Germany: Bundesarbeitsgericht ruling on keylogging monitoring “in line with existing jurisprudence”

Germany: Bundesarbeitsgericht ruling on keylogging monitoring “in line with existing jurisprudence”
August 03 14:52 2017 Print This Article

The Federal Labour Court (‘Bundesarbeitsgericht’) issued, on 27 July 2017, its decision in an employment dispute regarding the termination of an employee’s contract following data collected by his employer through keylogging software. In particular, the Bundesarbeitsgericht ruled that the use of keylogging software was unlawful under Section 32(1) of the Federal Data Protection Act 2003 (‘the Act’), given that the employer had no reason to believe that the employee had committed a criminal offence.

Dr. Marc Hilber, Partner at Oppenhoff & Partner, told DataGuidance, “The judgement is in line with the existing jurisprudence according to which full online monitoring (such as keylogging or video taping) is only permissible in extraordinary cases. Such a strong intrusion into the employee’s sphere of privacy requires a specific suspicion based on facts. Employers should therefore firstly establish a suspicion by [gathering facts]; attempt to apply less intrusive means to monitor the employee, such as background or other checks; and involve a data protection officer and/or workers’ council.”

Section 32(1) of the Act allows employers to collect and process employees’ personal data or use it to detect crimes, only where there is a documented reason to believe the data subject has committed a crime while employed; the collection, processing or use of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in restricting the collection, processing or use; and in particular the type and extents of investigation are not disproportionate to the reason.

Hilber continued, “Precautionary monitoring is permissible within strict limits, for example, it is permissible to conduct precautionary compliance checks (i.e. checks without a specific suspicion). The employer also has to conduct the monitoring in the most limited scope possible and by using the least intrusive means. Any monitoring by way of software requires the consent of a workers’ council and monitoring cannot be based on the employees’ consent because, as a rule, such consent is not deemed to be provided voluntarily. Monitoring can thus be based on statutory rights (most importantly on legitimate interest) or, from a practical perspective, on a shop agreement concluded with the workers’ council. Further restrictions apply in the case of email and telephone monitoring where the employer has allowed private use.”

[E]mployers should […] think about the prevention of internet misuse rather than about technologies to detect misuses

The approach adopted by the Bundesarbeitsgericht is in line with that considered by the Article 29 Working Party (‘WP29’) in its opinion on employee monitoring, and in particular the deployment of software that has the capability to log keystrokes and mouse movements. The WP29 stated that the processing involved in such technologies is disproportionate and an employer is unlikely to have a legitimate interest in recording an employee’s keystrokes and mouse movements.

Dr. Karsten Krupna, Partner at PLANIT // LEGAL, commented, “As a general rule, permanent monitoring of employee behaviour, in contrast to temporary checks, would always be considered an encroachment on the fundamental rights of the employee. This legal assessment will also apply under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), since Germany, under Article 88 of the GDPR, established a provision equivalent to Section 32 of the Act in Section 26 of the [new] Federal Data Protection Act 2017. Regardless of the specific provisions in Germany, employers within the EU should bear in mind that the monitoring of electronic communications in the workplace […] always requires careful consideration of the purpose of the processing and the fundamental rights of the employee. Therefore, any actions to mitigate or reduce the scale and impact of such data processing should especially be taken into account. As a consequence employers should, for instance, think about the prevention of internet misuse rather than about technologies to detect misuses.”

Cristina Ulessi | Privacy Analyst

This article and associated image was originally published here:

  Article "tagged" as:
view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment

1 Comment

  1. bennett mayo
    August 21, 03:43 #1 bennett mayo

    Have you ever thought about including a little bit more than just
    your articles? I mean, what you say is valuable and everything.

    But imagine if you added some great images or video clips to
    give your posts more, “pop”! Your content is excellent but with images and videos,
    this website could undeniably be one of the greatest in its field.
    Very good blog!

    Reply to this comment

Add a Comment