Personal data must be handled with particular care

At the very latest following what happened at Deutsche Bahn and Lidl, the handling of employee data has become a particularly sensitive topic. The legislator has reacted and will most likely introduce new provisions to protect such data; its proposals are the subject of heated debate. For this reason, many IT officers are currently hesitant to send their employee data off into the cloud, especially into a public one. Alan Hippe, CIO at the Basel pharmaceutical group Roche, is doing so nevertheless: in future, more than 90,000 employees throughout the world will obtain their e-mail and calendar applications from Google via the public cloud. Applications can now be released for use through a simple dashboard, and employees worldwide can retrieve data via a standard internet browser. Could it be that the cloud is safe after all?

E-mails sent and received by employees and their calendar data are personal data in the sense of the German Federal Data Protection Act. According to the Act, an employer may process this data to the extent it is necessary to execute the employment relationship. This does not smooth the way into the cloud, however.

Employers may, however, also make use of the services of commissioned data processors, i.e. IT service providers, provided that these act according to the directions and subject to the control of the employer. Service providers such as Google will have to curb their own appetite for data, for data may not be accessed for the processor's own purposes. If data is to be processed outside of the EU, the employer must ensure a reasonable level of data protection. To this end, pan-EU standard contractual clauses (issued by the EU Commission) are usually agreed.

However, further restrictions apply if an employer permits private e-mail correspondence, because the employer then becomes a telecommunications service provider. In this case the employer is prohibited, for example, from gaining knowledge of the content of private e-mails. With the corresponding preventative measures, however, the use of cloud computing services is also possible in these scenarios, at least within the EU.

Another point to be borne in mind is co-determination: even before the decision to introduce cloud computing services is reached, the works council must be informed of the company's plans, and planning documentation must be presented in good time. The works council can also enforce its rights to be notified and consulted by way of an injunction. The introduction of cloud computing services could also be seen as a change of business, resulting in further rights of consultation and participation.

Also subject to co-determination are the introduction and application of technical installations which are objectively suited to monitor the conduct and performance of employees – which is, as a rule, the case with cloud computing applications. The fact that the enterprise itself has no control over the technology is not decisive in this connection, according to the courts. A shop agreement will therefore have to be concluded with the works council on "whether" the system is to be introduced and "how" such system would be structured and used.

If the transfer into the cloud entails staff cutbacks, the employer is even obliged to endeavour to reach a compromise of interests with the works council and, if possible, subsequently conclude a social plan.

Hence, the legal aspects triggered by transferring employee data into the cloud need to be carefully planned. Of help here are certificates such as those of EuroCloud Germany. Once successfully started, the use of cloud computing services should be monitored and regularly checked within the company. A survey conducted by the service provider Avanade amongst 570 IT officers showed that 64% of the persons interviewed feared that they would suffer disadvantages through the uncontrolled growth of cloud services. These disadvantages can be avoided, firstly, through application blockers at the IT level; secondly, it is also sensible for employers to issue clear labour-law related instructions. If the cloud computing application is legally permissible, the employer can oblige the employee to use the new technology within the scope of the employer's right of direction.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.