By Flemming Moos

Flemming Moos explores the workplace spying scandals that have rocked German businesses in recent months and have led to a hastened cry for passage of an Employee Privacy Act.

The cat was set among the pigeons when it was revealed last year that the major German retail chain, Lidl, which employs about 53,000 people in the nation, had systematically monitored its employees with hidden cameras. And what seemed to be a regrettable singular case at first glance quickly turned out to be just the first in a series of employee-spying scandals among German companies. Prestigious and well-established businesses such as national rail operator Deutsche Bahn, Airbus, and Deutsche Telekom, Europe’s biggest phone company, all confirmed they had conducted clandestine surveillance on their staff. The companies defended many of these activities as part of their efforts to root out corruption. In the case of the Deutsche Bahn, for example, the personal details—including names, addresses, and bank details of some 173,000 employees (including train conductors and others)—were compared with approximately 80,000 suppliers. In the case of Deutsche Telekom, officials tracked senior executives’ phone calls in order to identify the source in leaks of sensitive financial information to journalists.

Sanctions for unlawful spying on staff

In the wake of these privacy scandals, political leaders held an emergency summit in Berlin in February 2009. They agreed that an “Employee Privacy Act” should be included in an update of current data protection laws. This new law is expected to be accepted soon after the new German government is elected this fall. In the course of this legislative action, statutory provisions will be introduced which shall, inter alia, regulate if and under which conditions monitoring employees can be carried out lawfully.

Yet, even currently applicable German data protection laws do not permit spying on employees in any case. Rather, many monitoring practices are unlawful and can be punished by harsh fines. Lidl experienced this quite dramatically. Its hidden-camera surveillance activities were found to have violated data protection laws and the company was ordered to pay a fine of 1.5 million Euros (approximately two million dollars). This is, by far, the highest fine ever issued by German data privacy watchdogs. Moreover, several managers from the companies caught up in privacy scandals have already lost their jobs, including the head of Lidl’s German operations, Frank-Michael Mros, and even Deutsche Bahn chief executive Hartmut Mehdorn—his justifications for the surveillance practices were found insufficient.

Therefore, in order to avoid such consequences, companies should ensure that all surveillance practices comply with legal requirements. Here they are in brief:

Data privacy background for employee surveillance measures

Even though, for the moment, Germany has no Employee Privacy Act, there are several laws that mandate rather strict protection of employee data. First of all, the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) apply to the collection, processing, and use of employees’ personal data. Secondly, specific data protection obligations might follow from applicable Works Agreements.

Moreover, the employee’s privacy is protected by his or her respective personal right (allgemeines Persönlichkeitsrecht), which is enshrined in the German Constitution. In particular, the fundamental right to informational self-determination and the fundamental right to confidentiality and integrity of IT systems are significant constitutional guarantees for employment relationships in Germany. The employer is obliged to safeguard and promote the free development of its employees’ personalities (Sec. 75 (2) Works Constitution Act). On top of the aforementioned constitutional rights, labour courts’ extensive case law has developed principles for protecting the right to privacy of German employees.

Monitoring mechanisms in the workplace affect the privacy rights of employees. Under the BDSG, video surveillance of premises that are open to the public (which may include salerooms and restaurants) might be allowed, but only subject to the following requirements: (1) there is no indication of a prevailing legitimate interest of the individuals and (2) the surveillance is necessary for the purpose of:

  • enabling public agencies to fulfill their tasks;
  • keeping out trespassers; or
  • achieving justified interests in certain defined situations (e.g. suspicion of crime).

Employers must make clear in advance that surveillance will be conducted and must specify who will be included. The data must be deleted as soon as it is no longer needed for the defined purpose. Clandestine surveillance of public premises is not permissible at all.

More relevant in practice is the surveillance of premises with restricted access. According to case law, the right to informational self-determination of the employees implies that they can freely decide whether they may be videotaped and whether the pictures can be used against them. Moreover, there is also protection for the spoken word. An example is the right to determine for oneself whether the spoken word should be available to the partner of the conversation only, or also made accessible to third parties or even the general public, and whether it may be recorded by electronic or other means.

The assertion of the overriding legitimate interests of the employer may justify interference in the employee’s privacy rights. When there is a conflict between the general privacy rights of the employee and the employers’ interests, the legally protected interests have to be weighed against the employers’ interests to determine on a case-by-case basis whether the general right to privacy merits priority.

According to the Federal Labour Court, clandestine surveillance by technical devices is only permitted if:

  • there is a specific indication of a criminal offence or other serious misconduct at the expense of the employer;
  • less drastic means to clear up the suspicion have been exhausted;
  • covert surveillance is practically the only remaining means; and
  • the surveillance is proportionate (for example, a cash deficit that cannot be cleared up in any other way).

Surveillance measures are not allowed to invade the employee’s private sphere. Therefore, video surveillance is never permitted in such places as changing rooms and toilets (which had reportedly happened at Lidl). Even if the employees have been informed that a video camera or a similar technical device will be installed at the workplace, it does not mean that surveillance is automatically admissible. In most cases, continuous surveillance is considered an infringement on employees’ personal rights due to the pressure brought about by the constant observation. This applies particularly in situations where the employer has the potential to use undetected surveillance. Again, in this case the interests of the employees have to be weighed against the legitimate interests of the employer.

The above-mentioned principles to safeguard the employee’s privacy also apply to other surveillance measures by employers, such as eavesdropping on employees’ phone calls. Employees must be notified in advance if such calls are to be intercepted.

Apart from this notification requirement, which is also enshrined in Article 10 of the EC Directive 95/46, the principle of necessity must be observed when monitoring employees. According to Article 6 para 1 (c) EC Directive 95/46, the data processing must be “adequate, relevant, and not excessive in relation to the purposes.” Privacy watchdogs have cast doubts as to whether the above-mentioned surveillance practices comply with these requirements. In particular, they have questioned whether, for the purpose of fighting corruption, it is necessary to include every employee—independent of his or her function—in the monitoring measures, irrespective of whether there had been a relevant risk of corruption in the individual case.

Involvement of the Works Council and the data protection officers

Additionally, the monitoring of employees triggers a co-determination right by the Works Council (sec. 87 para. 1 no. 6 of the German Works Constitution Act). The Works Council has a right of co-determination, especially in the event of the introduction and application of technical systems which are suitable for monitoring the conduct or performance of the employees. This will generally be the case for all surveillance systems, such as closed-circuit television (CCTV), and others.

Finally, in most of the cases mentioned above, the companies’ internal data protection officers had not been involved before the surveillance practices began, despite the data controller’s statutory obligation to inform the data privacy officer in good time of its plans for such data processing steps.


It remains to be seen whether the legislator, when drafting the new Employee Privacy Act, will confine itself to merely taking over these existing restrictions on employee surveillance into the new law, or rather tighten the legal framework (as it currently plans to do for the marketing use of customer data). The Federal Ministry of Labour and Social Affairs, which will present the draft, has announced that it will not only attempt to regulate video surveillance but will also craft detailed provisions for issues such as e-mail and Internet monitoring in the workplace, and for protecting whistleblowers. The first announcements of ministry officials argue for a stricter approach. The declared aim of the new law is to specify the existing workplace rules, and to adapt them to the requirements of a modern working environment. This is all the more reason for companies to duly revise their employee surveillance and data governance practices in Germany.

Flemming Moos is an attorney at DLA Piper and chair of the IAPP KnowledgeNet in Hamburg, Germany. He is a certified specialist for information technology law and a member of the IAPP Publications Advisory Board. He can be reached at flemming.moos@dlapiper.com.

