Trust is good, but control is better?
At least according to a study by the software comparison platform GetApp, this is how many SMEs in Germany seem to see it:
27% of the managers surveyed stated that they had already used employee monitoring software before the corona pandemic.
As a result of the pandemic — and the associated sharp increase in working from home — the use of such software increased significantly once again and rose to a total of 38%.
The topic of employee monitoring is therefore very topical and, in light of the increasingly established location-independent work models, it will probably continue to be so in the future.
But beware: Not everything that is technically possible is also legally admissible!
On the one hand, employee monitoring finds its limits in Basic Law (GG), in particular in the employee's personal rights (Art. 2 para. 1 in conjunction with Art. 1 para. 1 GG), and on the other hand in Federal Data Protection Act (BDSG) as well as the General Data Protection Regulation (GDPR).
Fully qualified lawyer & data protection expert Gina Bleckmann from Fresh Compliance in the following interview on:
Dear Gina, are there cases where monitoring is permitted in the workplace? Which requirements must be met?
In principle, the employer is prohibited from carrying out any form of monitoring, unless permission is obtained from Laws, legislations or from express consents by affected employees to process personal data.
As part of the employment relationship, the legal basis is the employment contract in conjunction with Section 26 (1) BDSG.
According to this, personal data of employees may be processed for employment purposes (monitoring measure) if this is necessary to establish, carry out or terminate the employment relationship.
For example, if the employer wants to upload a picture of the employee to the company website, this is usually not necessary to carry out the employment relationship.
In this case, he requires the consent of the employees in accordance with Section 26 (2) BDSG.
The use of a chat tool for groups such as Microsoft Teams also generally requires information about the functions and regular consent of the employees using it, in particular if the employer has such functions available to control the employees in their work.
For larger companies with a works council, this requirement can be met through a works agreement.
If consent is necessary, however, it should be noted that it must always be given voluntarily.
The degree of dependence of the employee on the employer and the circumstances under which the employee should give his consent are decisive for the assessment of voluntariness.
In addition, the monitoring measure must legitimate purpose follow and the Principle of proportionality suffice.
This means that the employer's interest, such as the protection of data, must be balanced with the employee's right to informational self-determination.
However, if the employer has a specific suspicion that the employee is harming the company (serious breach of duty) or wants to commit a criminal offence, he can monitor this without having to obtain his consent beforehand.
This is because processing is then necessary to protect the legitimate interests of the person responsible and the interests or fundamental rights of the employee must withdraw therefrom, Art. 6 para. 1 f) GDPR.
To what extent or why are data protection requirements relevant for employee monitoring?
Not only are there regulations in the BDSG, but the GDPR has also addressed data protection in employee monitoring.
Although the employer is subject to data protection limits when monitoring the employee, he is also forced to control his employees under certain circumstances.
Increased work from home plays a special role here, as the employer has less insight into the day-to-day work of employees outside the office; as a result, his desire for control has increased.
In both cases, i.e. not only in the office but also when working at home, the environment should be equipped in such a way that both confidentiality as well as the availability that data is guaranteed.
What is decisive here is how the work environment Is designed which hardware is used or how paper documents are handled.
Ideally, the workplace is selected in such a way that no third parties have access to the computer and telephone calls take place in a separate room.
In particular, for the Home office a business notebook will be provided.
However, it should be noted that the general standards of the GDPR on the admissibility of employee monitoring (employment protection) can only be applied if the national legislator has not made its own rules (see Art. 88 GDPR).
But even within this framework, a variety of means of monitoring and control are possible.
For example, logging in and out of a computer or activity on the company network.
However, permanent monitoring of employees by the employer is prohibited - even when working from home.
Even the use of a monitoring software comes into consideration.
In this case, the first step is to check the purpose of monitoring.
The employer's interest in monitoring must then be balanced with the intensity of intervention in the interests and fundamental rights of the employee.
A fair balance must also be found here.
Can only be used to a limited extent, is a video surveillance, on which personal data of employees is processed.
For example, this is always prohibited in changing rooms or toilets.
The situation is different at a bank branch counter, as monitoring there is usually in the interest of both parties.
After all, an employee also strives for the greatest possible protection against attacks.
However, should the protection of their data and image be more important to the employee, a balance must be made again.
However, the employer's interest in video surveillance will usually prevail.
Video surveillance is only permitted in publicly accessible areas if the requirements of Section 4 BDSG are met.
These are met if they are necessary to fulfill the duties of public authorities or to exercise house rights or to exercise legitimate interests for specifically defined purposes.
However, monitoring may never serve to spy on employees.
Even the use of a Software keyloggers is inadmissible without suspicion of a criminal offence or serious breach of duty.
This is because a keylogger records all keystrokes on the employee's work computer, saves them and takes screenshots.
It is important to know that random checks of Internet browser history data are permitted in order to verify compliance with a complete ban on private use of IT facilities set by the employer.
However, even such findings cannot be used in court proceedings.
The recommendation of the data protection authorities is particularly interesting professional email accounts prohibited for private use, as employee consent in the event of an acute internal investigation can be both practical and legally problematic.
This is because employees have the option to withdraw their consent at any time.
Data protection authorities therefore often regard such consents as inadmissible, as they are generally not given freely and without coercion.
What are important rules in the area of data protection that employers must pay attention to in this context?
The most important rule in the area of data protection is that employers should always inform themselves in advance to what extent they may use monitoring measures - in a permissible manner.
Because without a corresponding permission — usually the consents by the person concerned — processing of personal data is prohibited.
This is because the employer must always comply with data protection principles such as necessity, proportionality, data minimization, transparency and permission provided by a legal basis.
This results in limiting the measures to what is absolutely necessary and documenting the legal basis for the data protection law for the search, the restriction of access rights and a transparent information to employees.
In particular, determining the correct data protection law requires legal basis a careful analysis.
If the employee suspects a criminal offence or serious breaches of duty, a legal basis is no problem.
However, this also requires documented evidence of a criminal offence, that the search is necessary and that the interests of the employee worthy of protection do not outweigh those of the employer.
Because the employer will often IT tools use confidential customer data, trade secrets and personal data unauthorised third parties to protect.
The purpose of these tools is therefore primarily to prevent access to personal data.
They are classified as technical and organizational measures within the meaning of Article 32 GDPR.
The use of such IT tools is problematic, for example, when the company email account can also be used privately, as the above-mentioned data protection principles must also be complied with in this case.
It is therefore recommended to use pseudonyms instead of full names of employees.
It is also recommended to integrate an automated warning system, which points out possible misconduct.
What happens in the event of violations?
A violation of the GDPR can result in fines of up to 20 million euros be punished if employee data protection is violated.
Should general personal rights be violated as a result of employee monitoring, the employee may also assert claims for compensation in accordance with Section 823 (1) BGB.
In addition, the affected employees, for example when uncovering illegal monitoring, are entitled to immediate omission and elimination of continuing effects.
In the event of an action for protection against dismissal, it is interesting that unauthorized surveillance measures, which usually contain personal data, can be attacked as evidence and are usually not usable in court.
In such cases, the employer's dismissal fails.
This is because such unauthorised monitoring measures represent an unlawful encroachment on the right to informational self-determination.
Conclusion:
Finally, it can be stated that employee monitoring is generally only permitted on the basis of permission — usually consent.
Exceptions to this include, for example, the existence of the employer's legitimate interest (weighing up with the interests of the employees) or the suspicion of serious breaches of duty or the commission of criminal offences by the employee.
Thank you Gina!
Are you particularly interested in data protection issues? We are also happy to recommend this Blog articles!