Heuking
  September 6, 2019 - Germany

Search of a Company Computer by the Employer - Prohibition of Exploitation for Court Submissions?

The German Federal Labor Court (BAG) ruled by judgment of January 31, 2019 (ref. no. 2 AZR 426/18) that, under certain circumstances, the employer may lawfully review data on an employee's work computer even if there is no suspicion based on factual evidence of a breach of duty. This applies to minor encroachments on personal rights, for example, in the case of actions carried out openly and restricted to files that are not marked as "private". In a case of lawful collection, there is no prohibition of exploitation with regard to court proceedings.

The verdict was based on a legal dispute over the effectiveness of a dismissal on grounds of suspicion. The defendant, as the employer, provided the plaintiff with a company car and fuel card. The plaintiff's service laptop was to be examined by the internal audit department within another context. The plaintiff was suspected of having shared the contents of an audit report with third parties without permission. The plaintiff cooperated, voluntarily handed over his laptop at the request of the defendant and provided his passwords. He informed the defendant that there were some private files on the computer which he specified in further detail. When investigating the laptop, the defendant discovered a file called "Tankbelege.xls" [petrol receipts]. It contained a list compiled by the plaintiff of the refueling of the company car carried out with the fuel card. Based on the refueling data collected, the fuel quantity and the frequency, there was an urgent suspicion that, in the past, the plaintiff had refueled not only his company car, but also vehicles of third parties, at the defendant's expense. For example, the plaintiff had repeatedly fueled more than 100 liters in a single refueling, although the petrol tank of his company car only had a nominal volume of 93 liters. As a result, the defendant extraordinarily, in the alternative ordinarily, terminated the employment relationship because of the strong suspicion of a breach of duty.The BAG regarded the dismissal as socially justified and rejected the plaintiff's appeal.

In the present case, it was crucial that the file, "Tankbelege.xls", on which the suspicion was based, was not subject to a prohibition of exploitation. The BAG stated that a prohibition of exploitation did not apply if the employer had obtained and used the relevant findings in accordance with the relevant data protection regulations. In the present case, the admissibility of the inspection of the file "Tankbelege.xls" as well as the further use of the knowledge gained from it resulted from Sec. 32 (1) sentence 1 German Federal Data Protection Act (BDSG) Old Version (Section 26 BDSG New Version).

According to the provision, data processing is possible if it is necessary to carry out or terminate the employment relationship. “Carrying out” also includes the employer checking if the employee fulfills his or her employment obligations. Under certain circumstances, in the case of non-intensive encroachments on personal rights, the employer could collect data in this regard, even if there is no initial suspicion based on factual evidence. Termination includes, inter alia, the disclosure of a breach of duty to prepare for dismissal as well as the winding-up of the employment relationship. Under the preconditions of Section 32 (1) sentence 1 BDSG, the employer may therefore store and use all lawfully collected data which it requires in order to prove the breach of duty in potential dismissal protection proceedings. This also applies to data establishing the suspicion of a breach of duty.

However, whenever data is collected and processed pursuant to Section 32 (1) sentence 1 BDSG Old Version, a proportionality check must always be carried out. Data collection and processing should not be an excessive burden on the employee and should correspond with the importance of the employer's interest in information.

In the opinion of the 2nd Senate, the interests of the employer prevail here. With regard to the refueling fraud, no initial suspicion based on factual evidence was required either. The investigation was announced to the plaintiff and was not arbitrary. The plaintiff had the opportunity to exclude folders and files from being inspected before the inquiry by marking them as "private". Nonetheless, the plaintiff had not provided such a designation. The folder had not obviously been of a private nature either. The plaintiff had been aware of the possible scope of the investigation. He knew that the entire hard disk was to be analyzed. With this knowledge, he had specified certain files as private for the internal audit. However, the file "Tankbelege.xls" as well as the folder in which it was located were not included. The defendant could therefore assume that the file "Tankbelege.xls" related to business data.In addition, the BAG states that when weighing interests, it is not decisive whether the works council or the company data protection officer was present when the data was inspected. Participation in itself does not constitute a more moderate means, as it would not have been able to avert or "moderate" data collection.

CONCLUSION

As long as the employer lawfully collects data, they are not subject to any prohibition of exploitation. In its decision, the BAG describes in detail under what conditions the employer may collect the employee's data during labor controls. According to the judges, the case decided according to "old data protection law" would also come to the same conclusion under the new legal situation, i.e. after the entry into force of the GDPR. The BAG expressly pointed out in its judgment that the disputed data collection and processing would also be lawful in accordance with the GDPR and the BDSG in the version in force since May 25, 2018. The relevant provision of Section 32 (1) BDSG Old Version was adopted verbatim in Section 26 (1) BDSG New Version. The judgment is therefore also relevant for future cases.