The German Federal Labor Court (BAG) ruled by judgment of January 31, 2019 (ref. no. 2 AZR 426/18) that, under certain circumstances, the employer may lawfully review data on an employee's work computer even if there is no suspicion based on factual evidence of a breach of duty. This applies to minor encroachments on personal rights, for example, in the case of actions carried out openly and restricted to files that are not marked as "private". In a case of lawful collection, there is no prohibition of exploitation with regard to court proceedings.
The verdict was based on a legal dispute over the effectiveness
of a dismissal on grounds of suspicion. The defendant, as the
employer, provided the plaintiff with a company car and fuel card.
The plaintiff's service laptop was to be examined by the
internal audit department within another context. The plaintiff was
suspected of having shared the contents of an audit report with
third parties without permission. The plaintiff cooperated,
voluntarily handed over his laptop at the request of the defendant
and provided his passwords. He informed the defendant that there
were some private files on the computer which he specified in
further detail. When investigating the laptop, the defendant
discovered a file called "Tankbelege.xls" [petrol
receipts]. It contained a list compiled by the plaintiff of the
refueling of the company car carried out with the fuel card. Based
on the refueling data collected, the fuel quantity and the
frequency, there was an urgent suspicion that, in the past, the
plaintiff had refueled not only his company car, but also vehicles
of third parties, at the defendant's expense. For example, the
plaintiff had repeatedly fueled more than 100 liters in a single
refueling, although the petrol tank of his company car only had a
nominal volume of 93 liters. As a result, the defendant
extraordinarily, in the alternative ordinarily, terminated the
employment relationship because of the strong suspicion of a breach
The BAG regarded the dismissal as socially justified and rejected the plaintiff's appeal.
In the present case, it was crucial that the file, "Tankbelege.xls", on which the suspicion was based, was not subject to a prohibition of exploitation. The BAG stated that a prohibition of exploitation did not apply if the employer had obtained and used the relevant findings in accordance with the relevant data protection regulations. In the present case, the admissibility of the inspection of the file "Tankbelege.xls" as well as the further use of the knowledge gained from it resulted from Sec. 32 (1) sentence 1 German Federal Data Protection Act (BDSG) Old Version (Section 26 BDSG New Version).
According to the provision, data processing is possible if it is necessary to carry out or terminate the employment relationship. "Carrying out" also includes the employer checking if the employee fulfills his or her employment obligations. Under certain circumstances, in the case of non-intensive encroachments on personal rights, the employer could collect data in this regard, even if there is no initial suspicion based on factual evidence. Termination includes, inter alia, the disclosure of a breach of duty to prepare for dismissal as well as the winding-up of the employment relationship. Under the preconditions of Section 32 (1) sentence 1 BDSG, the employer may therefore store and use all lawfully collected data which it requires in order to prove the breach of duty in potential dismissal protection proceedings. This also applies to data establishing the suspicion of a breach of duty.
However, whenever data is collected and processed pursuant to Section 32 (1) sentence 1 BDSG Old Version, a proportionality check must always be carried out. Data collection and processing should not be an excessive burden on the employee and should correspond with the importance of the employer's interest in information.
In the opinion of the 2nd Senate, the interests of the employer
prevail here. With regard to the refueling fraud, no initial
suspicion based on factual evidence was required either. The
investigation was announced to the plaintiff and was not arbitrary.
The plaintiff had the opportunity to exclude folders and files from
being inspected before the inquiry by marking them as
"private". Nonetheless, the plaintiff had not provided
such a designation. The folder had not obviously been of a private
nature either. The plaintiff had been aware of the possible scope
of the investigation. He knew that the entire hard disk was to be
analyzed. With this knowledge, he had specified certain files as
private for the internal audit. However, the file
"Tankbelege.xls" as well as the folder in which it was
located were not included. The defendant could therefore assume
that the file "Tankbelege.xls" related to business
In addition, the BAG states that when weighing interests, it is not decisive whether the works council or the company data protection officer was present when the data was inspected. Participation in itself does not constitute a more moderate means, as it would not have been able to avert or "moderate" data collection.
As long as the employer lawfully collects data, they are not subject to any prohibition of exploitation. In its decision, the BAG describes in detail under what conditions the employer may collect the employee's data during labor controls. According to the judges, the case decided according to "old data protection law" would also come to the same conclusion under the new legal situation, i.e. after the entry into force of the GDPR. The BAG expressly pointed out in its judgment that the disputed data collection and processing would also be lawful in accordance with the GDPR and the BDSG in the version in force since May 25, 2018. The relevant provision of Section 32 (1) BDSG Old Version was adopted verbatim in Section 26 (1) BDSG New Version. The judgment is therefore also relevant for future cases.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.