Data protection of employees in connection with service PCs
In a ruling dated February 7, 2020, the Cologne Regional Labor Court decided that an employer can terminate without notice an employee who uses his company laptop excessively for private purposes during working hours, contrary to a prior agreement (case number 4 Sa 329/19). The case in question involved several months in which the employee used the company laptop on several days in a row and for several hours each time for private Internet research, private e-mail traffic and other activities outside of his employment relationship.
From a purely practical point of view, it is of course understandable that such far-reaching working time fraud constitutes a special reason, as required for termination without notice. However, the trial also raised the question of whether the employer may evaluate the employee's browser and email history and use it as evidence in court.
Procedural prohibitions on the use of evidence?
The use of the employee's browser and email history could be prohibited by a procedural prohibition on the use of evidence. Procedural prohibitions on the use of evidence prohibit the use of certain existing evidence per se in accordance with the applicable procedural law.
If the employee and employer are in court, the Code of Civil Procedure and the Labor Court Act apply. Under these laws, prohibitions on the use of evidence are exceptions that require justification. In other words, anything that one of the parties introduces as evidence may also be used in the trial, unless reasons are given to the contrary.
The use of the browser and email history would therefore have to be prohibited by a special law, otherwise it may be used as evidence.
Constitutional prohibition on the use of evidence?
A prohibition on the use of evidence could result from the fact that fundamental rights of the employee are violated.
Browser and email history are personal data within the meaning of the GDPR. After all, the browser history shows when the user accessed which website. A service laptop can also be assigned to a specific person, so that a determinable personal reference exists. In the case of email history, this is of course already evident from the recipient and sender details.
Personal data are primarily protected by the fundamental right to informational self-determination. Within this framework, the employer is allowed to use the data only if the employer's interest in using the evidence and in a functioning administration of justice outweighs the interest in protecting the employee's fundamental right to informational self-determination. The severity of the interference must also be taken into account.
If the employer processes the data secretly, this indicates a considerable violation of the employee's fundamental right. The same applies if the employer has a purely evidentiary interest in the processing. For the employer to be allowed to use the data, further circumstances must show that this particular manner of obtaining information and collecting evidence is justified and thus worthy of protection.
If the employer processes the employee's browser and email history precisely in order to prove working time fraud (purely evidentiary interest), the fundamental right to informational self-determination is unjustifiably violated here. Accordingly, the data may not be used as evidence.
Justification under data protection law?
If, as is the case here, personal data is being processed, data protection law could provide a remedy. After all, this law recognizes a number of justifications for data processing.
...by consent?
First of all, consent pursuant to Art. 6 I 1 lit. a GDPR must be considered. In the case decided by the court, the employee and the employer had agreed in a contract on the provision of the laptop that "the employer shall check and evaluate the data located on the work equipment for purposes of allocation to business or private transactions". However, this "consent" is formulated too imprecisely and too broadly. The employee was unable to recognize the scope of the declaration because it was not clear which data would be checked and whether, for example, private emails would also be affected.
The consent is legally invalid.
...by other permissions?
The employer could base the processing of the browser and email history on § 26 I BDSG.
Accordingly, personal data of an employee may be collected, processed or used for the purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after its establishment, for its implementation or termination.
It was clear from the signed agreement on the transfer of use that data would have to be stored for monitoring purposes. The stored data is then subjected to an abuse check, for example in order to detect private uses that violate the contractual agreement. The storage and evaluation of the data is therefore necessary for the performance of the employment relationship. The employer has a legitimate interest in collecting this data.
The employer can base the processing on Section 26 I BDSG and also introduce the data as evidence in the process.
Conclusion
If an employee is provided with resources through which the employer collects personal data, there are many (data protection) legal pitfalls to consider. In any case, explicit rules on the use and checking of these resources should be recorded. A number of regulations and areas of law intertwine here. Expert advice is essential here.