Amendments have been made to the Federal German Data Protection Act. Georg Meyer-Spasche reports from Osborne Clarke’s Cologne office on the imminent changes and explains what companies with German offices need to consider where data protection and their employees are concerned.
Topic: Data protection
Who: German parliament
Where: Germany
When: 1 July 2009
Law stated as at: 31 July 2009
What happened:
The German legislator has passed changes to the Federal German Data Protection Act (Bundesdatenschutzgesetz – BDSG) against the background of recent data infringement scandals in Germany. The changes will come into effect on 1 September 2009 – they are not optional.
Dismissal protection for DPOs
One area of law that has been clearly tightened is the issue of dismissal protection for Data Protection Officers ("DPO"). Every company that has at least 10 employees who process personal data is obliged to appoint a DPO. As the DPO role tends to be risky when it comes to addressing data protection shortcomings in a company, the BDSG now provides for a better protection against dismissal for individuals who have operate such a role. Thus, the only justification for dismissal of an employee taking the DPO role is now "good cause" (i.e. material, severe and objective personal wrongdoing of the respective employee). Such protection continues for one year after revocation of the DPO appointment (i.e. after giving up the DPO role). Some have queried whether, given these recent changes, the possibility for businesses to appoint an external DPO rather than promoting one of their own employees to such a role is more tempting than ever.
New and Problematic General Clause
The legislator also introduced a new Section 32 BDSG to protect employees’ personal data. Intended to clarify prerequisites, this new section also introduces new ambiguity. Section 32 par. 1 sent. 1 BDSG only allows for use of such personal data that is necessary for exercise of the employment, for the decision on such employment, or for termination of such employment. Section 32 par. 1 sent. 2 BDSG provides for the right to collect and process data concerning employees who are under suspicion of having committed a criminal offence under employment. However, since this provision only grants entrepreneurs such rights regarding crimes committed in the past, ambiguity exists regarding prevention of future crimes. Without any explicit provision, compliance measures would have to be deemed unlawful when using employee’s personal data. While such a result would clearly not meet the legislator’s intention, the question for the legal basis of such compliance actions is unclear at present.
A recent ruling of the Federal Constitutional Court aggravates this situation. The court decided that e-mails stored on a third party's server are to be deemed as telecommunication, regardless whether they are unread or read for several years.
Therefore, a company allowing or tolerating company IT-systems to be used for private e-mails is obliged to respect the secrecy of telecommunications regarding such e-mails without any differentiation. This provides for even further limited possibilities to monitor employee's e-mails.
Our Recommendation
- Companies should check whether they are obliged to appoint a DPO. Not complying with the statutory requirement to appoint a DPO could render the company liable for fines;
- Companies that have to appoint a DPO but are concerned regarding the protection against dismissal should consider appointing an external DPO. Osborne Clarke can help German companies to find external DPO resources; and
- To prevent unlawful usage of personal data for compliance measures, a strict policy prohibiting usage of company IT for private data such as private e-mails should be established and spot-checked. Osborne Clarke can help to identify technologies that still allow employees to send/receive private e-mails if that is desired.
Why this matters:
The amendment of the Federal Data Protection Act does not fully solve but rather partially obscures the mutual tension between employee’s personal rights and legitimate interests of entrepreneurs in Germany. Observers expect rising demands for legal advice regarding data protection in connection with employment.
Georg Meyer-Spasche
Partner
Osborne Clarke, Cologne
georg.meyer-spasche@osborneclarke.com