Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013,...
-
Upload
patrick-burke -
Category
Documents
-
view
212 -
download
0
Transcript of Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013,...
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
1/10
Obtaining Works Council Approval to Collect Employee E-Mail and Electronic Documents
I. Executive ummary
Companies that seek to collect German employee E-mails and electronic documents all confront
the same hurdle: obtaining permission from their companys works council. Germanys workscouncils have earned a reputation as fierce protectors of employee privacy rights, often reecting
corporate efforts to search through employee data. !heir opposition invokes the rights and
protections afforded German employees pursuant to the "##$ E.%. &ata 'rotection &irective aswell as German federal and state data protection laws.
!his white paper will address several (uestions that arise in dealing with German works
councils, such as
) *hat is a works council and how do they function+
) *hat is the German data protection regime upon which the works councils can base their
obections+) *hat steps can a company take to maimise the probability that its data collection methodology
will be approved by its works council+
II. !"e Works Council
*orks councils have been an integral part of German business and industry since the early th
century. !he first works council provision was enacted following *orld *ar / and has eisted in
various forms ever since. !he eisting law is enshrined in the *orks Constitution 0ct of "#1
23etriebsverfassungsgeset45 and applies to private enterprises with more than five permanent
employees of voting age."#
*orks councils are established through democratic processes. Candidates for works councilsmust secure a certain amount of signatures from their fellow employees to be eligible for
election.!rade unions may also nominate candidates for election, but cannot compel their
members to vote a specificway.6 *orks council member are elected directly by company employees through a secret ballot,
though employees are not re(uired to vote,77
and generally serve for four years.$$
!he si4e of aworks council depends on the number of employees within a company and the *orks
Constitution 0ct also re(uires works councils to proportionately represent certain types of
employees.8.8
%nder the *orks Constitution 0ct, works councils have the right to co-determination in matters
affecting company structure, personnel decisions, and policies regulating workplace andindividual conduct within the company.$!he rights of a works council can be categorised as
follows:
) In%ormation& !he works council has the right to information regarding the implementation or
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
2/10
change of practices or policies at the company. /f necessary, the employer must provide
documentation to that effect.
) Consultation and Cooperation& !he works council has the right to consult and cooperate withmanagement to ointly discuss and develop the topic at issue.
) 'eto (ig"t& 0 works council has the right to block certain management decisions.
!he employer is re(uired to keep the works council fully informed in matters relating to
operations and personnel planning so that the council can participate in drafting company policy.9
!he purpose of this is to allow the works council to cooperate with management to avoidpotential disputes and raise relevant concerns or other suggestions. !he works council
resolutions re(uire a (uorum of fifty percent and resolutions are adopted by simple maority
unless otherwise re(uired by law.#*orks councils and management may, formally or informally,
enter into valid and binding agreements#)formal agreements are immediately binding onemployer and employees and informal agreements generally re(uire additional steps, such as the
amendment of an employee contract. !he works council may only enter into works bargaining
agreements in those areas of business operation where the *orks Constitution 0ct confers rights
of participation on it. Collective bargaining agreements between employer associations and tradeunions have absolute priority over works bargaining agreements, even if the latter are more
favorable to the work force.""
/n the event that disputes between works councils and management cannot be resolved amicably,
the parties may be assisted by the conciliation board, a body with arbitration and mediationduties."0ssuming that both parties agree to be bound by its decision beforehand, the
conciliation boards ruling is final and binding and is appealable only on the grounds that the
board has violated general principles of law."6
III. *erman Data +rotection
*hen works councils assert their right to approve or disapprove employee data collectionmethodologies, they are in part invoking their rights pursuant to European %nion law, German
federal law, and the data protection laws of their home states. !he E% &ata 'rotection &irective
authorises the processing of employee data as long as it is necessary to protect the legitimateinterest of another party and as long as the employees interests and fundamental freedoms are
not overridden.#,Each member state has enacted legislation that effectuates the general tenets of
the E% &irective.;n
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
3/10
violations of the law and sets out penalties for such infractions. =or eample, under the 0ct, the
collection of employee data in administrative violations is permissible only if the processing is
necessary."# ;n the other hand, in criminal violations, data collection may occur if 2"5 there is adocumented reason to believe the employee has committed a crime, 25 the data processing is
necessary to investigate the crime, and 265 the employee does not have an overriding legitimate
interest in ruling out the possibility of data collection.
/t also allows for collection of employeedata under certain circumstances and calls for a balance between the legitimate business
purposes of the company and the legitimate privacy interests of affected employees.#/n some
situations, employee notification and even consent are re(uired for collection of personal data." "1
!he =ederal &ata 'rotection 0ct regulates compliance with the law through company self-
monitoring and eternal government oversight. =or eample, the 0ct re(uires the election of a
=ederal Commissioner for &ata 'rotection and =reedom of /nformation as well as a data
protection official to ensure compliance. /t also differentiates between criminal andadministrative violations of the law as well penalties for such infractions.
&ata protection is also regulated on the state level. !he siteen states of Germany states allall
maintain data protection laws that mirror the =ederal &ata 'rotection 0ct.
"9 6
Each statelegislative body appoints its own >tate Commissioner for &ata 'rotection. !he >tate
Commissioner operates independently and is supervised by the 'resident of the statelegislature."#7 !he >tate Commissioner also oversees private organisations within its urisdiction
to ensure compliance with the state data protection law. $ ?ike the =ederal 0ct, the state data
protection laws provide for notification and the obtaining of consent before processing ofpersonal data can take place.
Compliance with the German data protection regime is achieved through self-monitoring within
the company and eternal oversight by federal and state officials. =ederal and state dataprotection commissioners are responsible for ensuring that companies comply with the law and
are empowered to investigate violations. !hese commissioners may also perform audits to ensure
that a companys organisational and technological safeguards sufficiently comply with theapplicable data protection law.8"
Companies are also re(uired to self-regulate to ensure their own internal compliance eachcompany is re(uired to appoint a &ata 'rotection ;fficer to monitor its practices. !he &ata
'rotection ;fficer reports directly to corporate management and is responsible for ensuring
compliance with applicable data protection laws and representing the company to the eternal
government agencies that enforce the 3&>G at the state and federal levels. 1!he &ata'rotection ;fficer is also tasked with ensuring that deficiencies in a companys data protection
regime are rectified. Employees whose data is targeted may approach the data protection officer
any time they have concerns.96
I'. ecuring Works Council Approval to Collect Employee Data
*orks councils are different in every company, and each company has an individual relationship
with their works councils that will affect their presentation on this topic.
*e offer the following suggestions for successful works council applications:
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
4/10
) *et on t"e orks council agenda as early as possible. %sually this is handled through the
companys @A department, which generally interfaces with the works council. /n the case of theauto maker, it took months ust to get onto the agenda for a monthly meeting.
) Make your presentation in *erman. !his may sound obvious, but its worth noting that even
though the managers who run your data collection operations are English speakers, they shouldemploy a German-speaking manager to make the presentation and field (uestions 2the
presentation materials used should be in German as well5. /f there is an non-German speaking
manager with significant collection responsibility, they should also attend, both out of respectand to be available for tough (uestions.
) Emp"asise t"at EnCase Enterprise can enable you to avoid collecting employee personal E-mail or documents. *ith EnCase Enterprise, your collections will cull through the data and
preserve only those E-mails and electronic documents that meet precise search criteria, includingkeywords and file types. ;ther documents that do not meet the search criteria B including private
personal data B will be left behind.
) Assure t"at collections ill be done /in-country0. >ome works councils are reassured when
told that all collections will be done from within Germany, rather than operated from a locationin another European member state or else outside Europe. EnCase Enterprise technology allows
for an eaminerD 2a laptop or workstation from which the EnCase search is operated5 to beplaced inside Germany, even if that is not its usual location.
) Discuss "o EnCase Enterprise can be con%igured to prevent employee data %rom beingtrans%erred outside Europe. E% data protection laws permit transfers to other Europeanurisdictions, but prevent most transfers outside Europe. EnCase Enterprise can be configured to
prevent searches of European employee data from outside of Europe, and prevents the transfer of
data collected to locations outside Europe.
) Emp"asise t"at existing investigative policies already approved by t"e orks council ill
remain in place. =or eample, @A policies relating to the investigation of potential employee
wrongdoing had long ago been approved by the works council and will not be affected by the use
of EnCase Enterprise technology. !hat data would go directly to the companys @A team andwould be handled the same as before.
) +ermit employees to create a /personal %older.0 /f employees create a folder in their computer
file structure with an agreed-upon folder name in which they can place all of their personal data,EnCase Enterprises search criteria can be configured to leave that folder untouched, so that none
of that data will be collected.
) Ability to restrict searc"es by %ile type. Employees can be sensitive about certain types of files
that may not be of interest to the company B personal photographs, for instance. *ith EnCaseEnterprise, these file types can be ecluded.
) Companies s"ould ensure t"at contracts %ul%ill re1uirements o% t"e la. Companies should
review all contracts to ensure that they comply with the minimum re(uirements set out in thelaw. !hese re(uirements include, but are not limited to, scope and purposes of the data
processing, security measures, data processor obligations, subcontracting rights, audit rights,
return of storage media and disposal.D#
'. Conclusion
Companies seeking approval from works councils, particularly companies based outside of
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
5/10
Germany, must approach their works councils with sensitivity toward the interest in the
protection of the employees personal data. !his sensitivity is often not enough to obtain the
works councils blessing for a collection methodology the concerns are that the collectionmethodology may epose personal employee information and the employee data may be
accessed from outside Germany. !o gain approval, the collection methodology itself must reflect
proactive strategies B including procedures and technology B to guarantee that employees neednot be concerned that their private e-mail and electronic documents will be collected along with
those the company re(uires for legal purposes.
A++E2DI3 I& 4ey +layers
5ederal Data +rotection Commissioner&
&ata 'rotection Commissioner who is elected by the German 'arliament for a term of si yearsand is independent in the eercise of his duties and subect only to the law. %pon discovering
violations of the German =ederal &ata 'rotection 0ct, the &ata 'rotection Commissioner may
obect and demand correction of the violation. !he Commissioner is supported in his duties by
the &ata 'rotection Commission, a group of ten members of 'arliament that provide an advisorypanel to the Commissioner.
tate Data +rotection Commissioners&
uch like the =ederal &ata 'rotection Commissioner, each states 'arliament elects a &ata
'rotection Commissioner to monitor compliance with that states &ata 'rotection 0ct.
Company Data +rotection O%%icer&
Companies appoint &ata 'rotection ;fficers within their organisations. !hese officers are
responsible for 2"5 controlling data by preventing unauthorised persons from accessing orentering personal data 25 assuring that those who have access to the data processing system are
only accessing the data they have authority to access 265 assuring that at no point can data be
collected, modified or removed without authorisation 275 that the modification of data can bedocumented 2$5 assuring that whenever data is disclosed it is documented 285 assuring that the
processing agent is only collecting data in accordance with a businesss instructions and that such
data is protected from destruction.
Works Councils&
*orks councils are re(uired for companies that normally employee five or more eligible
employees. 0 works council is a form of workplace democracy whereby representatives electedby employees are given management functions. *orks councils have the right to co-
determination in matters affecting organisational structure, personnel decisions, and policies
regulating workplace and individual conduct within the company. !his means that any proposedpolicy must first be approved by the works council in order to be implemented by the company.
A++E2DI3 II& 6se%ul 7inks
E6 Directive 8Englis" version9&
http:FFeurle.europa.euF?e%ri>ervF?e%ri>erv.do+uriCE?EH:6"##$?78:EI:@!?
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTMLhttp://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML -
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
6/10
*erman 5ederal Data +rotection Act 8in Englis"9&
http:FFwww.bfdi.bund.deFEIF&ata'rotection0ctsF0rtikelF3&>GJid=v"##.pdf+
JJblobpublication=ilehttp:FFwww.bfdi.bund.deFclnJ1FnnJ#7876FEIF&ata'rotection0ctsF0rtikelF3undesdatenschut4
gese t4-
=ederal&ata'rotection0ct,template/draw,propertypublication=ile.pdfF3undesdatenschut4geset4- =ederal&ata'rotection0ct.pdf.
Works Constitution Act 8in Englis"9&
http:FFhikwww".f4k.deFbrFcontentFworksConstitution0ct-3etrKG.pdf
7inks to elected *erman tates: Data +rotection 7as 8unless ot"erise noted; all
documents in *erman9&
esse&
http:FFwww.datenschut4.hessen.deFhdsg##.htm
Mecklenburg-'orpommern&
http:FFwww.lfd.m-v.deFdschut4FgesJverFguvFguvJcJ.html
7oer axony&
http:FFcdl.niedersachsen.deFblobFimagesFC876799J?.pdf
http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://www.zv.uni-wuerzburg.de/datenschutz/Gesetze/bayer_datenschutzgesetz.htmhttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFilehttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://translate.google.com/translate?hl=en&sl=de&u=http://www.baden-wuerttemberg.datenschutz.de/&prev=/search%3Fq%3Dbaden%2Bw%25C3%25BCrttemberg%2Bdatenschutzbeauftragter%26hl%3Den%26client%3Dsafari%26tbo%3Dd%26rls%3Den&sa=X&ei=hJ0QUdagEZPO8wTovoD4BQ&ved=0CDkQ7gEwAAhttp://www.zv.uni-wuerzburg.de/datenschutz/Gesetze/bayer_datenschutzgesetz.htm -
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
7/10
2ort" ("ine-Westp"alia& https:FFwww.ldi.nrw.deF
("ineland-+alatinate&
http:FFwww.datenschut4.rlp.deFrgrundlagenFa"J$.html
aarland&
http:FFwww.lfdi.saarland.deFhtmlFlfd-internetFdatenschut4rechtFsdsgJ1.pdf
axony&
http:FFwww.sachsen.deFdeFbfFstaatsregierungFministerienFsmiFsmiFuploadF>achs&>G6.pdf
c"lesig->olstein 8in Englis"9&
https:FFwww.datenschut44entrum.deFmaterialFrechtFldsg-eng.htm
!"uringia&
http:FFwww.thueringen.deFdatenschut4Fgeset4eJrechtsvorschriftenFthueringenFdatenschut4geset4F
2O!E">ee *orks Constitution 0ct 23etriebsverfassungsgeset4 5 Q", available at
http:FFwww.bmwi.deFEnglishFAedaktionF'dfFJJ0rchivFlabour-lawFworks-constitution-
act",propertypdf,bereichbmwi,sprachede,rwbtrue.pdf*orks Constitution 0ct Q"725.6 *orks Constitution 0ct Q"72$5.7 *orks Constitution 0ct Q"72"5.$ *orks Constitution 0ct Q".8 *orks Constitution 0ct Q"$25.1 /ngebRrg &arsow,Implemenation of Ethics Codes in Germany: The Wal-Mart Case,
%niversitat 'ompeu =abra, 2arch $5 available athttp:FFwww.upf.eduFiuslaborF6$Fart"".htm9*orks Constitution 0ct Q9, 9", 9$, 9#.#*orks Constitution 0ct Q66." *orks Constitution 0ct Q11."" *orks Constitution 0ct Q112$5." *orks Constitution 0ct Q18."6 *orks Constitution 0ct Q#8."7 &irective #$F78FEC of the European 'arliament and of the Council of ;ctober 7, "##$,
>ection //, art. 1, ;fficial
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
8/10
"8 =ederal &ata 'rotection 0ct 23undesdatenschut4geset4,5 Q", available at
http:FFwww.bfdi.bund.deFEIF&ata'rotection0ctsF0rtikelF3&>GJid=v"##.pdf+
JJblobpublication=ile"1 =ederal &ata 'rotection 0ct Q8."9 =ederal &ata 'rotection 0ct Q"2"5.
"# =ederal &ata 'rotection 0ct Q6 =ederal &ata 'rotection 0ct Q6
" =ederal &ata 'rotection 0ct Q7. 0lthough the =ederal &ata 'rotection 0ct specifies several
times that notification of the data subect is re(uired, >ection 66 of the =ederal 0ct provides
eceptions to the re(uirement of notification and consent, including:- if a data subect has otherwise received notification such that it is unnecessary to inform
the subect a second time
- if the data recording or transfer is epressly laid down by law- if there is an overriding interest that re(uires the storage of the data in secrecy due to a
legal interest of a third party=ederal &ata 'rotection 0ct Q6625. =ederal &ata 'rotection 0ct Q72f5, Q6 >ee >idebar titled %seful ?inksD for links to various state data protection laws.7 See, e.., 3avarian Constitution, 0rt. 662a5, available athttp:FFwww.bayern.landtag.deFenFbayerJverfassungJersterJhauptteil.htmlU7 >aony- 0nhalt
&ata 'rotection 0ct, Q, available at http:FFwww.sachsen-
anhalt.deF?'>0FfileadminFElementbibliothekF3ibliothekJ'olitikJundJKerwaltungF3ibli
othekJ?=&F'&=FbinaryFKorschriftenF?andFdsg-lsaFEnglishFpar"#JutJtoJ7.pdf,see also
>aony-0nhalt &ata 'rotection 0ct, Q.$ >aony-0nhalt &ata 'rotection 0ct, Q.
8 =ederal &ata 'rotection 0ct Q69.1 =ederal &ata 'rotection 0ct Q72f5.9 =ederal &ata 'rotection 0ct Q72f52$5.# @unton L *illiams, Germany 0dopts >tricter &ata 'rotection ?aw B >erious /mpact on3usiness Compliance, 2
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
9/10
"*orks Constitution 0ct Q11.
""*orks Constitution 0ct Q112$5.
"*orks Constitution 0ct Q18.
"6
*orks Constitution 0ct Q#8."7&irective #$F78FEC of the European 'arliament and of the Council of ;ctober 7, "##$,
>ection //, art. 1, ;fficial ee >idebar titled %seful ?inksD for links to various state data protection laws.
"#>ee, e.g., 3avarian Constitution, 0rt. 662a5, available at
http:FFwww.bayern.landtag.deFenFbayerJverfassungJersterJhauptteil.htmlU7 >aony- 0nhalt&ata 'rotection 0ct, Q, available at http:FFwww.sachsen-
anhalt.deF?'>0FfileadminFElementbibliothekF3ibliothekJ'olitikJundJKerwaltungF3ibli
othekJ?=&F'&=FbinaryFKorschriftenF?andFdsg-lsaFEnglishFpar"#JutJtoJ7.pdf"#
>aony-0nhalt &ata 'rotection 0ct, Q.
>aony-0nhalt &ata 'rotection 0ct, Q."=ederal &ata 'rotection 0ct Q69.
=ederal &ata 'rotection 0ct Q72f5.
6=ederal &ata 'rotection 0ct Q72f52$5.
A
-
7/23/2019 Obtaining Works Council Approval to Collect Employee Email and Electronic Documents, Feb. 12, 2013, DS
10/10
'atrick oftware, /nc., previously practiced in
the commercial litigation department of ?inklaters, where he served on the firms e&iscovery
*orking Group. 'atrick gratefully acknowledges the valuable contributions by his ?egal /ntern&onna >alcedo. /nterns ?awrence Estrada and Vrystal oftware, visit www.guidancesoftware.com
!his paper is provided as an informational resource only. !he information contained in thisdocument should not be considered or relied upon legal counsel or advice.