Personal data must be handled with particular care
Since the events at Deutsche Bahn and Lidl at the very latest,
the handling of employee data has become a particularly
sensitive topic. The legislator has reacted and will most likely
introduce new provisions to protect such data; its proposals are
the subject of heated debate. For this reason, many IT officers are
currently hesitant to send their employee data off into the cloud,
especially into a public one. Alan Hippe, CIO at the Basel
pharmaceutical group Roche, is doing so nevertheless: More than
90,000 employees throughout the world will be obtaining their
e-mail and calendar applications from Google out of the public
cloud in future. Applications can now be released for use using a
simple dashboard, and data can be retrieved by employees worldwide via
the standard internet browser. Could it be that the cloud is safe
E-mails sent and received by employees and their calendar data
are personal data in the sense of the German Federal Data
Protection Act. According to the Act, an employer may process this
data to the extent it is necessary to execute the employment
relationship. This does not smooth the way into the cloud,
Employers may, however, also make use of the services of
commissioned data processors, i.e. IT service providers, provided
that these act according to the directions and subject to the
control of the employer. Service providers such as Google will have
to curb their own appetite for data, for data may not be accessed
for the processor's own purposes. If data is to be processed
outside of the EU, the employer must ensure a reasonable level of
data protection. To this end, pan-EU standard contractual clauses
(issued by the EU Commission) are usually agreed.
However, further restrictions apply if an employer permits
private e-mail correspondence, as it becomes a telecommunications
service provider. In this case, the employer's knowledge of the
content of private e-mails, for example, is prohibited. With the
corresponding preventative measures, however, at least within the
EU, the use of cloud computing services is also possible in these
Another point to be borne in mind is co-determination: even
before a decision is reached on the introduction of cloud
computing services, the works council must be informed of the
company's plans, and planning documentation must be presented in
good time. The works council can also enforce its rights to be
notified and consulted by way of an injunction. The introduction of
cloud computing services could also be seen as a change of
business, resulting in further rights of consultation and
Also subject to co-determination are the introduction and
application of technical installations which are objectively suited
to monitor the conduct and performance of employees –
which is, as a rule, the case with cloud computing applications.
The fact that the enterprise itself has no control over the
technology is not decisive in this connection, according to the
courts. A shop agreement will therefore have to be concluded with
the works council on "whether" the system is to be
introduced and "how" such system would be structured and
If the transfer into the cloud entails staff cutbacks, the
employer is even obliged to endeavour to reach a compromise of
interests with the works council and, if possible, subsequently
conclude a social plan.
Hence, the legal aspects triggered by transferring employee data
into the cloud need to be carefully planned. Of help here are
certificates such as those of EuroCloud Germany. Once successfully
started, the use of cloud computing services should be monitored
and regularly controlled within the company. A survey conducted by
the service provider Avanade amongst 570 IT officers showed that
64% of the persons interviewed feared that they would suffer
disadvantages through the uncontrolled growth of cloud services.
These can be avoided, firstly, through application blockers at the
IT level; secondly, it is also sensible for employers
to issue clear labour-law related instructions. If the cloud
computing application is legally permissible, the employer can
oblige the employee to use the new technology within the scope of
its employer's right of direction.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.