Menu
undefined undefined
My dashboard
My Content
My products (0) My insights (0) My events (0) My contacts (0)

Update on private internet and email use at work

An update on the orientation guide that was recently published by the Data Protection Conference to provide guidance on private internet and email use at work.

04 March 2016

Publication

A few weeks ago, the Data Protection Conference, a conference held by the independent federal and state data protection authorities, published an orientation guide on private internet and email use at work compliant with data protection requirements. For the most part, the legal situation presented and the recommendations released by the Data Protection Conference already conform to common practice.

However, clarifications were made in two subject areas, dispelling some uncertainties which had been caused by several court decisions within the last few years:

  1. Contrary to a trend one could observe in recent court decisions the orientation guide argues for employers who allow private use of electronic devices to be regarded as service providers within the meaning of the German Telecommunications Act. In the absence of case law of the highest courts or relevant legislation the orientation guide recommends regarding employers as service providers being subject to the secrecy of telecommunications.
  2. According to the orientation guide it is possible to link the permission of private use of electronic devices provided with the declaration of consent to give limited access to recorded personal data. Together with a bargaining agreement concerning private use of the internet and the internal email program to which the declaration of consent refers, the data protection authorities regard this practice as a solution consistent with data protection requirements.

When is private use of the internet and the internal email program allowed?

Private use of both the internet and the internal email program via electronic devices provided by the employer is allowed in three cases:

  1. If the employer explicitly permits private use of the internet and the internal email program via electronic devices provided by the employer.
  2. If the employer does not explicitly permit private use, but neither enforces the prohibition nor tries to prevent misconduct (corporate practice).
  3. If the employee obtains a conditional permission for private use through his/her declaration of consent to give the employer access to recorded personal data in a clearly defined and proportionate way.

What effect does the prohibition of private use of the internet and the email program have on the access to accumulated personal data in the context of data protection?

When considering to allow private use of the internet and the email program employers are frequently confronted with the dilemma that in case of private use no absolutely secure access to recorded data and email account is given. For that reason, many employers explicitly prohibit private use of the internet and the email program via electronic devices provided by the employer. As a result thereof, they only have to pay attention to the requirements as defined by the German Data Protection Act when they want to access protocol or email data. This does not allow for a permanent monitoring of employees. Random inspections, however, and in suspicious cases even closer monitoring are possible in order to ensure that the prohibition of private internet and email use is complied with. Nevertheless, even in such cases the measure has to be proportionate and there is no possibility of using data which are obviously of a private nature.

This approach would enable the employer to filter personal data of certain employees out of internet and email protocols during internal investigations.

What effect does the permission of private use of the internet and the email program have on the access to accumulated personal data in the context of data protection?

The permission of private internet and email use granted explicitly or otherwise results in the employer’s classification as a service provider within the meaning of the German Telecommunications Act. As a result of this, the employer is subject to the secrecy of telecommunications and might incur a penalty if it violates the privacy of posts and telecommunications. This is a particular constellation under German data protection laws posing specific problems to companies with affiliates or subsidiaries in Germany.

Being subject to the secrecy of telecommunications means being given no access to telecommunication data. This pertains to any protocol data on internet and email use. According to the data protection authorities the employee’s declaration of consent enables the employer to access the data. However, both the exact wording and the constant possibility of revocation lead to certain problems (although the revocation does not have a retroactive effect).

Conclusion

The clarifications made within the orientation guide do not seem to lead to a change in classifying employers as service providers. However, in providing the approach of acknowledging private use of the internet and the email program under the condition of the employee’s consent the orientation guide presents a reliable course of action for employers leading to a gain in data protection and security.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

Related insights

This website uses cookies and other similar technologies to ensure you get the best experience on our website. Please review our cookie policy and our data protection privacy notice for more information on how the data that is collected is used.