On August 25 the German Federal Government approved a draft bill (click here for the German version) on employee data protection to be implemented in Sec. 32 – 32l of the German Federal Data Protection Act (Bundesdatenschutzgesetz – FDPA). This draft is disappointing from a business perspective. It includes some reasonable and acceptable provisions, yet fails to achieve its own goals, i.e. to provide practicable guidance: Many open questions of utmost importance for businesses remain unanswered. In fact, the draft bill consists of a sequence of reactions to each of the German "data protection scandals" over recent years. It is hard to see systematic solutions that will work permanently. In some cases, the drafting seems poor and new undefined terms and restrictions are introduced that certainly will cause new problems.
In this Newsflash we present to you the most important rules and possible weaknesses of the draft bill (hereinafter "D") from a business perspective. We will keep you informed about further developments and the final bill.
The relationship to other legal permissions:
The relationship to other legal permissions remains unclear.
- Based on the reasoning of the draft, it will still be possible to make use of the general justifications (e.g. the legitimate interest exemption) as in Sec. 28 FDPA; however, the bill does not contain an explicit provision on this.
- In general, the draft clarifies that shop agreements may be concluded with works councils on data protection (Sec. 4 para. 1 sentence 2 D); however, the important question of whether or not it is possible to deviate from statutory exemptions by shop agreements, has not been answered.
- Employee consent will be invalid unless explicitly allowed by the FDPA (Sec. 32l D); this will even apply to cases where consent has been accepted to date, such as stock option plans or the consent with respect to certain conditions for the private use of telecommunications services.
Handling personal data in the course of applications:
Specific rules (Sec. 32, 32a, 32b D) will be introduced on job applications regulating which personal data may be processed, from what sources data may be collected and when medical tests or other tests are permissible.
- A remarkable provision of the draft on the collection of personal data on the internet distinguishes between social networks that are primarily used for the presentation of professional qualifications and which, hence, may be accessed by an employer when evaluating applications (Sec. 32 para. 6 D), and other social networks which employers may not use. This distinction will be hard to put into practice, since it neither accounts for future technical developments nor for the fact that search engines will show content from protected social networks.
- The provision on the deletion of the applicants' data in case of a denial of the application (Sec. 32b para. 3 D) is misleading and does not provide guidance on how long data may be stored, e.g. for purposes of proving compliance with anti-discrimination laws.
- The draft bill combines restrictive provisions with unclear terms. For example, based on Sec. 32b para. 5 D, it will be prohibited to combine "life data and HR data" to create an "overall picture of the essential mental capacity or character" of an individual. How a well-based decision on the application should be made or how, later on, a well-based letter of reference should be produced, is left unanswered.
Handling personal data in the course of existing employment relationships:
Numerous general provisions exist on collection and processing for purposes of the employment relationship (Sec. 32c, 32d D), without material changes to the currently applicable law. The draft bill contains more specific rules on the use of positioning (Sec. 32g D) and biometric (Sec. 32h D) systems.
Internal investigation and monitoring:
There will be more detailed rules on internal investigations and the monitoring of employees. The currently applicable rule on investigations based on an actual suspicion, as contained in Sec. 32 FDPA, will be amended (Sec. 32e D) by adding rules on the retention period, admissible investigative measures and an absolute barrier for data concerning the core of an employee's privacy. In particular:
- Hidden video surveillance will no longer be permissible, not even when complying with the strict rules of current case law. Hence, in some cases, employers may not have any possibility of investigating. The draft bill provides new rules for open video surveillance within the employers' premises (Sec. 32f D).
- The limitations on the scope of investigations in Sec. 32e para. 4 D are unreasonable in practice. In particular, the draft provides that any surveillance shall be limited to a maximum of four days or 24 hours non-stop. The investigation of complex white-collar crime or corruption under these conditions will often prove impossible.
- The prohibition on the use of data relating to the core of privacy is likely to pose more questions than answers (Sec. 32e para. 7 D).
The draft specifically regulates internal controls without specific cause for purposes of detecting crimes or other infringements (Sec. 32d para. 3 D). Any such control is only permissible if, in the first step, only anonymous or aliased data are used.
- However, these provisions do not comply with business reality. The daily tasks of internal audit or compliance departments will often relate to other purposes which are not mentioned in the draft bill or the underlying reasoning of the draft bill).
The use of telecommunications services at the work place:
In relation to telecommunications services which are exclusively used for business purposes, there will be a provision (Sec. 32i D) corresponding largely to current practice and case law. The content of telephone calls is regulated more strictly than the content of email and internet; apart from any monitoring based on actual suspicions, it will only be possible to carry out controls in some limited scenarios.
- The biggest failure of the draft bill is that regulations on the handling of data derived from the private use of telecommunications services at the work place are missing entirely. Neither the draft bill nor its reasoning include a single word (!) on the private use of telecommunications services at the work place. Based on the background paper of the German Interior Secretary (please click here for the German version), the current law shall continue to apply, according to which the employer is considered to be a telecommunications services provider vis-à-vis the employees and is thus subject to the stricter data protection rules of the German Telecommunications Act and telecommunications secrecy and, hence, may neither access the content of private email communications nor, if no separation can be ensured, of work-related emails. It is doubtful whether or not the solution commonly proposed so far, based on shop agreements with works councils and individual consents, will still be available because employees' consent, in general, will be considered invalid. In practice, this will mean that any private use of telecommunications services should be prohibited (the control of such restrictions will be possible under the new law).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.