Employee data protection

Employee data protection is the protection of general personal rights and, in particular, the right to informational self-determination of persons in their capacity as employees in a company. The terms employee privacy, protection of personal data and operating data protection (the designation used by the DGB) are also used synonymously.

Basics

Employee data protection takes into account the special features of the employment relationship with regard to the data protection of the employee. Although the employer and employee are legally equal partners, the employer is economically and structurally superior to the employee. The employer determines the specific form of the employment contract and defines the working conditions. It directs when, where and how the employee must act. As a rule, the employee cannot evade these requirements. Where one party to a contractual relationship holds unilateral decision-making power, the constitution requires special protection for the weaker contractual partner, in particular with regard to contract content that allows encroachments on general personal rights.

General legal background

It is a widespread misconception that the employer is allowed to interfere with the employee's right to informational self-determination at its reasonable discretion. Neither the provisions of the legislature in Section 75 (2) sentence 1 of the Works Constitution Act (BetrVG) and Article 2 (2) sentence 3 of the Basic Law (GG) nor the decisions of the Federal Constitutional Court offer any discretion:

The right to informational self-determination is accessible to restriction in the predominant general interest. However, this requires a legal basis which corresponds to the rule of law requirement of clarity of norms and is proportionate (see BVerfGE 65, 1 <43 and 43>; 120, 378 <401 et seq.>; BVerfGK 10, 330 <337>). The reason, purpose and limits of the interference must be specified in the authorization in a specific, precise and standardized manner (see BVerfGE 65, 1 <44 ff.>; 100, 313 <359 and 359>; BVerfGK 10, 330 <337 and 337>).

In addition to the interventions in the right to informational self-determination authorized by the legislator, for example through fiscal legal norms (HGB, AO) and social legislation (SGB), restrictions on general personal rights can arise where they conflict with the same or higher-ranking fundamental rights of other fundamental rights holders. In addition, interventions and restrictions can be agreed individually and lawfully by contract, as long as the contract content in question does not amount to de facto external determination through unilateral determining power. Permissible interventions on a formal legal basis or through individual contractual agreements, as well as restrictions on general personal rights that arise from competition with other fundamental rights holders, are accessible to the regulatory authority of the parties to the company.

Personnel files

The basic right of the employee to informational self-determination is counterbalanced only to a limited extent by the right of the employer to collect, process and use information relevant to the employment relationship about the personality of the employee, as well as his abilities, skills and internal behavior, if this is necessary for the establishment, implementation or termination of an employment relationship. This right has been standardized in Section 32 of the Federal Data Protection Act (BDSG) since 2009. The purpose limitation of personal data obliges the employer to keep the personnel files carefully and to treat their contents confidentially. Since no legal norm allows the employer to collect and use detailed information on the health of an employee, such information, insofar as the employer gains knowledge of it through the consent of the employee, may not be a regular part of a personnel file because of its strict purpose limitation. It must be kept separate from the other content of the personnel file and specially secured against unauthorized access.

Regulations

Basic rules are already determined by the Basic Law (GG) and the Works Constitution Act (BetrVG) with regard to the participation rights of the employee representatives. Individual contractual regulations are ineffective if the regulation is subject to the BetrVG and there is no individual agreement. This participation applies exclusively to the so-called regulatory behavior, i.e. the special social behavior of the employees, but not to the work behavior, such as with occupational safety. Essential sub-areas have therefore remained open so far. This can hardly be remedied by individual contractual provisions in collective agreements. In the meantime, thanks to the DSGVO, the legislature has made its own regulation with Section 26 BDSG-new.

Provisional regulation

Despite its great practical importance, employee data protection was not explicitly regulated by law in Germany until 2009. Since 1978, practice has therefore resorted to the general regulations of the Federal Data Protection Act. Demands for the creation of a special employee data protection law were not met.

In 2008/2009 it became known that important German companies such as the food discounter Lidl and Deutsche Bahn had monitored their employees using sometimes illegal methods. The Deutsche Telekom surveillance affair received particular attention. As a result of these incidents, the federal government decided in February 2009 to resume work on an employee data protection law. As an "immediate measure", the Federal Data Protection Act was supplemented by Section 32 BDSG. This provision governs the collection, processing and use of data for the purposes of the employment relationship. It came into force on September 1, 2009.

In addition to the new § 32 BDSG, which has been in force since September 1, 2009, there are currently various area-specific regulations that (also) regulate the employees' right to informational self-determination, for example in the Telemedia Act, the Federal Officials Act, the VDU Work Ordinance, the Works Constitution Act and the Staff Representation Acts. Genetic examinations in working life have been regulated in the Genetic Diagnostics Act since February 2010.

More recent legislative activities in employee data protection

On September 4, 2009, Federal Labor Minister Olaf Scholz presented the draft for a law on data protection in employment (Employee Data Protection Act - BDatG). According to Scholz, the planned law should standardize the existing regulations and court rulings on employee data protection and close existing gaps. The draft and its submission shortly before the 2009 federal election received both praise and criticism. The coalition agreement of the second Merkel government provides for an expansion of the Federal Data Protection Act to include a separate area of employee data protection; there should no longer be a separate law. At the beginning of April 2010, the Federal Minister of the Interior introduced a first draft bill for the expanded Section 32 BDSG, which provides for a separate subsection on data collection, processing and use for the purpose of employment, with 14 numbered points under Section 32 BDSG. The change in data protection regulations in this area has been discussed for some time. The aim is to unify the inconsistent jurisprudence of the labor courts and thus create more legal certainty for employees and employers. The basis for the legal structure should be both operational practice and the previous case law of the labor courts.

On August 25, 2010, the federal cabinet passed the draft of the law regulating employee data protection. In the meantime, on December 15, 2010, Bundestag printed matter 17/4230 with a new, revised draft of an Employee Data Protection Act was published.

DGB proposals

There is a proposal from the German Trade Union Federation (DGB) on employee data protection. In particular, movement profiles and monitoring of break rooms are prohibited.

Individual regulations

As long as there is no new law on employee data protection, many rules will be decided by courts according to the principle of proportionality and on the basis of the Basic Law, the BetrVG and other individual regulations of the higher courts, the Federal Labor Court and the Federal Constitutional Court, and thus determined on a case-by-case basis.

Judicial law

Since the laws regulate data protection in the employment relationship only very incompletely and not all details are clarified by company agreements, many questions are decided by the labor courts. These include, for example, the fundamental rulings of the Federal Constitutional Court on unlawful eavesdropping on non-public communications and the Federal Labor Court on video surveillance at the workplace and eavesdropping on business telephone calls.

Works agreements

In larger companies, issues relevant to data protection are often regulated in company agreements according to the BetrVG, and in the public sector in service agreements. Such an agreement cannot justify interference with the employee's right to informational self-determination, but it can regulate it. In doing so, however, it also stipulates the limits that the employer may not exceed. Typical cases are company agreements that govern the use of e-mail and Internet services in the company, the use of trouble ticket systems, advertisements on telephone systems and the like, and that stipulate when and how the employer may monitor compliance with these usage rules.

Data protection in performance and behavior controls

Points of contact between employee data protection and the interests of the employer arise in particular when the employer carries out performance and behavior controls. If the employer has a justified interest in the controls and if the controls do not affect the rights of the employee at all or only slightly, the employer usually acts lawfully. If the employer uses technical equipment for monitoring purposes, for example video cameras, time recording systems or electronic access controls, the works or staff council has a right of co-determination (Section 87 (1) No. 6 BetrVG).

Process descriptions required for data protection in accordance with Section 4e BDSG can often be reused in company agreements or service agreements for performance and behavior control by technical facilities, thereby considerably simplifying the cooperation between the works council and the management.

Telecommunication surveillance

The Federal Constitutional Court already specified the constitutional framework for access to communication content in its decision of October 9, 2002:

  1. The protection of telecommunications secrecy ( Article 10, Paragraph 1 of the Basic Law) extends to telecommunications systems operated by private individuals.
  2. Article 10 (1) of the Basic Law establishes a right of defense against the state's knowledge of the content and the more detailed circumstances of telecommunications and an order to the state to provide protection also to the extent that private third parties gain access to the communication.

The basic right of telecommunications secrecy serves the free development of personality through an exchange of communication with the help of telecommunications. It is irrelevant what the content is and whether it is of a private, business or political nature (see BVerfGE 100, 313 <358>). The protection is not limited to the technologies and telecommunication services previously used by the Deutsche Bundespost (such as telephone, fax or teletext), but includes all information transmitted using the available telecommunication technology. The specific type of transmission (such as via cable or radio, analog or digital communication) and form of expression (such as language, images, sounds, characters or other data) are irrelevant. In view of the technological development that has taken place in the meantime, the previously common concept of telecommunications has now been replaced by that of telecommunications in other provisions of the Basic Law (cf. Art. 73 No. 7, Art. 87f GG).

According to the provisions of the BVerfG, the constitutional protection provided by Article 10, Paragraph 1 of the Basic Law applies to all content (private as well as business) and to all types of transmission (telephone, fax, VoIP, email, SMS, MMS, instant messaging / XMPP, Skype, FaceTime etc.).

Video surveillance in the workplace

Because of the monitoring pressure associated with it, video surveillance by the employer is a distinct interference with the general personal rights of the workers affected. Therefore, it is only permitted in exceptional cases. A recognized reason for permitted video surveillance is a special security requirement (e.g. video surveillance of the counter in a bank). Apart from the last resort in a self-defense or self-defense-like situation, video surveillance must be "open". Video surveillance is also subject to the codetermination of the works council.

In its decision of June 29, 2004, the Federal Labor Court dealt in great detail with a company agreement of a conciliation body for video surveillance in a company and canceled this company agreement due to serious deficiencies. In the decision of August 26, 2008, the Federal Labor Court again analyzed a company agreement on video surveillance in the company and set out the security measures on the basis of which the agreement under review (apart from a few minor errors) is acceptable. In contrast, the older BAG judgment of March 27, 2003 describes the special conditions under which unauthorized, clandestine video surveillance by the employer can be exempt from a ban on the use of evidence in a specific individual case. See also the analysis in the BAG judgment of December 16, 2010, paragraph 29ff.

In March 2008, Stern magazine reported on secret surveillance measures at the Lidl discount chain. Employees and customers were filmed and bugged without their knowledge. The company admitted that it worked “with camera systems and in branches with extremely high inventory losses for a limited time with detective agencies”. This is done to "avoid inventory losses caused by theft". Systematic spying was not wanted. In September 2008, the supervisory authorities responsible for Lidl imposed data protection fines totaling 1.462 million euros.

Networks and PC monitoring

Access rules are an essential part of data security. Therefore, every user has to identify himself on a secure network. Anonymous access is generally not permitted; access to protected and secured data and changes to it are also logged individually. This is already required by the internationally standardized process model according to ISO 15408 (Common Criteria).

Regulations regarding the monitoring of the PC activities of employees can be found in the VDU Ordinance and the Works Constitution Act, among others. According to section 22 of the annex to the VDU regulation, "[w]ithout the knowledge of the user [...] no device for qualitative or quantitative control may be used". This means that employers are prohibited from secretly using surveillance software and hardware such as keyloggers. Section 87 (1) No. 6 BetrVG also stipulates that "the introduction and use of technical facilities that are designed to monitor the behavior or performance of employees" is subject to co-determination by the works council or, in the public service, by the staff council (cf. Section 75 (3) No. 17 BPersVG).

Section 26 BDSG

Section 26 BDSG integrates numerous already known regulations into the law. Employers can therefore process personal data that are necessary for the implementation, termination or commencement of an employment relationship without the consent of their employees.

History of employee data protection in Germany

1984-2000

In 1986, the state of Hesse included a provision on employee data protection in the Hessian Data Protection Act (HDSG). Section 34 HDSG stipulates that employee data may only be processed if this is necessary for entering into, carrying out, terminating or processing the service or employment relationship or for carrying out internal, planning, organizational, social and personal measures, or if a legal provision, a collective agreement or a service agreement provides for it. This regulation was the first of its kind in Germany. With some changes, it is still valid today, but only in the state of Hesse and only for authorities and other public employers.

In 1984 the data protection officers of the federal and state governments demanded sector-specific statutory provisions on employee data protection for the first time. In 1992 they established principles for an employee data protection law. The trade unions also campaigned for a legal regulation. For example, in 1999 the German Federation of Trade Unions presented key points for a law on employee data protection.

The German Bundestag and the Bundesrat also saw a need for action. The Bundestag passed several resolutions in which it called on the respective federal government to draw up a corresponding bill.

In 2000, the federal government led by Gerhard Schröder planned, by its own account, to submit a corresponding law, which was to be titled "Law on information and communication in employment". However, the project was not carried out. Work on the law was stopped.

2001-2010

A part of employee data protection is regulated by the Genetic Diagnostics Act (GenDG) passed in 2009. Section 5 of the Act regulates the conditions under which genetic examinations are permitted in working life. The principle here is that an employer may not require that an employee or applicant have genetic tests or analyses carried out on them. The employer is also not allowed to receive or use test results (Section 19 GenDG). Diagnostic genetic examinations as part of preventive medical examinations for employees at certain workplaces are excluded from this ban (Section 20 GenDG). The labor law provisions of the Genetic Diagnostics Act came into force on February 1, 2010.

In 2008/2009 it became known that important German companies such as the food discounter Lidl and Deutsche Bahn had monitored their employees using sometimes illegal methods. The Deutsche Telekom surveillance affair received particular attention. As a result of these incidents, the German government, now led by Angela Merkel, decided in February 2009 to resume work on an employee data protection law. The Federal Ministry of Labor and Social Affairs then drew up the draft for a “law on data protection in employment relationships (Employee Data Protection Act - BDatG)”, which was brought up for discussion by Federal Labor Minister Olaf Scholz in September 2009. In view of the upcoming general election, the draft was no longer approved by the CDU/CSU-SPD federal government.

After the change of government in autumn 2009, the CDU/CSU and FDP agreed not to create a separate law on employee data protection, but instead to add a chapter on data protection for employees to the Federal Data Protection Act. The Federal Ministry of the Interior is responsible for this legislative proposal. On April 1, 2010, Federal Interior Minister Thomas de Maizière presented the key points for a new employee data protection law.
