According to a recent decision of the German Federal Labor Court (Bundesarbeitsgericht – BAG), the use of a keylogger software, which records all keyboard entries on a workplace computer for covert monitoring and control of the employee, is prohibited if there is no suspicion of a criminal offense or severe breach of duty.

Legal Background

Although severely exceeding the limits of permissible private use of the workplace computer and Internet may in principle constitute such a grave infringement of the obligations under the employment relationship that a dismissal with immediate effect may be justified, it must be kept in mind that the employer bears the burden of proof for the employee’s misconduct in case of a claim for unfair dismissal.

If evidence is achieved in breach of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), this generally indicates that its utilization in legal proceedings may infringe the employee’s right on informational self-determination and, therefore, is not admissible evidence.

Employees are protected by their general right of privacy, which is enshrined as a fundamental right in the German Constitution. This also comprises the employees’ fundamental right on informational self-determination and the fundamental right on confidentiality and integrity of IT systems as significant constitutional guarantees.

The Federal Data Protection Act permits the employer to utilize personal data of employees without their consent generally only with regard to the collection and processing of personal information that is relevant for the establishment and administration of the employment relationship, for personnel planning and for job performance measurement (e.g. times of absence, sickness). Further investigations with regard to a criminal offense or severe breach of duty require a respective fact-based suspicion.

Facts of the Case

In the present case, the employee had been working with the company as a web developer for several years. When releasing a network in 2015, the company informed its employees that the entire internet traffic and the use of their systems will be logged. As they suspected their employee to pursue other activities during his working time, the company installed software on his workplace computer without his consent, recording all keyboard entries and producing screenshots on a regular basis.

After evaluating the files created with the help of the keylogger, the company confronted the employee. He admitted having used his workplace computer for private purposes during working hours, in particular for programming a computer game and writing emails for his father’s company. However, he claimed that such activities only took place to a very limited extent and mostly during his breaks.

Contrary to the employee’s allegation, the company gathered from the data collected by the keylogger that he had in fact pursued a considerable amount of private activities at the workplace during working time. The company provided notice of termination with immediate effect.

At previous instances, the courts already ruled in favor of the employee who had raised an unfair dismissal claim.

The Ruling

On July 27, 2017, the Federal Labor Court ruled that the evidence gained by the keylogger with regard to the employee’s private activities must not be used in the judicial proceedings.

Since the company did not have any factual suspicion of a criminal offense or other serious breach of duty justifying the use of the software against its employee, the gathering of information was not permitted under the Federal Data Protection Act. The random measure without just cause was held disproportionate by the court. It was considered an infringement of the employee’s right to informational self-determination as a part of the general personality right.

Further Implications

In case of a suspected breach of duty by employees, companies are recommended to assess in-depth which monitoring measures are permitted. If the monitoring is found to be disproportionate, not only may the evidence not be used in the legal proceedings, but there is also a risk of penalty fees imposed by the data protection supervisory authorities or even claims for damages by the concerned employees.

Although this case was decided under the current Federal Data Protection Act, the principles laid down by the Federal Labor Court are fully transferable to the legal situation under the EU General Data Protection Regulation (GDPR) and the new Federal Data Protection Act, which will both enter into force on May 25, 2018.

Additionally, it should be noted that the monitoring of employees triggers a co-determination right by the works council under the Works Constitution Act (Betriebsverfassungsgesetz – BetrVG). In particular, the works council’s right of co-determination has to be observed in the event of the introduction and application of technical systems which are suitable for monitoring the conduct or performance of the employees.