Germany Issues Privacy Guidelines for Employer Access to Employee Email and Internet Use


Can employers look at the company email accounts of employees, such as when they do not show up to work? Can employers monitor employee Internet use during working hours? Can employers read employee emails if they use the company email account for personal purposes?

Companies face these and many more questions about employer-provided email accounts and Internet access every day. To give employers guidance on this, the German Data Protection Authorities ("DPAs") published "privacy guidelines" about using email and the Internet at the workplace. These guidelines provide essential information, practical tips and helpful advice on this topic.

According the guidelines, companies have to look into two different scenarios: use of Internet and email for business purposes, and use for personal purposes.

  1. Use of the Internet and Email for Business Purposes only

In general, if the employer provides the employee with hardware and software, the Internet and email services may only be used for business purposes. A personal use of the Internet and email is only allowed, if and to the extent the employer grants the employee the rights to do so.

According to the guidelines, if the use of the Internet and email services is only permitted for business purposes, the employer can check the Internet use of the employees randomly, to make sure that they use it for business purposes only. However, it is recommended to block websites that are primarily accessed for personal use (establishing a blacklist) to avoid any conflict with data protection laws that may arise when analysing individual surfing habits of employees.

The employer may access sent and received emails of the employees during a longer period of absence, if it is necessary for business purposes.

  1. Use of the Internet and Emails for Business and Personal Purposes

Companies should be very careful with permitting personal use of their Internet and email-systems. The main reason for this is that DPAs still take the view that companies would then legally qualify as a telecommunication service provider within the meaning of the German Telecommunications Act ("TKG"). This would mean that the telecommunications secrecy principle must be observed and that the strict provisions of the TKG apply. Companies could then be barred from accessing Internet content and emails contained in their employees' inboxes, even if the company suspects that such activities/emails could reveal illegal activities of employees that may be harmful to the company.

The guidelines therefore recommend that employers only allow personal use of the Internet instead of the personal use of the company's email-system. By allowing the personal use of the Internet, the employees can access their personal email accounts instead of using the company's account and the aforementioned issues can be avoided.

According to the guidelines, surfing the Internet for personal purposes can also be limited (time and content wise). The employers should specify the limitations in written policies and also get the consent of the employees regarding the nature and the scope of monitoring activities regarding this matter.

  1. Additional Recommendations of the DPAs about use of the Internet and Emails at the Workplace

  • Employers should provide clear directions on the use of the Internet and email at the workplace by establishing written policies that specify the employer's right to access, use limitations, monitoring, recording and analysis, and any other expectations regarding emails and Internet use. For example, the employees should be informed about monitoring activities and potential consequences.
  • If the employer wants to allow the personal use of company email accounts, the following needs to be considered: Emails with recognizable personal content may only be read based on clear consent of the employee; in addition, it is necessary to separate personal from business related emails.
  • If an employee leaves the company, the email address of this employee should be deactivated as soon as possible.

In our previous blog post, which you can find here, we talked about a recent judgement of the Berlin-Brandenburg Regional Labor Court allowing the employer to check the employee's browsing history without the employee's consent. This judgment matches the points in the guidelines. The guidelines recommend informing the employees about monitoring activities, but at the same time state that the employer has the right to check the Internet use of the employees randomly, to make sure that they use it for allowed purposes only.

In the case of the judgement, the employer checked the browsing history of the employee's work computer without the employee's consent, after evidence emerged of a significant personal use of the Internet. According to the Court, the Federal Data Protection Act permits the storage and analysis of historical browsing data of an Internet browser for the purpose of monitoring abusive usage. Furthermore, the Court states that the employer had no other way of proving the extent of the extensive use of the Internet. The Court allowed an appeal on points of law to the Federal Labor Court and in that appeal the Federal Court might clarify the existing inconsistency between judgments about this topic. For a detailed analysis of this judgement, have a look at the blog entry from the German Employment Team here.

To sum it up: Employers are free to choose whether they allow personal use of the Internet and email. However, it is recommended that employers do not permit employees to use the company's email-system for personal use, but instead consider allowing some kind of personal Internet use. Regardless of the kind of use that employers want to allow, employers should establish clear written policies on the use of the Internet and email at the workplace.