Authors
Walter Ahrens | Partner, Frankfurt
Christopher Hitchins | Partner, London
Ashley Brown | Associate, London
Kristen Fox | Associate, London

Prior to the general elections in September, data protection in employment
had again become a topic on the German Federal Parliament’s agenda,
due to several incidents of actual or suspected mishandling of
employee data that attracted much attention. Large retailers had
extensively video-monitored their employees and excessively collected
employee health data. A leading telecom operator and a large bank
had undertaken undercover investigations against board members and
senior managers in order to identify leaks through which confidential
information had been disclosed to company critics. And a leading
transportation company had secretly and routinely screened addresses
and bank account details of all of its employees and run them against
those of its suppliers, as part of its anticorruption efforts. The
transportation company was recently fined by the competent state
data protection commissioner and agreed to pay a total fine in excess
of €1 million.

Accordingly, the data protection reform project that was already under way
was amended to include a section explicitly dealing with data protection
in employment. The reform came into force on 1 September 2009.
New Section 32 of the Federal Data Protection Act (the Act) provides
that personal data of an employee may be collected, processed,
or used for purposes of the employment relationship if this is
necessary for the decision on whether or not to establish an
employment relationship (e.g., questions concerning professional
qualifications, abilities, and experience), for the implementation
of the employment relationship, or for its termination.

In addition, Section 32 provides that personal data of employees
may be collected, processed, or used for the purpose of investigating
criminal acts only under the following circumstances:
(1) Facts (that need to be documented) must establish the suspicion
that the employee committed a criminal act in the course of the
employment relationship.
(2) The collection, processing, or use is necessary for the investigation.
(3) The employee’s legitimate interests in the omission of such collection,
processing, or use do not prevail. They will in particular prevail
if the nature or the extent of such collection, processing, or
use is unreasonable in view of the circumstances.

Notwithstanding new Section 32, the legislative materials indicate that Parliament
wanted to clarify and to consolidate existing (case) law regarding
data protection in employment. Therefore, no significant changes
in practice are envisaged at this point. In particular, employers
may continue to collect, process, or use personal data of their
employees for their own business purposes under Section 28 Para.
1 No. 2 of the Act. This statutory provision allows such collection,
processing, or use if it is necessary to safeguard the employer’s
justified interests, provided that there is no reason to assume
that the employee’s interests in the omission of such processing
or use prevail.

What has changed, however, are the fines for unauthorized collection
or processing of personal data that are not publicly accessible.
The former maximum fine of €250,000 has been increased to
€300,000, and even this amount can be exceeded if the profit from
the wrongdoing is higher (the fine shall exceed such profit).

Consequences for U.S. Companies

German data protection law plays a role in all circumstances where personal
data are transferred from Germany to the United States, e.g., from
a subsidiary to its parent entity or vice versa. Such transfers may
occur in various circumstances, e.g., in connection with the operation
of a global employee database in the United States, U.S. litigation,
investigations by authorities (e.g., the SEC or FTC), or the operation
of whistleblower hotlines under SOX. While the
new legislation does not bring significant changes, U.S. companies
with activities in Germany should be aware that the media and the
general public in Germany are increasingly sensitive to suspected
misuse of personal data and that fines for data protection offences
have reached a level where they really hurt.
We advise employers to review their rules regarding the collection, processing, and use of employee data and, if appropriate, seek legal advice to implement any necessary changes.