Germany: Employee monitoring by keylogger software unlawful except in case of severe suspicions

Written By

Dr. Henriette Picot

Partner
Germany

I enjoy handling complex technology transactions and disputes for international and domestic clients, with a focus on innovative software and data-driven business models.

The German Federal Labour Court (BAG) held on 27 July 2017 that the hidden use of keylogger software for the purpose of employee monitoring violates data protection law, and that findings obtained by such monitoring are barred as evidence in court proceedings (BAG 2 AZR 681/16). According to the BAG, hidden use of keylogger software in an employment relationship requires a specific suspicion that the specific employee has committed a crime or another serious breach of duty.

Keylogger software captures any keyboard input on the PC on which the software is installed. If used by employers, keylogger software enables them to comprehensively monitor an employee’s activities on a business computer, including any use for private purposes. The keylogger software used in the case at hand also created screenshots of the computer screen at regular intervals. In the case, the keylogger recordings revealed that the employee had spent substantial working time using the computer for private purposes. On this basis, the employer dismissed the employee without notice. The BAG held that keylogger recordings created as a “shot in the dark”, i.e. without a specific suspicion against the employee concerned, cannot be used as valid evidence in court proceedings.

The BAG’s position on keylogger software is in line with the recent Opinion of the Article 29 Working Party on data processing at work (WP 249, adopted on 8 June 2017). In this Opinion, the Working Party stated that logging employees’ keystrokes or mouse movements or capturing screenshots in remote working scenarios is highly unlikely to be justified based on the legitimate interest of the employer. According to the Article 29 Working Party, using such monitoring technologies is typically disproportionate as a means of addressing the risk of unauthorized access, loss or destruction of information.

By way of background, German data protection law is generally strict in relation to employee data processing, and in particular employee monitoring. As a matter of principle, employers may process personal data for employment-related purposes only where strictly necessary for hiring decisions or for carrying out or terminating the employment contract. According to German case law, hidden employee monitoring measures are typically only permissible if they are based on a specific suspicion that an employee has committed a severe breach of contractual duty or a crime, and they are subject to a balancing-of-interests test. Openly communicated monitoring measures can be permitted if required to protect legitimate interests of the employer, depending on the scope and circumstances as well as on available alternatives (e.g., for fleet management purposes). Beyond the strict requirements from a data protection perspective, introducing employee monitoring measures also triggers works council co-determination rights in Germany.
