The Federal Labour Court prohibits the use of data collected on the basis of a permanent storage of internet activities by so-called keyloggers.

The case

For security reasons, employees may use the hardware and software for business purposes only. The employer informed his employees by e-mail that, in the future, internet traffic would be recorded and permanently stored in order to prevent misuse of internet. Those who did not agree with this should have informed him within one week’s time.
The employer then installed software on the employee’s PC that logs all keystrokes and regularly takes screenshots (keylogger). Based on the data collected by the keylogger, the employer determined that the employee had programmed a computer game during working hours and was managing e-mail correspondence for his father’s company. The employer’s decision to terminate the employment contract without notice was not valid.

The ruling

According to the Federal Labour Court, the data collected by the keylogger may not be used by the employer in the protection against dismissal proceedings. It is incompatible with the plaintiff’s fundamental right to informational self-determination. The data collected by the keylogger is not justified and the employee has not consented to the data being recorded. As per § 32 BDSG (Bundesdatenschutzgesetz; German Federal Data Protection Act), an employee’s personal data may be collected in order to verify whether the employee fulfils his or her duties. In the event that admissible data leads the employer to suspect a breach of duty, he may store and use all data that he needs in a potential protection against dismissal lawsuit. In addition, data collection is authorised if there are indications that a criminal offence committed within the scope of employment is suspected. However, the undercover investigations in this case were carried out in an arbitrary fashion. Temporary storage and random control of an internet browser’s history data is permitted in order to control the prohibiting or restriction of private use of IT equipment. Addresses, titles and the time of the pages visited are logged on a random basis. Nonetheless, the use of a keylogger for an unlimited period of time and covert use of a keylogger has a massive impact on the right to informational self-determination. All entries made using a computer’s keyboard are recorded and stored. With the data obtained, an almost comprehensive and complete profile can be created for both private and business use of the PC. Additionally, highly sensitive data such as user names, passwords for protected areas, credit card data, PIN numbers etc. can be logged. Moreover, the employee in question does not have the possibility to mark certain content as private or personal and thus cannot revoke the employer’s access if necessary. This is even more pronounced if screenshots are taken regularly. Therefore, the data collected in this case is inadmissible and may not be used by the employer.

Recommendation for practice

The use of computers and mobile devices is an integral part of the daily working world. This is accompanied by a legitimate interest on the part of the employer to ascertain any misuse or prohibited conduct. The present case illustrates the relevance of admissible agreements for this purpose. Making these regulations legally compliant will present employers with even more challenges in view of the forthcoming EU-wide new data protection regulations. Otherwise, there is a risk of being unable to sanction violations of labour law.

By Dr. Klaus Neumann