The conference of the independent federal and state data protection authorities in Germany (“Data Protection Conference”) has published guidelines for employers on the limits of control of email and other Internet services in the workplace on January 27, 2016. Within these guidelines, the data protectionists emphasize their restrictive position regarding the employer’s control rights.
The guidelines summarize the common position of the data protection authorities. The document contains fundamental recommendations for public authorities and companies. While these guidelines will not be legally binding, they contain the basis for the data protection authorities’ examination and evaluation of the processing of personal data. As such, the guidelines provide an indication on how the authorities will most likely decide in specific situations.
The initial question for assessing whether the control of email and other Internet services will be lawful is whether the employer allows private use of the Internet or of the company email account. If it does, according to the data protectionists, the employer is to be considered a provider of telecommunication or telemedia services. This means that it has to comply not only with the Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), but also with the regulations of the Telecommunication Act (Telekommunikationsgesetz, “TKG”) and of the Telemedia Act (Telemediengesetz, “TMG”). In this case, the employer is subject to the legal principle of the secret of telecommunication whose violation constitutes a criminal offence.