of Germany.
CCTV monitoring in private areas such as changing rooms or WC is a criminal offense and can be punished by a 2-year sentence or fine according to the Criminal Code (go to Placing Video Cameras).