Data protection of employees in connection with service PCs

In a ruling dated February 7, 2020, the Cologne Regional Labor Court decided that an employer can terminate without notice an employee who uses his company laptop excessively for private purposes during working hours, contrary to a prior agreement (case number 4 Sa 329/19). The case in question involved several months in which the employee used the company laptop on several days in a row and for several hours each time for private Internet research, private e-mail traffic and other activities outside of his employment relationship.

From a purely practical point of view, it is of course understandable that such far-reaching work time fraud constitutes a special reason as required for termination without notice. However, the question also arose in the trial whether the employer is allowed to view the employee's browser and email history and use it as evidence in court.

Procedural prohibitions on the use of evidence?

The use of the employee's browser and email history could be prohibited by a procedural prohibition on the use of evidence. Procedural prohibitions on the use of evidence prohibit the use of certain existing evidence per se in accordance with the applicable procedural law.

If the employee and employer are in court, the Code of Civil Procedure and the Labor Court Act are applied. These laws only prohibit the use of evidence as exceptions that require justification. In other words, anything that one of the parties introduces as evidence may also be used in the trial, unless reasons are given to the contrary.

The use of the browser and email history would therefore have to be prohibited by a special law, otherwise it may be used as evidence.

Constitutional prohibition of exploitation?

The prohibition of exploitation could result from the fact that fundamental rights of the employee are violated.

Browser and email history are personal data in the sense of the GDPR. After all, it is possible to tell from the browser history when the user accessed which website. A service laptop can also be assigned to a specific person, so that there is a definable personal reference. In the case of the email history, this is of course already evident from the recipient and sender details.

Personal data is primarily protected by the fundamental right to informational self-determination. Within the scope of this, however, the employer's interest in exploitation and in the functioning administration of justice must outweigh the interest in protecting the employee's fundamental right to informational self-determination, so that the employer was allowed to exploit the data. The severity of the interference must also be taken into account.

If the employer processes the data secretly, this speaks for a considerable violation of the employee's fundamental right. The same applies if the employer has a purely evidentiary interest in the processing. It must prove from the further circumstances just the kind of the information procurement and evidence collection as justified and thus as in need of protection, so that he may use the data.

If the employer processes the employee's browser and email history precisely in order to prove working time fraud (purely evidentiary interest), the fundamental right to informational self-determination is unjustifiably violated here. Accordingly, the data may not be used as evidence.

Justification under data protection law?

If, as here, personal data is being processed, data protection law could provide a remedy. After all, data protection law provides a number of justifications for data processing.

...by consent?

First of all, consent pursuant to Art. 6 I 1 lit. a DSGVO must be considered. In the case decided by the court, the employee and the employer had agreed in a contract on the provision of the laptop that "the employer shall check and evaluate the data located on the work equipment for purposes of allocation to business or private transactions". However, this "consent" is formulated too imprecisely and too broadly. The employee was unable to recognize the scope of the declaration because it was not clear which data would be checked and whether, for example, private emails would also be affected.

The consent is legally invalid.

...by other permissions?

The employer could base the processing of the browser and email history on § 26 I BDSG.

According to this, personal data of an employee may be collected, processed or used for purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after its establishment, for its implementation or termination.

Due to the signed agreement on the transfer of use, it was clear that data must be stored for control purposes. The stored data is then subjected to abuse control, for example, to determine private uses that violate the contractual agreement. Thus, the storage and evaluation of the data are necessary for the performance of the employment relationship. The employer has a legitimate interest in collecting this data.

The employer can base the processing on Section 26 I BDSG and also introduce the data as evidence in the process.

Conclusion

If an employee is provided with means by which the employer collects personal data, there are many (data protection) legal pitfalls to consider. In any case, explicit regulations on the use and verification of the means should be recorded. A number of provisions and areas of law intertwine here. Expert advice is essential in this regard.