Risks and best practices for companies
Failing to set clear rules for the private use of company communications media can have far-reaching consequences for both employers and employees alike. For example, if employers monitor employees’ e‑mails without their knowledge and then fire them for engaging in private use without having expressly prohibited it, they may be violating data protection law. In the worst case, they may not only face claims for damages, but would also be prevented from using the e‑mails as evidence. Companies should therefore consider the following:
When is private use allowed?
Private may use may be considered to be allowed in all cases where it is not expressly prohibited. In some cases, courts have even ruled that, if employers allow or tolerate private use of one communications medium, employees are entitled to assume that other communications media may also be used for private purposes. For example, allowing private use of company cell phones may result in allowing private use of company e‑mail, or vice versa.
May companies monitor private use regardless of whether they suspect an offense?
In accordance with the case law, companies which allow private use generally cannot monitor employees’ communications regardless of suspicion unless they announce their monitoring action in advance and give employees an opportunity to protect their private communications from being accessed by the company. Very strict requirements apply with respect to the proportionality of such measures.
Does telecommunications secrecy apply for company communications?
The question as to whether telecommunications secrecy applies in accordance with §§ 88 of the old Telecommunications Act and § 3 of the Telecommunications and Telemedia Data Protection Act, as amended, is disputed. Fortunately, opinion in both the case law and the legal literature is increasingly trending towards the view that employers are not obligated to maintain telecommunications secrecy. If private use is allowed, however, monitoring employee communications is subject to stricter requirements in data protection law.
Should private use be prohibited?
Prohibiting private use is the simplest course of action from a legal viewpoint, and one which conforms to recommendations from the data protection authorities. But here as well, there are some things to consider. Namely, companies which prohibit private use must ensure that they actually monitor employee communications and enforce this prohibition. If they fail to do so, their effective toleration of private use may establish a company practice contrary to the actual prohibition. Monitoring may be performed e.g. by keeping a log of employees’ internet use. Companies would also be well-advised to establish rules for the handling of minor cases and violations. The company’s working environment should also be taken into account. It should be kept in mind that, even though no specific standards have been established in this regard in the case law, not every case of prohibited private use justifies a dismissal. If private use of company communications media is prohibited, a “bring your own device” (BYOD) rule could make life easier for employees. But here as well, clear rules need to be established.
Is a prohibition of private use absolutely necessary?
Each company can decide for itself how it wants to handle private use. There are arguments both in favour of private use (e.g. the benefits for employees) and against it (e.g. higher risk of cyberattack). Regardless of what the company decides, clear rules must be established and those rules must actually be enforced. Allowing private use of company communications media to get out of the control is not only toxic for IT compliance, but will quickly result in violations of data protection law.
What should employers keep in mind?
Companies which have not yet established clear rules for the private use of company communications media should absolutely do so now, as this is the only way to avoid detrimental consequences in data protection and labour law. For example, by Judgment of 27 January 2023 (Case No. 12 Sa 65/21), the District Labour Court of Baden-Württemberg ordered an employer to pay damages in the amount of 3,000 Euros for improperly monitoring private communications, as well as preventing the employer from using those communications as evidence in the ongoing proceedings for protection against unfair dismissal. Companies also should not forget that private use of company communications media can have a far-reaching impact on cybersecurity, in that it increases vulnerability to attack while at the same time limiting the company’s ability to monitor communications due to stricter requirements in data protection law.back