
By Flemming Moos

Flemming Moos explores the workplace spying scandals that have rocked German businesses in recent months and have led to a hastened cry for passage of an Employee Privacy Act.

The cat was set among the pigeons when it was revealed last year that the major German retail chain, Lidl, which employs about 53,000 people in the nation, had systematically monitored its employees with hidden cameras. And what seemed to be a regrettable singular case at first glance quickly turned out to be just the first in a series of employee-spying scandals among German companies. Prestigious and well-established businesses such as national rail operator Deutsche Bahn, Airbus, and Deutsche Telekom, Europe’s biggest phone company, all confirmed they had conducted clandestine surveillance on their staff. The companies defended many of these activities as part of their efforts to root out corruption. In the case of the Deutsche Bahn, for example, the personal details—including names, addresses, and bank details of some 173,000 employees (including train conductors and others)—were compared with approximately 80,000 suppliers. In the case of Deutsche Telekom, officials tracked senior executives’ phone calls in order to identify the source in leaks of sensitive financial information to journalists.

Sanctions for unlawful spying on staff

In the wake of these privacy scandals, political leaders held an emergency summit in Berlin in February 2009. They agreed that an “Employee Privacy Act” should be included in an update of current data protection laws. This new law is expected to be accepted soon after the new German government is elected this fall. In the course of this legislative action, statutory provisions will be introduced which shall, inter alia, regulate if and under which conditions monitoring employees can be carried out lawfully.

Yet, even current applicable German data protection laws do not permit spying on employees in any case. Rather, many monitoring practices are unlawful and can be punished by harsh fines. Lidl experienced this quite dramatically. Its hidden-camera surveillance activities were found to have violated data protection laws and the company was ordered to pay a fine of 1.5 million Euros (approximately two million dollars). This is, by far, the highest fine ever issued by German data privacy watchdogs. Moreover, several managers from the companies caught up in privacy scandals have already lost their jobs, including the head of Lidl’s German operations, Frank-Michael Mros, and even Deutsche Bahn chief executive Hartmut Mehdorn, whose justifications for the surveillance practices were found insufficient.

Therefore, in order to avoid such consequences, companies should ensure that all surveillance practices comply with legal requirements. Here they are in brief:

Data privacy background for employee surveillance measures

Even though, for the moment, Germany has no Employee Privacy Act, there are several laws that mandate rather strict protection of employee data. First of all, the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) apply to the collection, processing, and use of employees’ personal data. Secondly, specific data protection obligations might follow from applicable Works Agreements.

Moreover, the employee’s privacy is protected by his or her general right of personality (allgemeines Persönlichkeitsrecht), which is enshrined in the German Constitution. In particular, the fundamental right to informational self-determination and the fundamental right to confidentiality and integrity of IT systems are significant constitutional guarantees for employment relationships in Germany. The employer is obliged to safeguard and promote the free development of its employees’ personalities (Sec. 75 (2) Works Constitution Act). On top of the aforementioned constitutional rights, labour courts’ extensive case law has developed principles for protecting the right to privacy of German employees.

Monitoring mechanisms in the workplace affect the privacy rights of employees. Under the BDSG, video surveillance of premises that are open to the public (which may include salerooms and restaurants) may be allowed, but only subject to the following requirements: (1) there is no indication of a prevailing legitimate interest of the individuals and (2) the surveillance is necessary for the purpose of:

  • enabling public agencies to fulfill their tasks;
  • keeping out trespassers; or
  • achieving justified interests in certain defined situations (e.g. suspicion of crime).

Employers must make clear in advance that surveillance will be conducted and must specify who will be included. The data must be deleted as soon as it is no longer needed for the defined purpose. Clandestine surveillance of public premises is not permissible at all.

More relevant in practice is the surveillance of premises with restricted access. According to case law, the right to informational self-determination of the employees implies that they can freely decide whether they may be videotaped and whether the pictures can be used against them. Moreover, there is also protection for the spoken word. This covers, for example, the right to determine for oneself whether the spoken word should be available to the partner of the conversation only, or also made accessible to third parties or even the general public, and whether it may be recorded by electronic or other means.

The assertion of the overriding legitimate interests of the employer may justify interference in the employee’s privacy rights. When there is a conflict between the general privacy rights of the employee and the employers' interests, the legally protected interests have to be weighed against the employers’ interests to determine on a case-by-case basis whether the general right to privacy merits priority.

According to the Federal Labour Court, clandestine surveillance by technical devices is only permitted if:

  • there is a specific indication of a criminal offence or other serious misconduct at the expense of the employer;
  • less drastic means to clear up the suspicion have been exhausted;
  • covert surveillance is practically the only remaining means; and
  • the surveillance is proportionate (for example, a cash deficit that cannot be cleared up in any other way).

Surveillance measures are not allowed to invade the employee’s private sphere. Therefore, video surveillance is never permitted in such places as changing rooms and toilets (which had reportedly happened at Lidl). Even if the employees have been informed that a video camera or a similar technical device will be installed at the workplace, it does not mean that surveillance is automatically admissible. In most cases, continuous surveillance is considered an infringement on employees’ personal rights due to the pressure brought about by the constant observation. This applies particularly in situations where the employer has the potential to use undetected surveillance. Again, in this case the interests of the employees have to be weighed against the legitimate interests of the employer.

The above-mentioned principles to safeguard the employee’s privacy also apply to other surveillance measures by employers, such as eavesdropping on employees’ phone calls. Employees must be notified in advance if such calls are to be intercepted.

Apart from this notification requirement, which is also enshrined in Article 10 of the EC Directive 95/46, the principle of necessity must be observed when monitoring employees. According to Article 6 para 1 (c) EC Directive 95/46, the data processing must be “adequate, relevant, and not excessive in relation to the purposes.” Privacy watchdogs have cast doubts as to whether the above-mentioned surveillance practices comply with these requirements. In particular, they have questioned whether, for the purpose of fighting corruption, it is necessary to include every employee, independent of his or her function, in the monitoring measures, irrespective of whether there had been a relevant risk for corruption in the individual case.

Involvement of the Works Council and the data protection officers

Additionally, the monitoring of employees triggers a co-determination right by the Works Council (sec. 87 para. 1 no. 6 of the German Works Constitution Act). The Works Council has a right of co-determination, especially in the event of the introduction and application of technical systems which are suitable for monitoring the conduct or performance of the employees. This will generally be the case for all surveillance systems, such as closed-circuit television (CCTV), and others.

Finally, in most of the cases mentioned above, the companies’ internal data protection officers had not been involved before the surveillance practices began, despite the data controller’s statutory obligation to inform the data privacy officer in good time of its plans for such data processing steps.


It remains to be seen whether the legislator, when drafting the new Employee Privacy Act, will confine itself to merely taking over these existing restrictions on employee surveillance into the new law, or rather tighten the legal framework (as it currently plans to do for the marketing use of customer data). The Federal Ministry of Labour and Social Affairs, which will present the draft, has announced that it will not only attempt to regulate video surveillance but also will craft detailed provisions for issues such as e-mail and Internet monitoring in the workplace, and for protecting whistleblowers. The first announcements of ministry officials argue for a stricter approach. The declared aim of the new law is to specify the existing workplace rules, and to adapt them to the requirements of a modern working environment. All the more reason for companies to duly revise their employee surveillance and data governance practices in Germany.

Flemming Moos is an attorney at DLA Piper and chair of the IAPP KnowledgeNet in Hamburg, Germany. He is a certified specialist for information technology law and a member of the IAPP Publications Advisory Board. He can be reached at flemming.moos@dlapiper.com.

