1 Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
German law distinguishes between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’.
‘Cybersecurity’ can generally be equated with the term ‘security of information technology’. According to Section 2(2) of the Act on the Federal Office for Information Security, ‘security of information technology’ refers to compliance with certain security standards in relation to the availability, integrity or confidentiality of information, by means of security precautions both:
- in IT systems, components and processes; and
- for the use of IT systems, components and processes.
The main objective of cybersecurity is to prevent data destruction, loss, alteration or unauthorised disclosure by implementing hardware and software solutions.
‘Data protection’ concerns the protection of information relating to an identified or identifiable natural person. While ‘cybersecurity’ can refer to any information, ‘data protection’ addresses only information that refers to an individual, making data protection part of the fundamental right of personality. Nevertheless, the processing of personal data requires a high level of cybersecurity. Accordingly, the General Data Protection Regulation (GDPR) requires the implementation of, among other things, state-of-the-art technology to ensure a level of security appropriate to the risk of the processing of personal data.
‘Cybercrime’ refers to crimes that are committed through or directed against the Internet, data networks and IT systems. Currently, the most common cybercrimes involve the infection and manipulation of computer systems with malware – for example, in order to access and misuse personal data (eg, identity theft) or to encrypt users' data in order to extort ‘ransom money’ from them (ransomware).
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
Cybersecurity is primarily addressed in the Act on the Federal Office for Information Security (BSI) and its accompanying regulation, which set out specific provisions for facilities that are of vital importance to Germany and whose failure to operate may lead to significant supply shortages or endanger national security (so-called ‘critical infrastructure’).
Data protection is mainly regulated by the GDPR. For individual matters, the GDPR has provided for opening clauses through which member states can adopt specific national regulations. The most important national regulation is the Federal Data Protection Act. One of the most important opening clauses is Article 88 of the GDPR, which leaves it to member states to establish provisions for data processing in the employment context. Germany has made use of this opening clause by providing employment-related data protection requirements, in particular in Section 26 of the Federal Data Protection Act.
As cybercrimes constitute criminal offences, the German Criminal Code contains the key statutory provisions.
1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Critical infrastructure: Provisions that address cybersecurity in relation to critical infrastructure are set out in the Act on the BSI and the Regulation for Critical Infrastructure. For instance, under Section 8a of the Act on the BSI, operators of critical infrastructure are obliged to take appropriate technical and organisational measures in order to avoid disruptions to the availability, integrity and confidentiality of their IT systems. Furthermore, operators of critical infrastructure must regularly audit their measures and prove to the BSI that they took appropriate measures to comply with said requirements. As a rule of thumb, operators of critical infrastructure will need to serve 500,000 people to fall under the obligations of the Act on the BSI, but the specifics depend on the sector and the services provided.
Telecommunications services: Providers of telecommunication services (internet access, email accounts, telephone networks) are subject to special data protection regulations which are stipulated in Sections 91 to 107 of the German Telecommunications Act. These provisions aim to safeguard users' personal data, and in particular their traffic and inventory data. In the course of the introduction of the IT Security Act in 2015, several provisions concerning IT security were added to the Telecommunications Act. According to Sections 109(1) and (2) of the Telecommunications Act, for instance, service providers must deploy and maintain state-of-the-art IT security measures, not only to protect personal data, but also to prevent unauthorised interference with IT infrastructure.
Banking: Although the provisions of the Act on the BSI also apply to the banking sector, an additional obligation to establish and maintain IT security is stipulated in Section 25a(1) of the German Banking Act. Credit institutions (eg, companies that conduct banking business commercially or on a scale that requires a commercially oriented business operation) must ensure that they have in place an effective risk management system, which must include an appropriate emergency plan for IT systems. In addition, such companies must have appropriate technical and organisational measures in place.
Insurance: As they play an essential role in the provision of pensions and healthcare, insurance companies are classified as critical infrastructure within the meaning of the Act on the BSI. As a result, they are subject to the general IT security provisions of the Act on the BSI. Additionally, the German Law on the Supervision of Insurance Companies obliges such companies to comply with certain IT security standards, including the requirement to implement a general risk management system (Section 26).
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: Regulations on personal data – including the lawfulness of processing, the duties of controllers and processors, and the rights of data subjects – are predominantly regulated by the GDPR. Key provisions of the GDPR include:
- Article 6 (lawfulness of processing);
- Article 12 (data subject access rights); and
- Article 32 (security of data processing).
Protection of special categories of personal data: The GDPR sets out specific regulations for special categories of personal data. Pursuant to Article 9(1), this is data that reveals the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data. The processing of special categories of personal data is generally forbidden. Exceptions to this rule are set out in Article 9(2) of the GDPR.
Cybercrime: The provisions on cybercrime and personal data are supplemented by Section 42 of the Federal Data Protection Act. According to Section 42, for instance, the unlawful provision to third parties of access to personal data concerning a large number of data subjects is punishable by imprisonment for up to three years or by a fine, if this is conducted in an organised and professional way.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Data protection: According to Article 3(2) of the GDPR, the GDPR has extraterritorial reach under certain conditions. According to Article 3(2), the provisions of the GDPR apply to a data controller or processor that is not established in the European Union where the respective data processing relates to:
- the offering of goods or services to data subjects in the European Union; or
- the monitoring of the data subjects' behaviour, insofar as this takes place within the European Union.
Cybersecurity: In order to implement the requirements of the Network and Information Security (NIS) Directive, in 2017 the legislature extended the powers of the BSI in a cross-border context. Among other things, it tasked the BSI with communicating IT disruptions to its counterparts in other EU member states. Providers of digital services – such as cloud providers, online marketplaces and search engines – which have no establishment in the European Union will generally be subject to IT security requirements deriving from German law when directing their services to Germany.
Cybercrime: Criminal offences committed abroad have extraterritorial reach within the limits of Section 5(7) of the Criminal Code. According to this provision, German criminal law applies to the violation of business or trade secrets of domestic establishments or enterprises. Accordingly, the secrecy regulations stipulated in Sections 201 to 204 of the Criminal Code (see question 1.6) have extraterritorial reach if they are breached by companies that operate in Germany; so-called ‘mailbox companies’ are not protected under the aforementioned provisions if they are targeted at Germany from abroad. This extraterritorial reach also applies, among other things, to the offence of (computer) fraud pursuant to Sections 263 and 263a of the Criminal Code, as long as the victim's financial loss has materialised due to a violation of business or trade secrets.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
European laws regulating cyber – such as the NIS Directive and the GDPR – as well as EU bilateral agreements, such as the EU-US Privacy Shield, have direct effect in Germany. Other than these, however, bilateral and multilateral instruments have no major impact in this regard.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
‘Cybercrime’ encompasses a variety of different criminal offences, such as:
- violation of the privacy of the spoken word (Section 201 of the Criminal Code);
- data espionage (Section 202a of the Criminal Code);
- phishing (Section 202b of the Criminal Code);
- data manipulation (Section 303a of the Criminal Code); and
- computer sabotage (Section 303b of the Criminal Code).
Cybercrime that causes a financial loss to the victim (eg, phishing) can constitute fraud (Section 263 of the Criminal Code). The Criminal Code also provides for computer fraud (Section 263a of the Criminal Code), which occurs when the offender damages the (financial) property of another person by influencing the result of a data processing operation through:
- the incorrect configuration of the computer program;
- the use of incorrect or incomplete data;
- the unauthorised use of data; or
- the exercise of other unauthorised influence on the processing operation.
In addition to the provisions of the Criminal Code, individual codifications in different statutes address cybercrime. One example is Section 23 of the German Law on the Protection of Business Secrets, which protects business secrets from unlawful disclosure or transmission. Furthermore, according to the draft IT Security Act 2.0, numerous new criminal offences will be introduced, such as the unauthorised use of IT systems.
Depending on the individual offence, the criminal penalties available range from fines to imprisonment for up to three years. Where government entities are targeted, there could be felony charges of treason (Section 94 of the Criminal Code) or the disclosure of state secrets (Section 95 of the Criminal Code), which can incur imprisonment of five years or more. In the case of (computer) fraud, the penalties range from fines to imprisonment for up to five years – or in particularly severe cases, up to 10 years.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so, what?
Data protection: There are 16 state authorities for data protection (one for each state) and one Federal Data Protection Authority. Generally, the supervision of states' public authorities and the private sector falls within the responsibility of the individual state authorities, while the supervision of federal authorities and bodies falls within the responsibility of the Federal Data Protection Authority. The data protection authorities have both:
- investigative powers (eg, the power to order the provision of documents or to obtain information); and
- corrective powers (eg, the power to issue warnings or to impose fines).
Generally, these measures can be taken against:
- the data controller (ie, the person that determines the purposes and means of the data processing); and
- the data processor (ie, a person that processes personal data on behalf of the controller), which may be a natural or legal person, a public authority, agency or other body.
The measures that may be taken by the data protection authorities do not include criminal penalties. Measures can also be taken extraterritorially, although extraterritorial enforcement of orders may be difficult.
Cybersecurity falls under the competence of the Federal Office for Information Security (BSI). The BSI investigates IT security risks and develops preventive security measures. It can issue warnings, examine and certify IT products and services, and advise individuals and companies. Furthermore, it sets out the criteria under which operators of critical infrastructure must fulfil the IT requirements in the Act on the BSI. The BSI has both:
- investigative powers (eg, the power to order the provision of documents); and
- corrective powers (eg, the power to impose fines).
The BSI can also – at least to some extent – take extraterritorial measures, although extraterritorial enforcement of the measures may be difficult in practice.
Cybercrimes are prosecuted by the German criminal prosecutors. Criminal penalties ranging from fines to imprisonment may be imposed. To some extent, prosecution is also possible at an extraterritorial level.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Data protection: According to Article 77 of the General Data Protection Regulation (GDPR), a data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of his or her personal data infringes the GDPR – in particular, if the controller does not comply with the data subject's rights under Articles 13 and following of the GDPR. Furthermore, Article 78 of the GDPR grants the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning the data subject. Notwithstanding Article 77 of the GDPR, Article 79 grants the right to an effective judicial remedy against a controller or processor in cases where the data subject considers that his or her rights under the GDPR have been infringed. Furthermore, the data subject can claim damages under Section 823 of the German Civil Code and apply for an injunction under Section 1004 of the Civil Code. Under certain circumstances, the data subject can file a criminal complaint (see questions 1.4 and 1.6).
Cybercrime: If a natural or legal person's rights protected under German criminal law are violated, that person can generally file a criminal complaint with the authorities. Cybercrimes that are sufficiently far reaching to constitute a public interest may be prosecuted without a criminal complaint when the authorities become aware of them. For instance, cybercrime that results in a victim's financial loss can constitute fraud, for which a formal complaint is not required if the loss amounts to at least €50.
2.3 What defences are available to companies in response to governmental or private enforcement?
Generally speaking, companies can always appeal against governmental enforcement actions. The remedies may be divided into administrative and judicial remedies. In the former case, the act of enforcement will be reviewed by the authorities themselves, such as data protection authorities or the BSI (so-called ‘objection’). In the latter case, the act of enforcement will be reviewed before the courts. While it is always possible to have a governmental enforcement action reviewed before the courts, the possibility of administrative review depends on the executing authority, among other things.
When the public prosecutor's office has filed a criminal suit against a defendant due to alleged cybercrime, the defendant will need to appear before the court. The power to impose a criminal penalty generally rests with the judge. In case of conviction, the defendant can appeal the decision to a higher court.
3 Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
On 30 October 2019 the commissioner for data protection of Berlin imposed a fine of around €14.5 million on Deutsche Wohnen SE for violations of the General Data Protection Regulation (GDPR). The supervisory authority found that, between June 2017 and March 2019, the real estate company used an archive system that did not provide for the option to delete tenants' data when it was no longer required. In some cases, the company preserved sensitive data (eg, salary statements, self-disclosure forms, extracts from employment contracts, health insurance and social security data), even though the data was no longer necessary for the purposes for which it was originally collected.
In December 2019 1&1 Telecom GmbH was fined €9.55 million for not complying with GDPR regulations concerning the security of processing (Article 32 of the GDPR). Customers calling 1&1's customer service department were able to obtain extensive information on other customers simply by giving their names and dates of birth. According to the Federal Data Protection Authority, this constituted a violation of Article 32 of the GDPR, according to which a company is obliged to implement appropriate technical and organisational measures to systematically protect the processing of personal data. This infringement was not limited to a small proportion of customers, but posed a risk to the entire customer base.
In addition, the Federal Office for Information Security has recently become more active in enforcement measures, and has commenced administrative proceedings with respect to non-privacy-related cybersecurity measures against several companies.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Germany has announced that it will pass an IT Security Act 2.0, which will significantly expand the scope of the current security laws and lead to increased cybersecurity requirements for many companies. Fines for non-compliance will also be significantly increased: even non-privacy-related cybersecurity breaches shall be subject to fines in amounts that resemble those under the GDPR.
4 Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
Subject to the Act on the Federal Office for Information Security (BSI), industry-specific security standards may be passed and be officially recognised by the BSI (so-called ‘B3S’ standards). Such industry standards have been passed for the water, nutrition, IT and telecommunications, energy, health, transportation, finance and insurance sectors.
The BSI has also published its so-called IT-Grundschutz guidance (IT baseline protection), which is oriented towards the ISO 27001 requirements and gives an overview of security best practices.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
With regard to cybersecurity, the BSI provides guidance on both maintaining IT security and complying with the cybersecurity regime, in particular the Act on the BSI.
With regard to data protection, the data protection authorities regularly issue statements in which they both comment on their legal view and advise on compliance with the data protection regulations.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
Regardless of the legal form of a corporate entity, proactive cyber-compliance falls within the responsibility of corporate officers and directors. This follows from Section 91(2) of the Stock Corporation Act, which primarily applies to stock corporations (see question 4.4), but also to other corporations. In essence, Section 91(2) obliges the management board to conduct diligent corporate management and organisation. This results in a duty to achieve and maintain a high level of IT security. Corporate officers and directors may be in breach of this duty where they fail to adhere to their duties as outlined in question 4.4.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
Managing the company and complying with legal obligations, including proactive cyber-compliance, fall within the responsibility of the management board. No special cyber-regulations are explicitly directed at listed entities. However, general provisions stipulated in the Stock Corporation Act specify the general scope of the management board's duties. These provisions may be used to determine the scope of its obligations regarding IT security and cyber-compliance.
The duty to establish and maintain IT security derives from Sections 76(1) and 91(2) of the Stock Corporation Act. In practice, a member of the management board must be appointed with responsibility for IT compliance, who will be monitored by his or her fellow board members. Proactive cyber-compliance requires the establishment of an IT risk management system that proactively monitors and detects IT security risks that could endanger the company's entire existence (see Sections 91(2) and 93 of the Stock Corporation Act).
The duty to manage the company, stipulated in Section 76(1) of the Stock Corporation Act, imposes further cyber-compliance obligations, including:
- the duty to act in accordance with the general legal system (particularly with regard to the use of IT systems);
- monitoring obligations (in order to identify IT security risks as early as possible); and
- the obligation to exercise due diligence (which requires appropriate responses to identified IT security risks in order to prevent damage to the company).
The implementation of specific measures ensuring compliance with these duties is generally at the discretion of the management board.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
There is generally no requirement for companies to share such details with industry or other stakeholders. However, if a cybersecurity threat has materialised, affected companies must share details with the BSI and data protection authorities under different cyber-statutes (see question 5).
5 Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Article 33 of the General Data Protection Regulation (GDPR) imposes a mandatory notification requirement in the case of a personal data breach. A ‘personal data breach’ is defined in Article 4(12) of the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Pursuant to Article 33(1) of the GDPR, the data controller must generally give notice to the supervisory authority within 72 hours of the breach. This notification requirement applies to all personal data (regardless of its sensitivity), unless the breach is unlikely to present a risk to the rights and freedoms of the data subject.
Additionally, Article 34 of the GDPR provides for the "Communication of a personal data breach to the data subject", which requires that notification be given to affected data subjects when their rights and freedoms are at risk. In this case, the controller is obliged to communicate the personal data breach to the data subject without undue delay.
Furthermore, notification requirements exist for operators of critical infrastructure. These must inform the Federal Office for Information Security of disruptions to the availability, integrity, authenticity and/or confidentiality of their IT systems that have or may have led to a failure or significant impairment of the functionality of respective critical infrastructure.
So-called ‘providers of digital services’, such as cloud providers, must report security incidents which have a significant impact on their services; and telecommunications service providers must report impairments of telecommunications networks that have or may have led to significant security breaches, as well as privacy violations.
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
Personal data breach: In case of a personal data breach, Article 33(1) of the GDPR stipulates that the controller must give notice to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the notification is not made within 72 hours, this delay must be justified.
The information to be provided is set out in Article 33(3) of the GDPR and includes:
- a description of the nature of the personal data breach, including the categories and approximate number of data subjects concerned;
- details of the likely consequences of the personal data breach; and
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Additionally, the controller must communicate the personal data breach to affected data subjects without undue delay if the breach is likely to present a significant risk to their rights and freedoms. This communication must describe in clear and plain language the nature of the breach and at least:
- the name and contact details of the relevant data protection officer or contact point;
- the likely consequences of the data breach; and
- the measures taken or proposed by the controller to address the breach and/or mitigate its effects.
In theory, the controller should notify every affected data subject individually. Where this involves disproportionate effort, however, the controller may consider group notifications.
Article 34(3) of the GDPR stipulates exceptions from the communication requirement. These apply if, among other things:
- technical and organisational measures have been applied to the personal data which render it unintelligible to unauthorised persons (eg, encryption); or
- the controller has taken steps to ensure that an originally high risk is no longer likely to materialise.
Several additional notification requirements apply to providers of critical infrastructure and similarly exposed providers in various industries (see question 5.1). Notification in these cases must be provided as soon as is reasonably possible.
5.3 What steps are companies legally required to take in response to cyber incidents?
Apart from complying with the duties outlined in questions 5.1 and 5.2, the company must analyse the risks that led to the materialisation of the cyber incident. Depending on the results of this risk assessment, the company must take steps to mitigate such risks and take all additional measures that are necessary to prevent further damage.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
The legal duties of corporate officers and directors with respect to cyber incident response are similar to those discussed in question 4.3. Corporate officers and directors must diligently manage and organise the company. This duty requires compliance with relevant laws and consequentially also with notification obligations relating to cyber incidents. The aforementioned duties also entail a requirement to:
- identify the risks that led to a respective cyber incident;
- mitigate those risks through appropriate measures; and
- take measures to mitigate the incident's possible adverse effects.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
Yes, some companies maintain cyber-incident insurance policies, although as yet this is still relatively uncommon in Germany as compared to other countries. Due to the rise in cyber-incidents, however, companies are becoming increasingly aware of the need to adequately insure against these risks.
6 Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The most significant legislative reform concerning cybersecurity is the draft IT Security Act 2.0. In 2015, Germany enacted the IT Security Act, which was updated in 2017 in accordance with the Network and Information Security (NIS) Directive. The German Federal Ministry of the Interior now aims to improve cybersecurity still further with the introduction of the IT Security Act 2.0. The NIS Directive allows EU member states to adopt provisions aimed at establishing a higher level of security for NIS systems. Accordingly, in March 2019 the German Federal Ministry of the Interior proposed the draft IT Security Act 2.0, which would introduce some significant changes to the cybersecurity regime.
First, the range of companies affected by the regime will be expanded. The number of the companies classified as operators of critical infrastructure will be increased (eg, operators in the waste management sector will be added); and further categories will be introduced that will be subject to the same obligations as operators of critical infrastructures (‘infrastructure of special public interest’, such as defence companies and stock exchange infrastructure; and ‘operators with cyber-criticality’). Additional obligations will further be introduced for operators of critical infrastructure, such as a requirement to use certain systems to detect attacks and to provide the Federal Office for Information Security (BSI) with the information needed to fulfil its tasks.
Second, the BSI will be given additional tasks and sweeping additional powers. Among other things, the BSI will support the constitutional organs of the federal government in securing their IT infrastructure. The BSI will also be given access to the data of federal service providers (where necessary to protect government networks), and will be authorised to obtain subscriber inventory data from telecommunications providers in order to notify affected individuals of IT attacks and security vulnerabilities.
Last but not least, additional criminal offences will be introduced and law enforcement powers will be expanded. For example, the unauthorised use of IT systems would constitute a criminal offence under a new Section 202e of the Criminal Code. Furthermore, the range of penalties for numerous data crimes will be drastically increased (up to five years' imprisonment). Amendments to the Code of Criminal Procedure will allow law enforcement authorities to use telecommunications interception, online searches and traffic data requests to investigate and prosecute certain cybercrimes.
7 Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
Failure to invest and organisational obstacles: Medium-sized companies and so-called ‘hidden champions' (larger but relatively unknown companies which are market leaders in their industry) play an important role in the German economy. Nevertheless, many of these companies do not invest sufficiently in their IT security infrastructure, which can put both themselves and – due to their economic importance – the German economy as a whole at greater risk. Furthermore, in order to implement IT security software, employment law principles and provisions must be taken into account. Many companies have works councils, which must be consulted and involved in this implementation.
Private use of employers' IT infrastructure: Some employers allow their staff to use their IT infrastructure (eg, computers, email accounts, mobile phones, internet access) for private purposes. However, the prevailing legal opinion qualifies such employers as telecommunications service providers; as such, they are bound by the principles on the secrecy of telecommunications (Section 88 of the Telecommunications Act). This would preclude the employer from accessing employee data – in particular, data in business email accounts. As employers depend on such access for their ordinary business operations, this could lead to a severe legal conflict with their obligations under the General Data Protection Regulation (GDPR). In order to avoid such a conflict, employers in Germany should consider whether to prohibit the private use of company IT infrastructure in their policies. If such policies nonetheless allow for private use, additional measures should be taken to ensure that the employer can access relevant data as needed.
Clash between privacy rights and cybersecurity: According to Article 32 of the GDPR, the data controller and processor must implement appropriate technical and organisational measures to protect personal data that ensure a level of security appropriate to the risk (ie, the sensitivity and volume of personal data processed). Several IT security solutions are state of the art, such as endpoint detection and response, data loss prevention and security information and event management solutions. However, some functions of these tools allow employers to monitor their employees directly or indirectly. Detailed insight into system and user behaviour (eg, tracking visited websites, sent and received mails, or private data stored on devices) can constitute a grave infringement of employee privacy. For this reason, the German data protection authorities recommend implementing security software whose administration panel allows the scope of the data processing to be adjusted. Employers that want to introduce such a solution should implement technical and organisational measures to minimise the risks. This could be achieved by limiting access to the administration panel or by pseudonymising personal data, so that analysts work with pseudonyms and re-identification of an individual is a separate, controlled step. In any case, the employer should consider whether the implementation of a solution might require a data protection impact assessment pursuant to Article 35 of the GDPR.
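The following is an added example, not code from the article or from any product it mentions, of what "pseudonymising personal data" in security tooling can look like in practice. It assumes a SIEM or EDR pipeline that emits JSON-like events with a `user` field; the events, the key and the role names are constructed for illustration. Account names are replaced by a keyed hash (HMAC) before events reach the analyst view, a detection still runs on the pseudonymous stream, and the pseudonym-to-identity table is held apart and only answers to a named role, so that re-identifying an employee is a deliberate, logged decision rather than a side effect of every dashboard query.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlsplit

# Constructed demo key. In production this lives in a KMS/HSM under the
# control of a data-protection role, not of the SOC analysts who query the SIEM.
PSEUDONYM_KEY = b"demo-key-rotate-me-0123456789abcdef"

# Constructed sample EDR/SIEM events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T09:12:03Z", "host": "ws-017", "user": "j.mueller", "event": "logon_failed"},
    {"ts": "2024-01-08T09:12:09Z", "host": "ws-017", "user": "J.Mueller", "event": "logon_failed"},
    {"ts": "2024-01-08T09:12:15Z", "host": "ws-017", "user": "j.mueller", "event": "logon_failed"},
    {"ts": "2024-01-08T09:13:40Z", "host": "ws-017", "user": "j.mueller", "event": "logon_success"},
    {"ts": "2024-01-08T09:15:02Z", "host": "ws-042", "user": "a.schmidt", "event": "logon_failed"},
    {"ts": "2024-01-08T09:20:11Z", "host": "ws-042", "user": "a.schmidt", "event": "web_request",
     "url": "https://example.org/private-mail"},
]


def pseudonymise_user(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the account name.

    HMAC rather than a plain SHA-256: without the key, nobody can hash a list of
    likely user names to reverse the mapping. Case and whitespace are normalised
    so 'J.Mueller' and 'j.mueller' collapse to one pseudonym and correlation
    across events still works.
    """
    digest = hmac.new(key, user.strip().lower().encode("utf-8"), hashlib.sha256)
    return "u-" + digest.hexdigest()[:16]


def minimise_event(event: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Copy of an event fit for the analyst view: the user becomes a pseudonym and
    a URL, which may reveal private browsing, is cut down to its host."""
    out = dict(event)
    out["user"] = pseudonymise_user(event["user"], key)
    if "url" in out:
        out["url"] = urlsplit(out["url"]).netloc
    return out


def minimise_events(events, key: bytes = PSEUDONYM_KEY) -> list:
    return [minimise_event(e, key) for e in events]


def failed_logon_bursts(events, threshold: int = 3) -> dict:
    """Detection running on the minimised stream: pseudonymous users with at
    least `threshold` failed logons. Returns {pseudonym: count}."""
    counts = Counter(e["user"] for e in events if e["event"] == "logon_failed")
    return {u: n for u, n in counts.items() if n >= threshold}


class ReidentificationVault:
    """Pseudonym -> identity table kept apart from the SIEM.

    Lookups are gated on a role (role names are constructed) and recorded in an
    audit log, so re-identifying a person is a deliberate step by, for instance,
    the incident lead rather than something every query does implicitly.
    """

    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self._table = {}
        self.audit_log = []

    def register(self, user: str) -> str:
        pseudonym = pseudonymise_user(user, self._key)
        self._table[pseudonym] = user.strip().lower()
        return pseudonym

    def reidentify(self, pseudonym: str, requester: str, roles, required=("incident-lead",)) -> str:
        if not set(required) & set(roles):
            self.audit_log.append(("denied", requester, pseudonym))
            raise PermissionError(f"{requester} lacks one of the roles {required}")
        self.audit_log.append(("granted", requester, pseudonym))
        return self._table[pseudonym]


def investigate(events=SAMPLE_EVENTS, key: bytes = PSEUDONYM_KEY) -> dict:
    """End to end: minimise, detect, then re-identify only the accounts that hit."""
    vault = ReidentificationVault(key)
    for e in events:
        vault.register(e["user"])
    hits = failed_logon_bursts(minimise_events(events, key))
    return {vault.reidentify(p, "incident-lead-on-call", ["incident-lead"]): n
            for p, n in hits.items()}


if __name__ == "__main__":
    for e in minimise_events(SAMPLE_EVENTS):
        print(e)
    print(investigate())
```

The design choice worth noting is that the key and the vault are two different secrets with two different owners: an analyst with SIEM access but neither the key nor a vault role sees stable pseudonyms, can still correlate and detect, and cannot name anyone. Rotating the key breaks correlation across the rotation boundary, which is usually acceptable for retention periods of a few weeks.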
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.