There are strict legal limits to the monitoring of employees.
A general suspicion of employees does not justify comprehensive monitoring.
Violations of data protection requirements in the monitoring of employees can be punished with heavy fines.
The surveillance of employees is a frequently discussed topic that has already led to landmark rulings by German courts. Investigating a suspected crime or preventing misconduct, for example, may require surveillance measures to be taken.
But surveillance of employees can become a serious corporate risk: recently, a fashion company and an electronics retailer were fined for violating data protection requirements for surveillance activities.
Disregard for data protection in the monitoring of employees
Employees are often monitored as a way of observing their performance and behaviour. This was the intention of the call centre in one fashion company. The call centre recorded the content of calls, stored them and thus collected comprehensive data to assess the performance of its employees. This also involved data on private life circumstances, such as holiday and sickness data, family circumstances and religious data of several hundred employees being retrieved, stored and evaluated.
The intention was to assess individual work performance and create comprehensive profiles to provide information to take measures and decisions relating to the employee. This practice became known through a configuration error that exposed the data throughout the company. The competent data protection supervisory authority saw this as a particularly severe encroachment on the rights of the data subjects and imposed a fine of 35 million euros on the fashion group.
The circumstances were similar in a recently announced fine imposed on an electronics retailer. In this case, too, the performance or behaviour of workers was monitored. Video cameras had been installed to track the flow of goods in the warehouses and prevent offences. However, in addition to the workplaces, the sales rooms and the warehouses, the cameras also filmed in common rooms. For two years, both employees and customers were filmed. The data protection supervisory authority criticised the lack of a legal basis and an excessively long storage period. It therefore imposed a fine of 10.4 million euros.
What requirements need to be observed?
The amount of the fines alone shows that strict limits under data protection law must be observed, especially for the monitoring of employees.
The EU General Data Protection Regulation (GDPR) states that personal data may not be processed unless consent is provided. This means that the processing of personal data, and thus the recording of moving images in the context of video surveillance, is generally prohibited unless there is a legal basis for such activity.
When surveillance is permitted
With regard to the monitoring of employees, Section 26 of the Federal Data Protection Act (BDSG) must be observed. According to this requirement, personal data of employees may be processed for purposes of the employment relationship if (among other things) this is necessary to decide upon or implement the employment relationship. Implementation of the employment relationship also includes monitoring whether the employee is fulfilling his or her obligations under labour law. In this context, a balancing of interests is always necessary. The more intensively a measure interferes with the employee's personal rights, the more legitimate the employer's reasons for doing so must be. To weigh the interests, it must be examined in particular whether the processing is necessary or whether milder, equally suitable means may suffice to achieve the purpose of monitoring performance and conduct.
The use of video surveillance may be permissible, for example, if documented factual indications justify the suspicion that the person concerned has committed a criminal offence in the employment relationship and no milder means of clarification are available, such as random bag checks on employees. In the past, labour courts have sometimes considered particularly intrusive (covert) video surveillance to be permissible if there was a concrete suspicion that criminal offences had been committed. However, this typically required that the video surveillance could be limited to a certain group of employees and that it was practically the only remaining means of investigation. A general suspicion or even the mere assumption that criminal offences could occur, on the other hand, does not constitute a sufficient basis for the use of extensive surveillance measures. In addition, an employer's monitoring activities must never go so far as to exert permanent monitoring pressure on employees or to turn the individual employee into a mere "object of assessment".
If monitoring of employees by means of video is permissible by way of exception, further requirements under data protection law must be observed. These include, for example, conducting a data protection impact assessment or deleting the data collected by means of video recording. Some supervisory authorities are of the opinion that the recordings must be deleted within 48 to (a maximum of) 72 hours. In addition, special features of labour law must be taken into account, such as the involvement of the works council.
What does this mean in practice?
Employers are allowed to monitor the performance and behaviour of their employees in certain cases. Indeed, they sometimes must do in order to prevent or detect criminal offences and misconduct. Nevertheless, the legal limits have to be observed, which are primarily defined by data protection law. Ensuring this requires the specific circumstances of the individual case to be considered. It is therefore necessary to establish processes for checking the permissibility of the specifically planned monitoring measure in the company, to carry out necessary data protection impact assessments and to implement deletion concepts. Otherwise, in case of doubt, there is not only the risk of the monitoring results not being usable in (labour) court, but also - as recent examples have shown - severe fines and sometimes massive damage to the company's reputation.