Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013,...

7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS

1/10

Obtaining Works Council Approval to Collect Employee E-Mail and Electronic Documents

I. Executive ummary

Companies that seek to collect German employee E-mails and electronic documents all confront

the same hurdle: obtaining permission from their companys works council. Germanys workscouncils have earned a reputation as fierce protectors of employee privacy rights, often reecting

corporate efforts to search through employee data. !heir opposition invokes the rights and

protections afforded German employees pursuant to the "##$ E.%. &ata 'rotection &irective aswell as German federal and state data protection laws.

!his white paper will address several (uestions that arise in dealing with German works

councils, such as

) *hat is a works council and how do they function+

) *hat is the German data protection regime upon which the works councils can base their

obections+) *hat steps can a company take to maimise the probability that its data collection methodology

will be approved by its works council+

II. !"e Works Council

*orks councils have been an integral part of German business and industry since the early th

century. !he first works council provision was enacted following *orld *ar / and has eisted in

various forms ever since. !he eisting law is enshrined in the *orks Constitution 0ct of "#1

23etriebsverfassungsgeset45 and applies to private enterprises with more than five permanent

employees of voting age."#

*orks councils are established through democratic processes. Candidates for works councilsmust secure a certain amount of signatures from their fellow employees to be eligible for

election.!rade unions may also nominate candidates for election, but cannot compel their

members to vote a specificway.6 *orks council member are elected directly by company employees through a secret ballot,

though employees are not re(uired to vote,77

and generally serve for four years.$$

!he si4e of aworks council depends on the number of employees within a company and the *orks

Constitution 0ct also re(uires works councils to proportionately represent certain types of

employees.8.8

%nder the *orks Constitution 0ct, works councils have the right to co-determination in matters

affecting company structure, personnel decisions, and policies regulating workplace andindividual conduct within the company.$!he rights of a works council can be categorised as

follows:

) In%ormation& !he works council has the right to information regarding the implementation or


2/10

change of practices or policies at the company. /f necessary, the employer must provide

documentation to that effect.

) Consultation and Cooperation& !he works council has the right to consult and cooperate withmanagement to ointly discuss and develop the topic at issue.

) 'eto (ig"t& 0 works council has the right to block certain management decisions.

!he employer is re(uired to keep the works council fully informed in matters relating to

operations and personnel planning so that the council can participate in drafting company policy.9

!he purpose of this is to allow the works council to cooperate with management to avoidpotential disputes and raise relevant concerns or other suggestions. !he works council

resolutions re(uire a (uorum of fifty percent and resolutions are adopted by simple maority

unless otherwise re(uired by law.#*orks councils and management may, formally or informally,

enter into valid and binding agreements#)formal agreements are immediately binding onemployer and employees and informal agreements generally re(uire additional steps, such as the

amendment of an employee contract. !he works council may only enter into works bargaining

agreements in those areas of business operation where the *orks Constitution 0ct confers rights

of participation on it. Collective bargaining agreements between employer associations and tradeunions have absolute priority over works bargaining agreements, even if the latter are more

favorable to the work force.""

/n the event that disputes between works councils and management cannot be resolved amicably,

the parties may be assisted by the conciliation board, a body with arbitration and mediationduties."0ssuming that both parties agree to be bound by its decision beforehand, the

conciliation boards ruling is final and binding and is appealable only on the grounds that the

board has violated general principles of law."6

III. *erman Data +rotection

*hen works councils assert their right to approve or disapprove employee data collectionmethodologies, they are in part invoking their rights pursuant to European %nion law, German

federal law, and the data protection laws of their home states. !he E% &ata 'rotection &irective

authorises the processing of employee data as long as it is necessary to protect the legitimateinterest of another party and as long as the employees interests and fundamental freedoms are

not overridden.#,Each member state has enacted legislation that effectuates the general tenets of

the E% &irective.;n


3/10

violations of the law and sets out penalties for such infractions. =or eample, under the 0ct, the

collection of employee data in administrative violations is permissible only if the processing is

necessary."# ;n the other hand, in criminal violations, data collection may occur if 2"5 there is adocumented reason to believe the employee has committed a crime, 25 the data processing is

necessary to investigate the crime, and 265 the employee does not have an overriding legitimate

interest in ruling out the possibility of data collection.

/t also allows for collection of employeedata under certain circumstances and calls for a balance between the legitimate business

purposes of the company and the legitimate privacy interests of affected employees.#/n some

situations, employee notification and even consent are re(uired for collection of personal data." "1

!he =ederal &ata 'rotection 0ct regulates compliance with the law through company self-

monitoring and eternal government oversight. =or eample, the 0ct re(uires the election of a

=ederal Commissioner for &ata 'rotection and =reedom of /nformation as well as a data

protection official to ensure compliance. /t also differentiates between criminal andadministrative violations of the law as well penalties for such infractions.

&ata protection is also regulated on the state level. !he siteen states of Germany states allall

maintain data protection laws that mirror the =ederal &ata 'rotection 0ct.

"9 6

Each statelegislative body appoints its own >tate Commissioner for &ata 'rotection. !he >tate

Commissioner operates independently and is supervised by the 'resident of the statelegislature."#7 !he >tate Commissioner also oversees private organisations within its urisdiction

to ensure compliance with the state data protection law. $ ?ike the =ederal 0ct, the state data

protection laws provide for notification and the obtaining of consent before processing ofpersonal data can take place.

Compliance with the German data protection regime is achieved through self-monitoring within

the company and eternal oversight by federal and state officials. =ederal and state dataprotection commissioners are responsible for ensuring that companies comply with the law and

are empowered to investigate violations. !hese commissioners may also perform audits to ensure

that a companys organisational and technological safeguards sufficiently comply with theapplicable data protection law.8"

Companies are also re(uired to self-regulate to ensure their own internal compliance eachcompany is re(uired to appoint a &ata 'rotection ;fficer to monitor its practices. !he &ata

'rotection ;fficer reports directly to corporate management and is responsible for ensuring

compliance with applicable data protection laws and representing the company to the eternal

government agencies that enforce the 3&>G at the state and federal levels. 1!he &ata'rotection ;fficer is also tasked with ensuring that deficiencies in a companys data protection

regime are rectified. Employees whose data is targeted may approach the data protection officer

any time they have concerns.96

I'. ecuring Works Council Approval to Collect Employee Data

*orks councils are different in every company, and each company has an individual relationship

with their works councils that will affect their presentation on this topic.

*e offer the following suggestions for successful works council applications:


4/10

) *et on t"e orks council agenda as early as possible. %sually this is handled through the

companys @A department, which generally interfaces with the works council. /n the case of theauto maker, it took months ust to get onto the agenda for a monthly meeting.

) Make your presentation in *erman. !his may sound obvious, but its worth noting that even

though the managers who run your data collection operations are English speakers, they shouldemploy a German-speaking manager to make the presentation and field (uestions 2the

presentation materials used should be in German as well5. /f there is an non-German speaking

manager with significant collection responsibility, they should also attend, both out of respectand to be available for tough (uestions.

) Emp"asise t"at EnCase Enterprise can enable you to avoid collecting employee personal E-mail or documents. *ith EnCase Enterprise, your collections will cull through the data and

preserve only those E-mails and electronic documents that meet precise search criteria, includingkeywords and file types. ;ther documents that do not meet the search criteria B including private

personal data B will be left behind.

) Assure t"at collections ill be done /in-country0. >ome works councils are reassured when

told that all collections will be done from within Germany, rather than operated from a locationin another European member state or else outside Europe. EnCase Enterprise technology allows

for an eaminerD 2a laptop or workstation from which the EnCase search is operated5 to beplaced inside Germany, even if that is not its usual location.

) Discuss "o EnCase Enterprise can be con%igured to prevent employee data %rom beingtrans%erred outside Europe. E% data protection laws permit transfers to other Europeanurisdictions, but prevent most transfers outside Europe. EnCase Enterprise can be configured to

prevent searches of European employee data from outside of Europe, and prevents the transfer of

data collected to locations outside Europe.

) Emp"asise t"at existing investigative policies already approved by t"e orks council ill

remain in place. =or eample, @A policies relating to the investigation of potential employee

wrongdoing had long ago been approved by the works council and will not be affected by the use

of EnCase Enterprise technology. !hat data would go directly to the companys @A team andwould be handled the same as before.

) +ermit employees to create a /personal %older.0 /f employees create a folder in their computer

file structure with an agreed-upon folder name in which they can place all of their personal data,EnCase Enterprises search criteria can be configured to leave that folder untouched, so that none

of that data will be collected.

) Ability to restrict searc"es by %ile type. Employees can be sensitive about certain types of files

that may not be of interest to the company B personal photographs, for instance. *ith EnCaseEnterprise, these file types can be ecluded.

) Companies s"ould ensure t"at contracts %ul%ill re1uirements o% t"e la. Companies should

review all contracts to ensure that they comply with the minimum re(uirements set out in thelaw. !hese re(uirements include, but are not limited to, scope and purposes of the data

processing, security measures, data processor obligations, subcontracting rights, audit rights,

return of storage media and disposal.D#

'. Conclusion

Companies seeking approval from works councils, particularly companies based outside of


5/10

Germany, must approach their works councils with sensitivity toward the interest in the

protection of the employees personal data. !his sensitivity is often not enough to obtain the

works councils blessing for a collection methodology the concerns are that the collectionmethodology may epose personal employee information and the employee data may be

accessed from outside Germany. !o gain approval, the collection methodology itself must reflect

proactive strategies B including procedures and technology B to guarantee that employees neednot be concerned that their private e-mail and electronic documents will be collected along with

those the company re(uires for legal purposes.

A++E2DI3 I& 4ey +layers

5ederal Data +rotection Commissioner&

&ata 'rotection Commissioner who is elected by the German 'arliament for a term of si yearsand is independent in the eercise of his duties and subect only to the law. %pon discovering

violations of the German =ederal &ata 'rotection 0ct, the &ata 'rotection Commissioner may

obect and demand correction of the violation. !he Commissioner is supported in his duties by

the &ata 'rotection Commission, a group of ten members of 'arliament that provide an advisorypanel to the Commissioner.

tate Data +rotection Commissioners&

uch like the =ederal &ata 'rotection Commissioner, each states 'arliament elects a &ata

'rotection Commissioner to monitor compliance with that states &ata 'rotection 0ct.

Company Data +rotection O%%icer&

Companies appoint &ata 'rotection ;fficers within their organisations. !hese officers are

responsible for 2"5 controlling data by preventing unauthorised persons from accessing orentering personal data 25 assuring that those who have access to the data processing system are

only accessing the data they have authority to access 265 assuring that at no point can data be

collected, modified or removed without authorisation 275 that the modification of data can bedocumented 2$5 assuring that whenever data is disclosed it is documented 285 assuring that the

processing agent is only collecting data in accordance with a businesss instructions and that such

data is protected from destruction.

Works Councils&

*orks councils are re(uired for companies that normally employee five or more eligible

employees. 0 works council is a form of workplace democracy whereby representatives electedby employees are given management functions. *orks councils have the right to co-

determination in matters affecting organisational structure, personnel decisions, and policies

regulating workplace and individual conduct within the company. !his means that any proposedpolicy must first be approved by the works council in order to be implemented by the company.

A++E2DI3 II& 6se%ul 7inks

E6 Directive 8Englis" version9&

http:FFeurle.europa.euF?e%ri>ervF?e%ri>erv.do+uriCE?EH:6"##$?78:EI:@!?
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTMLhttp://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML


6/10

*erman 5ederal Data +rotection Act 8in Englis"9&

http:FFwww.bfdi.bund.deFEIF&ata'rotection0ctsF0rtikelF3&>GJid=v"##.pdf+

JJblobpublication=ilehttp:FFwww.bfdi.bund.deFclnJ1FnnJ#7876FEIF&ata'rotection0ctsF0rtikelF3undesdatenschut4

gese t4-

=ederal&ata'rotection0ct,template/draw,propertypublication=ile.pdfF3undesdatenschut4geset4- =ederal&ata'rotection0ct.pdf.

Works Constitution Act 8in Englis"9&

http:FFhikwww".f4k.deFbrFcontentFworksConstitution0ct-3etrKG.pdf

7inks to elected *erman tates: Data +rotection 7as 8unless ot"erise noted; all

documents in *erman9&

esse&

http:FFwww.datenschut4.hessen.deFhdsg##.htm

Mecklenburg-'orpommern&

http:FFwww.lfd.m-v.deFdschut4FgesJverFguvFguvJcJ.html

7oer axony&

http:FFcdl.niedersachsen.deFblobFimagesFC876799J?.pdf
http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://www.zv.uni-wuerzburg.de/datenschutz/Gesetze/bayer_datenschutzgesetz.htmhttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://www.zv.uni-wuerzburg.de/datenschutz/Gesetze/bayer_datenschutzgesetz.htm


7/10

2ort" ("ine-Westp"alia& https:FFwww.ldi.nrw.deF

("ineland-+alatinate&

http:FFwww.datenschut4.rlp.deFrgrundlagenFa"J$.html

aarland&

http:FFwww.lfdi.saarland.deFhtmlFlfd-internetFdatenschut4rechtFsdsgJ1.pdf

axony&

http:FFwww.sachsen.deFdeFbfFstaatsregierungFministerienFsmiFsmiFuploadF>achs&>G6.pdf

c"lesig->olstein 8in Englis"9&

https:FFwww.datenschut44entrum.deFmaterialFrechtFldsg-eng.htm

!"uringia&

http:FFwww.thueringen.deFdatenschut4Fgeset4eJrechtsvorschriftenFthueringenFdatenschut4geset4F

2O!E">ee *orks Constitution 0ct 23etriebsverfassungsgeset4 5 Q", available at

http:FFwww.bmwi.deFEnglishFAedaktionF'dfFJJ0rchivFlabour-lawFworks-constitution-

act",propertypdf,bereichbmwi,sprachede,rwbtrue.pdf*orks Constitution 0ct Q"725.6 *orks Constitution 0ct Q"72$5.7 *orks Constitution 0ct Q"72"5.$ *orks Constitution 0ct Q".8 *orks Constitution 0ct Q"$25.1 /ngebRrg &arsow,Implemenation of Ethics Codes in Germany: The Wal-Mart Case,

%niversitat 'ompeu =abra, 2arch $5 available athttp:FFwww.upf.eduFiuslaborF6$Fart"".htm9*orks Constitution 0ct Q9, 9", 9$, 9#.#*orks Constitution 0ct Q66." *orks Constitution 0ct Q11."" *orks Constitution 0ct Q112$5." *orks Constitution 0ct Q18."6 *orks Constitution 0ct Q#8."7 &irective #$F78FEC of the European 'arliament and of the Council of ;ctober 7, "##$,

>ection //, art. 1, ;fficial


8/10

"8 =ederal &ata 'rotection 0ct 23undesdatenschut4geset4,5 Q", available at

http:FFwww.bfdi.bund.deFEIF&ata'rotection0ctsF0rtikelF3&>GJid=v"##.pdf+

JJblobpublication=ile"1 =ederal &ata 'rotection 0ct Q8."9 =ederal &ata 'rotection 0ct Q"2"5.

"# =ederal &ata 'rotection 0ct Q6 =ederal &ata 'rotection 0ct Q6

" =ederal &ata 'rotection 0ct Q7. 0lthough the =ederal &ata 'rotection 0ct specifies several

times that notification of the data subect is re(uired, >ection 66 of the =ederal 0ct provides

eceptions to the re(uirement of notification and consent, including:- if a data subect has otherwise received notification such that it is unnecessary to inform

the subect a second time

- if the data recording or transfer is epressly laid down by law- if there is an overriding interest that re(uires the storage of the data in secrecy due to a

legal interest of a third party=ederal &ata 'rotection 0ct Q6625. =ederal &ata 'rotection 0ct Q72f5, Q6 >ee >idebar titled %seful ?inksD for links to various state data protection laws.7 See, e.., 3avarian Constitution, 0rt. 662a5, available athttp:FFwww.bayern.landtag.deFenFbayerJverfassungJersterJhauptteil.htmlU7 >aony- 0nhalt

&ata 'rotection 0ct, Q, available at http:FFwww.sachsen-

anhalt.deF?'>0FfileadminFElementbibliothekF3ibliothekJ'olitikJundJKerwaltungF3ibli

othekJ?=&F'&=FbinaryFKorschriftenF?andFdsg-lsaFEnglishFpar"#JutJtoJ7.pdf,see also

>aony-0nhalt &ata 'rotection 0ct, Q.$ >aony-0nhalt &ata 'rotection 0ct, Q.

8 =ederal &ata 'rotection 0ct Q69.1 =ederal &ata 'rotection 0ct Q72f5.9 =ederal &ata 'rotection 0ct Q72f52$5.# @unton L *illiams, Germany 0dopts >tricter &ata 'rotection ?aw B >erious /mpact on3usiness Compliance, 2


9/10

"*orks Constitution 0ct Q11.

""*orks Constitution 0ct Q112$5.

"*orks Constitution 0ct Q18.

"6

*orks Constitution 0ct Q#8."7&irective #$F78FEC of the European 'arliament and of the Council of ;ctober 7, "##$,

>ection //, art. 1, ;fficial ee >idebar titled %seful ?inksD for links to various state data protection laws.

"#>ee, e.g., 3avarian Constitution, 0rt. 662a5, available at

http:FFwww.bayern.landtag.deFenFbayerJverfassungJersterJhauptteil.htmlU7 >aony- 0nhalt&ata 'rotection 0ct, Q, available at http:FFwww.sachsen-

anhalt.deF?'>0FfileadminFElementbibliothekF3ibliothekJ'olitikJundJKerwaltungF3ibli

othekJ?=&F'&=FbinaryFKorschriftenF?andFdsg-lsaFEnglishFpar"#JutJtoJ7.pdf"#

>aony-0nhalt &ata 'rotection 0ct, Q.

>aony-0nhalt &ata 'rotection 0ct, Q."=ederal &ata 'rotection 0ct Q69.

=ederal &ata 'rotection 0ct Q72f5.

6=ederal &ata 'rotection 0ct Q72f52$5.

A


10/10

'atrick oftware, /nc., previously practiced in

the commercial litigation department of ?inklaters, where he served on the firms e&iscovery

*orking Group. 'atrick gratefully acknowledges the valuable contributions by his ?egal /ntern&onna >alcedo. /nterns ?awrence Estrada and Vrystal oftware, visit www.guidancesoftware.com

!his paper is provided as an informational resource only. !he information contained in thisdocument should not be considered or relied upon legal counsel or advice.

Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013,...

Documents

Transcript of Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013,...