Germany’s Long Way to Tighter Employee Data Protection Laws
By Ute Krudewagen
Baker & McKenzie
During the past year, several employee data protection scandals have caught public attention in Germany. Deutsche Bahn, Germany’s state-owned railway company, came under media scrutiny because its headquarters automatically cross-checked all suppliers’ account data against the data of its employees to uncover cases of bribery.
In October 2009, the company agreed to pay a fine of more than Euro 1.1 million. Meanwhile, Deutsche Telekom, Germany’s telecom giant, received negative publicity for monitoring the private telephone bills of several members of its supervisory board who happened to be employee representatives and union members. And in 2006, as a result of an internal investigation, Deutsche Telekom’s CEO Rene Obermann had to admit the loss of personal account data of 17 million clients.
Another worst-case scenario in data security was presented by Lidl, a German supermarket chain. The company made headlines for having detectives monitor its employees at their workplace, in the dressing rooms, and in their private homes. The investigation reports included information about tattoos, possible love affairs among employees, and the cleanliness of employees’ underwear. The public outrage was immense and Lidl was fined Euro 1.5 million. The company apologized to the public and promised to do better. However, a few months later, the company once again violated data protection laws. A woman found dozens of files containing confidential employee data in a trash bin in front of a public car wash. The files contained information about sick days, illnesses, mental disorders, and the names, private addresses, and social security numbers of Lidl employees.
Prompted by the scandals, and with federal elections held in Germany in 2009, all political parties published their own proposals for modified employee data protection laws. As a first step, however, a new provision of the German Data Protection Act entered into force on 1 September 2009. Under this provision, employee personal data, including personal data revealed by applicants, may only be collected, processed or used if it is necessary either for the application procedure or for the execution or termination of an existing employment relationship. The Federal Agency for Data Protection emphasizes in a statement on its website that these provisions apply to all data carriers, including electronic files, paper files and handwritten notes. Data that is irrelevant to the employment relationship may not be collected at all. Furthermore, employee personal data may only be collected, processed or used for the purpose of identifying criminal action committed within the context of the employment relationship if the employer has hard facts supporting a reasonable suspicion that the employee was involved in criminal actions. Employers who do not respect these new rules face severe fines.
Despite the new provision, the legislator has not yet sufficiently answered a number of practical questions about employee personal data. For example, under which circumstances may employers legally check an employee’s e-mail account? To what extent can an employer monitor the private use of the internet during working time? May data be used in court if it was collected in violation of data protection laws? Can company cars be tracked by GPS, or company mobile phones by the service provider? How long may the data of a job applicant be stored?
The newly elected German government has agreed to codify specific employee data protection laws, which are presumably to enter into force in autumn 2010. One thing is certain: the new legislation will bring about further limitations and sanctions for non-compliant employers.