GDPR at the workplace: You should definitely observe these requirements to avoid a data breach!
by Svenja Koch
Data protection in the workplace plays an increasingly important role in times of digitalization. With the GDPR, the General Data Protection Regulation, the European Union has created a set of rules that standardizes the rules for the processing of personal data and the use of data records throughout Europe. The GDPR replaces Directive 95/46/EC from 1995 and, together with the JHA Directives for data protection in the justice and police sectors, has formed the common data protection framework in the European Union since May 2018. On the one hand, the GDPR is intended to ensure the protection of personal data, but on the other hand, it is also intended to ensure the free movement of data within the European single market. Since its introduction in 2018, the GDPR has placed high demands on employers and employees - since then, a data protection breach can be sanctioned with high penalties.
In this article, you will learn what you must pay particular attention to when it comes to data protection as an employer and why you must prevent a data protection breach at all costs.
Data privacy and employment law
There is no separate law that regulates the handling of data protection in the workplace. Rather, employers and employees are faced with the task of compiling the individual regulations in a wide variety of laws. This often leads to unintentional, but nevertheless sanctionable violations of the GDPR - which may mean expensive fines for employers.
Among the most important requirements that data protection places on employers are:
- Employers may only collect personal data of their employees if the data subject has given consent for this. The same applies to the processing and use of the collected data!
- The BDSG (Federal Data Protection Act) allows an employer to collect, use and further process personal data only if the data is necessary for the commencement, implementation and termination of an employment relationship (Section 32, Paragraph 1, Sentence 1 BDSG).
- The consent of an employee to the collection and use of his or her personal data is only effective if the consent has been given voluntarily and recorded in writing (for example, as part of an employment contract).
- A general control of all employees without their consent by means of video surveillance or similar at the workplace is inadmissible!
- All employees have the fundamental right to view the personal data stored by the employer (the so-called "right to information"). This also gives employees the right to inspect their own personnel files at any time.
- Employees have the right to have unlawfully stored personal data deleted at the workplace.
- Data protection prohibits employers from inquiring about the exact health reasons for an employee's inability to work when he or she reports sick.
When employers violate the GDPR: These are the penalties they face
With the introduction of the new General Data Protection Regulation in May 2018, mandatory penalties were introduced for violations of data protection in companies. If employers violate the GDPR, fines in the millions are possible! The amount of the fine is based on annual turnover - up to 4% of turnover can be imposed. It is therefore important to know which data may be collected and processed - and which data about employees must not be stored under any circumstances.
The GDPR allows employers to collect and process the following data:
- All data that is mandatory for reporting to social security or the tax office
- The employee's bank details for the transfer of the monthly salary payment
- Data proving the employee's professional career and skills
The GDPR prohibits employers from collecting and processing the following data:
- Any data that includes the employee's behavior in the workplace
- Data that includes information about the employee's health status
A data protection officer is mandatory under certain circumstances
Data protection requires employers to ensure that the data collected from employees is secure from unauthorized access at all times - and that the people who work with the data have undergone appropriate training as defined by the GDPR. If ten or more persons are regularly assigned to data processing activities in a company, a data protection officer must be appointed. This company data protection officer has the task of monitoring compliance with all data protection guidelines and ensuring the correct application of the General Data Protection Regulation. According to Art. 37(5) GDPR, the data protection officer may be appointed "on the basis of his professional qualifications and, in particular, the expertise [...] he possesses in the field of data protection law and practice, and on the basis of his ability to perform the [...] tasks specified." The appointment of a competent data protection officer should by no means be taken lightly - because the GDPR also provides for fines of up to 10 million euros or 2% of the global annual turnover.
Is checking my employees' PC use a data protection violation?
Computer workstations are part of the modern workday. While in some companies the use of the company's own PC, Internet and e-mail account for private purposes is permitted, other companies strictly prohibit private use. The basic rule here is: What is not expressly permitted is not permitted. If you as an employer do not want private use of the IT infrastructure, it is your right to prohibit this.
However, the prohibition does not automatically give employers the right to check how the IT is used. There is an interesting ruling on this from the Berlin-Brandenburg Regional Labor Court from 2016. The court ruled (Az. 5 Sa 657/15) that the evaluation of e-mails and Internet browser data by the employer is permitted even if the employee does not consent to this procedure - and even if private use of IT is permitted. This ruling is in stark contrast to the view of the data protection supervisory authorities! The data protection authorities are of the opinion that companies are not allowed to store the private usage data within an electronic communication at all!
What does this mean for employers in terms of the GDPR? Well, if the employer expressly prohibits the private use of PCs and the employees have consented to the prohibition in writing within the framework of a company agreement, the employer may control the employees' data traffic in compliance with the BDSG. However, if consent has not been given, monitoring may only be carried out if this serves to protect the legitimate interests of the company or is relevant to the performance of the employment relationship.
Data protection and termination: As an employer, you must observe the following
Employees may gain insight into highly sensitive data during their employment. The laws are correspondingly strict here with regard to data protection and any violations.
A data protection violation justifies extraordinary termination if
- Personal data is transmitted or accessed without authorization
- Data is collected and processed without authorization for a purpose other than the legitimate fulfillment of the task in question.
However, the GDPR also places special requirements on employers in the context of a termination. In general, after termination of an employment relationship, the personal data of the former employee should be deleted - but only if no legal dispute with the employee is to be expected. If such a dispute is expected, the stored data should be retained at least until the legally regulated statute of limitations of three years has expired. It is therefore not possible to make a general statement on how data protection should be implemented in the event of termination. Rather, it depends on the individual case.
What obligations may employers impose on their employees under the GDPR?
Not only employers, but also employees are subject to obligations regarding the implementation of data protection in the workplace. In general, all employees who work with personal data are subject to data secrecy. Employees are not permitted to send the data to third parties outside the company or to use it for purposes other than those for which the data was collected.
Furthermore, employees are required to implement the following rules in the workplace:
- Documents containing personal data that are no longer required must be reliably destroyed. Disposal via the normal wastebasket is not permitted!
- All documents must be protected from inspection by third parties when the employee is not present.
- PCs, hard drives, keys and USB sticks must be secured against access by unauthorized persons.
- When leaving the workplace, for example for a break, the screen must be locked.
Data protection places strict requirements on employers and employees. Personal data, as it is processed and handled every day in all companies, has been under special protection since the introduction of the GDPR in 2018. Since its introduction, a data protection violation is no longer a "trivial offense", but can be punished with drastic fines in the millions. Employers must implement the GDPR in their companies in accordance with the law - it may be necessary to appoint a data protection officer to monitor compliance.
However, employees also have a duty to handle the data entrusted to them carefully and in accordance with the GDPR. In the event of a breach of data protection, there is the threat of dismissal - or in serious cases even a criminal action in court. It is therefore advisable for both sides, employee and employer, to set out in writing the principles of the GDPR and their implementation individually tailored to the company. In this way, data protection on the part of the employer is guaranteed - and the employees receive a framework on the basis of which they can carry out their activities in compliance with data protection.