Update Data Protection No. 13
Guidance Notes of the Supervisory Authority on Email Use at the Workplace
Managing the use of IT systems by employees has always created legal and practical challenges for companies. If they prohibit private use of email or Internet and also enforce this rule, HR will complain of competitive disadvantages when recruiting. On the other hand, if they allow or tolerate this, Compliance will complain of hindrances to internal investigations. The Conference of Data Protection Commissioners at Federal and State Level has published guidance notes on the long-running issue "Email and Internet at the workplace".
BDSG (Federal Data Protection Act) and TKG (Telecommunications Act)
In principle, operating resources such as the office computer must only be used for company purposes. If the employer then wishes to take a look at an employee's email in-box - for example in the context of internal investigations - it must "only" comply with the regulations of the Federal Data Protection Act when doing so. In this respect, it must however also enforce the restriction to company use. If the employer has allowed private use of the Internet or even merely tolerated it over an extended period, some supervisory authorities will already regard it as being a provider of telecommunication services. Under Section 206 Subsection 1 Subsection 5 Sentence 2 StGB (Criminal Code), the employer, or its employees, can be liable to prosecution if the employer forwards the content of the employee's emails or merely a list of the Internet sites visited by the employee. In this respect, it is sufficient if such information is communicated to another person in the same company, for example the Compliance Officer. Even if an advancing case-law opinion rejects the classification of the employer as a provider of telecommunications, there is a residual risk here for the time being. The employer requires the consent of its employee for the infringement of the latter's telecommunications secrecy.
Rules of conduct for private use
The guidance notes suggest linking private use of the Internet to conditions. The employee should consent in particular to the employer checking when which Internet site has been called up. Additionally, the employer could define detailed rules of conduct in a works agreement, in the contract of employment or through instructions. Clear separation of private and company data could be achieved for example by means of the employee undertaking to store private files exclusively in a "Private" folder. It would be possible to exclude for example the calling up of Internet sites that cause costs for the employer, or of sites that endanger the security of the IT system. Blocking of specific Internet sites via a so-called blacklist also creates facts here without affecting data protection.
Control of emails only in exceptional cases
The recommendations concerning email are similar. If "necessary for company purposes", the employee should consent to the employer also calling up the email account in his/her absence. In this respect, it must however be made clear that obviously private emails will not be opened. Any such access should only be a last resort. A milder method is the automatic forwarding of emails during absence. However, even this should only be set up in emergencies. The recommendation simply suggests an absence notification for the standard case of an employee being absent. The employee must be informed before using a spam filter. Automatic deletion must be preferred to marking as spam, which allows the employee to decide on deletion. An interesting approach for controlling email use is the division of several employees into groups. Checks are then only carried out concerning which sites the group has called up as a whole, without the individual person being identified. This reflects the trend towards the evaluation of anonymized instead of personalized data, as also to be found in the EU General Data Protection Regulation. Only given a specific suspicion of misuse should the employer be allowed to identify the employee concerned in this individual case. The anonymization does not therefore open the door to misuse, but rather creates a balance between Compliance and data protection.
Summary
It is hardly possible any more to imagine company practice without the phenomenon of private use of the Internet. The underlying rulings in the form of works agreement, employment contract or instructions must create compromises between Compliance and the protection of employee data. The new guidance notes of the Conference of Data Protection Commissioners at Federal and State Level provide interesting food for thought in terms of what form these compromises could take.
Please click on Guidance Notes for further information on this subject (Source in German).