Guidelines of the German DPAs: Use of internet and email at the workplace

One of the most disputed matters in German employee privacy law is related to the use of internet and email services by employees. In particular was unclear if surveillance of employees in this respect would potentially lead to a personal criminal liability of the person who conducted the surveillance activities.

Now, the German Data Protection Authorities have provided a guideline on the use of internet and emails at workplaces (German only).

In summary, the authorities follow with their strict recommendation the pro-employee approach causing some trouble:

  • Until otherwise decided by a high court (German Federal Supreme Court or Federal Labor Law Court for example), permission of private use of employer’s internet and/or email services triggers applicability of the secrecy of telecommunication services according to Sec. 88 TKG (German Telecommunications Act);
  • Explicit and implied permission of private use are regarded the same;
    Implied permission means tolerance of private use;
  • Secrecy of telecommunications applies also on emails which have already been received by the employee but are still stored on employer’s servers;
  • Breach of secrecy of telecommunications is a criminal law, Sec. 206 StGB (German Criminal Act).
  • The guidelines include also a set of templates for works council agreements.
    Companies should follow the guidelines to prevent any criminal liability.

However, there are still uncertainties regarding access to employees’ inboxes for compelling reasons of the employer (e.g. if the employee cannot be reached and access to specific pure business related emails is urgent).

  • The guidelines refer on page 9 to the mandatory requirement of consent of the respective employee for such access.
  • However, the recommendation on page 11 describes a proceeding for such access which is limited by business needs instead.
    As a result, collection of consent is still the preferred solution in such scenarios.

Practical approach: Clear distinction between business and private use. Why not offering a free WiFi for private internet use to your employees? If this WiFi is separated from your regular IT systems, misuse and exposure of your crucial infrastructure will not happen. More important, you may access email inboxes and internet logfiles without the strict limitations due to the secrecy of telecommunications.