Employee's Data Protection
Veröffentlicht von Dr. Andreas Kaiser am 20.04.2018
Covert surveillance of employee - non-competition duty
Pursuant to current section 32 para 1 Federal Data Protection Act (FDPA) personal data of an employee may be collected, processed or used (1) for employment-related purposes where necessary for hiring decisions or, after hiring, for performing or terminating the employment contract, and (2) to detect criminal offenses only if there is a documented reason to believe the data subject has committed a criminal offense while employed.
In its judgment of 29 June 2017 (2 AZR 597/16) the Federal Labour Court held that a covert surveillance measure initiated by the employer to uncover a concrete suspicion of a serious breach of duty (here a suspected infringement of non-competition duty) on the part of the employee based on facts may be permissible under section 32 para 1 sentence 1 FDPA.
In this case the employer suspected that his employee was competing in the company of the employee's sons. The employer had the employee monitored by detectives who collected evidence that led to the dismissal of the employee.
Furthermore, where the data collection neither serve the detection of criminal offenses within the meaning of § 32 para 1 sentence 2 FDPA nor other purposes of employment within the meaning of sec. 32 para 1 sentence 1 FDPA, such measure may also be initiated by the employer "for the protection of legitimate interests" within section 28 para 1 sentence 1 no. 2 FDPA.
The covert surveillance of an employee suspected of serious breach of duty is only permissible under conditions comparable to those for the detection of a criminal offense, namely must be necessary, not outweighed by employee’s interest and proportionate.
Covert surveillance - key logger
In another judgment on covert surveillance the Federal Labour Court held the use of a software key logger, with all keystrokes recorded on a business computer for covert surveillance and control of the employee, is inadmissible under sec 32 para 1 FDPA, if not based on employee related specific facts that support reasoned suspicion of a criminal offense or other serious breach of duty. The knowledge gained by the key logger about the private activities of the employee may not be used in court proceedings (Federal Labour Court, Judgment 27 July 2017 – 2 AZR 681/16).
"Deputy" data protection officer - special termination protection
If an entity that is subject to the obligation to appoint a data protection officer in accordance with sec 4f para 1 FDPA has several internal data protection officers, they can all acquire special protection against termination pursuant to sec 4f para 3 sentences 5, 6 FDPA (Federal Labour Court, Judgment 27 July 2017 – 2 AZR 812/16).
Co-determination of the works council on the Facebook appearance of the employer
An employer-operated Facebook page that allows users of Facebook to post about the behaviour and performance of employed workers through the Visitor Posts feature is a technical tool used to monitor workers. Sec 87 para 1 no. 6 Works Constitution Act. The provision of the function "Visitor Posts" is subject to the co-determination of the works council (Federal Labour Court, Order 13 December 2016 -1 ABR 7/15 -).
Section 26 of new FDPA 2018
The new Federal Data Protection Act, adapted to the EU Data Protection General Regulation 2016/679 (GDPR), will be effective as of 25 May 2018. With regards to employee’s data protection, section 26 is relevant. The new section 26 "Data processing for employment purposes" will replace the current section 32 FDPA and reads as follows :
(1) Personal data of employees may be processed for the purpose of employment if this is necessary for the decision to establish an employment relationship or after establishment of the employment relationship for its implementation or termination or insofar necessary for the exercise or fulfilment of the rights and obligations of the employee’s interest groups deriving from statute or bargaining agreement, business or service agreement (collective agreement). In order to detect criminal offenses, personal data of employees may only be processed if the factual evidence to be substantiated justifies the suspicion that the person concerned has committed an offense in the employment relationship, the processing is necessary to detect the offence and the legitimate interest of the employee or employees to exclusion of processing does not predominate, in particular its nature and extent are not disproportionate to the occasion.
(2) If the processing of personal data of employees is based on consent, the judgment on the voluntary nature of the consent shall take into account, in particular, the dependence of the employed person in the employment relationship and the circumstances in which the consent was granted. Voluntariness may in particular exist if the employed person has a legal or economic advantage or if the employer and employed person pursue equal interests. The consent must be made in writing unless another form is appropriate due to special circumstances. The employer shall inform the employed person of the purpose of the data processing and of its right of withdrawal in accordance with Article 7 (3) of Regulation (EU) 2016/679 in text form.
(3) By way of derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data within the meaning of Article 9 (1) of Regulation (EU) 2016/679 for employment purposes shall be allowed if it is necessary for the exercise of rights or to fulfil legal obligations arising from employment, social security and social protection legislation and there is no reason to believe that the data subject's legitimate interest in excluding processing is outweighed. Paragraph 2 also applies to consent to the processing of special categories of personal data; the consent must explicitly refer to this data. Section 22 (2) shall apply accordingly.
(4) The processing of personal data, including special categories of personal data of employees for employment purposes on the basis of collective agreements is authorized. The negotiating parties must comply with Article 88 (2) of Regulation (EU) 2016/679.
(5) The controller must take appropriate measures to ensure that, in particular, the principles for the processing of personal data set out in Article 5 of Regulation (EU) 2016/679 are respected.
(6) The participation rights of employees' interest groups remain unaffected.
(7) Paragraphs 1 to 6 shall also apply when personal data, including special categories of personal data, are processed of employees without their being stored in a file system or intended being stored.
(8) Employees within the meaning of this Act are: [...]
Zuletzt geändert am: 15.06.2018 um 05:17