Technology at the Workplace – A European Overview of Employment Law Issues in a Modern Working Environment

Europe
We can no longer imagine our professional life without modern information and communication technology. As a rule, employers provide their employees with technical aids, such as smartphones or notebooks. These communication tools are commonly also used for social media in a business context and are often not switched off by the employees even in their leisure time, thus after they have worked their daily hours. E-mails or calls are received even in the evenings or on weekends and when the employees are on leave. It is true that mobile devices promote flexible work, but they also involve the risk that employees are "always online" and violate working time regulations. Employers use modern surveillance tools in order to monitor their employees. In this article, we will look at some key issues relating to technology at the workplace in various European jurisdictions.

1. Social Media
(Isabel Meyer-Michaelis, CMS Germany, and Loic Delhaye, CMS Belgium)

In Europe, 80 per cent of all Internet users are registered in social networks, and 70 per cent of all Internet users actively use social networks. This development also has a growing impact on the world of employment. During the employment, the employees' rights and obligations relating to the use of social media depend on the purpose of such use and the question of whether private or business network accounts are affected:

Business use of business network accounts

Employers often make use of social networks such as Facebook or LinkedIn, especially for marketing or recruitment purposes. In this regard, employees have to follow the instructions given by their employers concerning, for example, communications with customers or the presentation of the company within the relevant social network.

Private use of private network accounts

As off-duty activities are not subject to the employer's right to control the employees' behaviour, employers may not dictate or regulate their employees' private use of social networks during leisure time. Nevertheless, employees are obligated to respect their employer's legitimate interests when using social networks for private purposes. Therefore, any trade and business secrets have to be kept confidential, and any defamation of the employer, supervisors or colleagues is forbidden. Employees must also not spread any false information or make any damaging assertions about their employers. Any breach of these duties – which are often subject to social media guidelines – can justify the termination of the employment relationship.

The question may arise, however, as to whether the damaging assertions about their employers made by employees on their private network accounts can be considered "public" and may therefore be used as evidence in order to justify the termination of the employment relationship. The answer to this question will depend mainly on the confidentiality settings of the social network account (i.e., was the account accessible to all, or was the view restricted to a private circle?) and on whether employees intended to give their assertions a public character.

It is recommended, for the mutual benefit of employers and employees, to establish social media guidelines covering the use of social media by employees.

Employer's Facebook presence subject to works council's codetermination

In December 2016, a decision rendered by the Federal Employment Court attrackted attention in Germany: If the employer enables Facebook users to publish on its Facebook page so-called visitor posts that in their content refer to the conduct or performance of individual employees, the settings for this function are subject to the works council's codetermination right.

2. E-Mail Monitoring
(Maité Ollivier and Raphael Bordier, CMS France)

In most European countries, limitations apply regarding monitoring of employee e-mail and Internet traffic. The situation in France, for example, is very strict:

Employers in France are held to both a duty of faithful execution of employment contracts and to a separate duty to respect the privacy of their employees. The right of an employer to "monitor" the workforce is limited by mandatory compliance with the principle of individual freedom.

French statutory law and case law establish a certain number of principles in this respect:
  • If an employer wishes to implement a system for recording employees' telephone conversations or the telephone numbers called by employees, or for tracking each employee's computer use, the employer is required to declare such system to the public authorities (to the CNIL, that is, the French National Commission for Freedom regarding Information Technologies).
  • If it is planned to implement a system for recording employees' telephone conversations or the telephone numbers called by employees, or for tracking each employee's computer use, the work council has to be consulted on this project before its implementation and the potential use of this system in order to justify a disciplinary procedure.
  • Informing employees:
    • French law requires that the employees of the company be informed of the implementation of a "system for processing data containing names" and the properties of such a system.
    • Furthermore, French courts have held that information obtained from a computer system that was not brought to the attention of the employees is deemed to be unlawful proof, which may not be used against the employee.
  • May an employer have access to an employee's private e-mail messages? According to recent case law, an employer may not have access to private e-mail messages sent and received by an employee on a computer made available to him/her for professional purposes.
How may the employer then manage e-mail monitoring?

As a matter of principle; the employer may access professional correspondence without the employee being present. However, if the correspondence is marked as private, the employer must require the employee to be present before opening said files. If the employee refuses to be present, the employer may access the correspondence, although the employer bears the burden of proof with regard to the circumstance that the employee's presence had been duly requested and that he had refused.

At every stage of the procedure, the employer must be able to justify its project on legitimate grounds and must be ever careful with respect to the distinction between private correspondence and professional correspondence.

The identification of personal or private correspondence or data can be done in two ways: either by distinctively marking them as such or by storing them in a file labelled as such.

The distinction between professional correspondence and private correspondence must be appreciated with regard to the actual content of the e-mail. In other words, if some correspondence is deemed to be professional at first sight (i.e. it is not marked as private and is stored in a professional file), the employer may not produce the e-mail in court if its content is private.

Indeed, the main principle is the following: the employer may monitor the professional communication and files stored on the company computer, provided that the information is not private.

3. Video and Telephone Surveillance
(Tim Wilms and Guus Lemmen, CMS Netherlands)

Surveillance by videotaping movement and recording telephone conversations seems to be the ideal way to maintain total control of business. Employees often do not mind if retail stores use video surveillance to guard against theft from outsiders. But what if the employees themselves are being monitored. Is this lawful? And can any information obtained by such surveillance be used in a dismissal case? In this article, we will provide a first impression of the legal framework.

The use of video and/or telephone surveillance is considered a violation of Article 8 of the European Convention on Human Rights ('ECHR'). It can, however, be deemed a justifiable violation. Surveillance is allowed under certain conditions:
  1. There must be a legitimate purpose for the surveillance.
  2. The surveillance must be suitable to achieve this purpose.
  3. The surveillance must be necessary to achieve the purpose. If there is a less intrusive way to achieve the purpose, surveillance is not considered necessary.
  4. The surveillance must be reasonable. An employer should consider the competing interests of the employee or other parties involved.
These criteria determine whether (video) surveillance is allowed or not. Regarding the difference between the use of hidden or visible cameras, the criteria do not differ. However, the use of hidden video surveillance is considered a more severe violation of Article 8 and therefore requires a more substantial justification.

In the Netherlands, for example, the Personal Data Protection Act, inter alia, provides for a concrete list of circumstances under which data processing (i.e. processing video footage and/or telephone recordings of employees) can be allowed. Data processing is allowed, for example, if the data subject has unambiguously given his consent or if processing is necessary to uphold the legitimate interests of the responsible party, provided that the interests of the data subject do not prevail. Therefore, employers intending to use video surveillance and/or to record telephone conversations of employees are obligated to comply with this code. In addition, a company that has a works council requires the consent of the works council before rules on video surveillance and/or telephone recording may be implemented.

Legal consequences in court proceedings

If the criteria mentioned above are met, any evidence obtained is considered lawful and therefore does not entail an exclusion in court proceedings. But what if these criteria are not met, for example, in the event of evidence collected unlawfully by the employer via (hidden) cameras or telephone recordings? Dutch case law indicates that in that case ascertaining the truth is, in principle, considered more important than the prevention of a violation of Article 8 of the ECHR and/or the Personal Data Protection Act. Therefore, it is also often unlikely that evidence will be excluded in such a case. One should thus bear in mind that evidence collected unlawfully by the employer by way of video and/or telephone surveillance can, in principle, be used in court and in a – for the employee – worst-case scenario result in termination of the employment agreement. Dutch case law demonstrates that there are numerous examples where this worst-case scenario actually applied.

4. Confidentiality and Protection of Business Secrets
(Patricia Jares, CMS Germany)

The increased use of technology at the workplace has created new concerns for both employers and employees in the area of data privacy. While this technology can be lauded for the ways in which it has helped business, it also raises concerns that previously did not exist.

While in many jurisdictions non-disclosure and confidentiality agreements have to be concluded between employers and employees in order to protect business secrets, according to German law, every employee has a contractual obligation of confidentiality during the term of the employment relationship. Accordingly, the employee is obligated to take the interests of the employer into account and, even without explicit agreement, to maintain secrecy about internal company issues. This includes all matters that the employee becomes aware of in connection with his position and, in particular, where the employer has a legitimate interest in the matters being kept secret. These can be business secrets regarding the technical area, technical know-how, the sales area, the supplier area, accounts and HR, as well as computer programs, etc. Since, concerning the protection of business secrets, it is generally irrelevant in what way and via what medium the protectable facts are passed on to third parties, the obligation of confidentiality also applies to the transmission of information via electronic communication systems.

Legal consequences of violation

In the case of violation of the obligation of confidentiality, the employer has a right to apply for a prohibitory injunction. Furthermore, violations of secrecy can also justify a dismissal. For example, according to case law, unauthorised copying of data from the employer's database onto private data storage devices can constitute good cause for dismissal without notice. In addition, damage claims and consequences under criminal law come into consideration.

Post-contractual non-disclosure obligation

In general, there is also an obligation in the post-contractual period for the former employee not to disclose business secrets. However, such protection is comparatively weak. A comprehensive non-disclosure obligation requires a specific post-contractual confidentiality agreement. Depending on the scope of the post-contractual confidentiality agreement, compensation is required for the duration of the prohibition if the employee is impeded in advancing in his professional life. Otherwise, such confidentiality agreements would not be enforceable.

Contractual penalty

Generally, the (post-)contractual non-disclosure obligation can also be "secured" by a contractual penalty agreement. However, the requirements for an effective contractual penalty agreement are strict; in particular, they are not allowed to unreasonably disadvantage the (former) employee. As a "rule of thumb", court rulings deem contractual penalties in the amount of a month's salary to be appropriate.

Uniform protection on European law

In a directive on the protection of undisclosed know-how and business information their unlawful acquisition, use and disclosure (EU 2016/943 of 8 June 2016), the European Commission has provided for uniform protection throughout the European Union which leads to more strict requirements on the protection of business secrets. The main legal innovation is that anyone who wants to claim a violation of protective rights must be able to demonstrate and prove that all reasonable measures were taken to protect business secrets. As a consequence, it will be necessary to define very precisely what exactly is meant by business secrets. The member states are obligated to pass the necessary laws to comply with the directive by 9 June 2018. As of today the directive has not yet been implemented into German national law.

5. Employee's representation issues
(Oliver Ramcke and Amelie Schäfer, CMS Germany; Guillemette Peyre, CMS France, and Tomasz Sancewicz, CMS Poland)

IT technology is intrusive so staff privacy needs some protection. One safety net is to involve employee representatives in the process of setting up various IT systems, e.g. those used for monitoring staff. Many EU countries require that an employer discusses tech issues with employee representatives before the technology is up and running. When it comes to co-determination rights two legal approaches emerge across the EU.

In some countries, employee representatives have real decisive powers, e.g. they must agree to the use of modern IT technology. Otherwise it is illegal from the outset. In other jurisdictions, employee representatives have less power. They must be consulted about the tech issues but they cannot block it.

The first group of countries includes the Netherlands, France and e.g. Germany. In Germany, the works council has vast co-determination rights when it comes to technology matters at the workplace. If a given technology can potentially be used to supervise or monitor employees, the works council has a say in the matter. This, in particular, relates to all technical equipment such as storage software or any IT mechanism collecting or recording individual-related data.

Thus, the employer has to conclude a works agreement with the works council before e.g. launching a monitoring software. The agreement must fix, in particular, the legitimate purposes of the data collected through the software. If the parties fail to reach an agreement, the employer needs to settle the matter by involving a conciliation board. As long as the issue is still pending, the works council may block the use of the technology by a court's decision granting an injunctive relief in favour of the works council.

In France, the employee representatives are also involved in the project of implementing new technologies (e.g. acquisition of new information technology equipment…), although the employer makes the final decision. The Health and Safety Committee is informed and consulted on the consequences the project has on the employee’s health and safety. The Works Council is informed and consulted on any important project introducing new technologies that could have consequences on employment, qualification, compensation or working conditions.

In the case of important and rapid technological change, the employer must implement an "adaptation plan" on which the Works Council and the Health and Safety Committee must also be consulted.
The employee representatives also have the possibility, under certain conditions set by the French Labour Code, to appoint a technical expert to help them give an opinion on the project.

On the other end of the co-determination spectrum is e.g. Poland. In this country, trade unions or a works council (if it exists) must be consulted on various matters, including IT monitoring issues. But they cannot legally block the use of a given technology or a system. When the negotiations / consultations fail to produce an agreement, the employer can implement the monitoring systems unilaterally. Typically, the employer enacts a separate IT / monitoring policy or supplements already existing internal by-laws. In this respect, the employer must explain to the staff what technology is used and why.

In France, the employee representatives are also involved in the project of implementing new technologies (e.g. acquisition of new information technology equipment…), although the employer makes the final decision. The Health and Safety Committee is informed and consulted on the consequences the project has on the employee’s health and safety. The Works Council is informed and consulted on any important project introducing new technologies that could have consequences on employment, qualification, compensation or working conditions.

In the case of important and rapid technological change, the employer must implement an "adaptation plan" on which the Works Council and the Health and Safety Committee must also be consulted.

The employee representatives also have the possibility, under certain conditions set by the French Labour Code, to appoint a technical expert to help them give an opinion on the project.

6. Private Use of company devices (Internet, e-mail, smart and mobile phones) and BYOD
(Maximilian Koschker and Martin Triemel, CMS Germany)

Information technology (IT) and electronic data processing (EDP) systems are now an essential part of daily work. In the interest of their work, employees spend many hours in front of PC and laptop screens, and phone clients or customers via smartphone when they are on the road. Employees often wish to use work communication appliances for private purposes – sending a quick e-mail or Facebook message to friends, reading the most recent sport results or making a quick call to a family member. Companies often know that the devices provided are also used by staff for private purposes from time to time – even if they do not like this, they tolerate private use in order not to jeopardise employee satisfaction. Clear work instructions as to whether and to what extent private use is permitted tend to be the exception rather than the rule. This then leads to a complicated situation in which neither management nor staff know exactly what is permitted and what not.

From the company's point of view, this is what constitutes the greatest risk. For example, whether employees are legally entitled to use these communication devices for private use if the employer tolerates such use for a long period of time without objecting ("common practice") is disputed in Germany. Once a legal entitlement has arisen, it cannot be removed unilaterally by the employer. Therefore, the employer's aim must be to exclude such claims from the outset. This will succeed only if there is an express written provision (contractual agreement, unilateral employer guideline, works agreement).

However, as far as the employer is concerned, this leads to further risks associated with the private use of work devices. The prevailing view in Germany, although greatly disputed, is that the employer becomes the provider of telecommunications services (comparable to telecommunications companies) as soon as it provides its communication devices for its employees' private use. The employer is then bound to telecommunication secrecy, which considerably restricts the company's ability to control the employees' online conduct and the way they use the devices.

Therefore, there is a need for employers to act, because unregulated and uncontrolled private use must definitely be avoided. At the same time, employers must carefully consider whether they wish to permit private use of the work IT systems at all. The reason is that this is associated with a whole gamut of subsequent issues and problems for the employer that are greater than the advantages of private use.

Bring your own device (BYOD)

"Bring your own device" describes the possibility for employees to use their private and personally owned mobile devices (like smartphones, tablets and laptops) also for business purposes by being granted access to the IT infrastructure (like e-mail systems and company servers/the intranet) of their employer using these devices. Relevant studies point out that BYOD leads to more productivity, efficiency and satisfaction of the employees. They can use only one – and especially their well-known private – device for private and business communication instead of, for example, having to use two smartphones, one for business purposes and another for private use.

From a legal perspective, if the employer allows BYOD, it has to ensure that it complies, in particular, with statutory data protection provisions. Because the employee has access to personal data of other employees of the company (i.e. e-mail addresses, telephone numbers and other personal information) when using his device, the provisions of the German Federal Data Protection Act (BDSG) are applicable. However, the German Telecommunication Act (TKG) and the German Telemedia Act (TMG) are not applicable, because the employer does not offer technical transport services for business data, it only offers access to its business data. According to the BDSG, the employer has to ensure technical and organizational measures such as controlling the access to and transfer of data. From a technical point of view, it is advisable for employers to use so-called container apps. These programs allow a separation of private and business content, since two separate data areas ("containers") are created on the mobile device. Focussing on the business container, the employer can ensure that it fulfils all statutory data control and protection obligations. In order to be able to fulfil these obligations, since the device is in the sole ownership of the employee, the contractual agreement regarding BYOD between the employer and the employee should contain, for example, access rights for the employer regarding the device.

If the employer wants to introduce BYOD, it also has to respect the co-determination rights of an existing works council, since BYOD is a technical device in terms of § 87 (1) No. 6 of the Works Constitution Act (BetrVG). If there is a competent works council in the company, a works agreement containing all relevant details is typically the best method to implement BYOD.

The practical use of BYOD leads to additional legal problems. One of these is the issue of working time, regulated under the Working Hours Act (ArbzG). The use of a private device also for business reasons can de facto lead to a permanent availability of the employee, because the employee will typically always keep his private mobile device switched on and also use it for business communication beyond the normal working hours. The employer has to ensure that the employee does not, for example, work more than the statutory maximum working hours per day and, in particular, does not regularly use his private device for business reasons beyond these limits.

As described, BYOD has several advantages for both employer and employee. But the complex legal framework based on regulations, for example, under the BDSG, the BetrVG and the ArbzG, has to be respected.

7. Working Time Issues
(Isabel Meyer-Michaelis, CMS Germany)

Generally speaking, home and remote working does not take place on a 9 to 5 (= eight hours) daily working time basis. In most cases, people work whenever it is necessary from a business perspective and/or convenient from their perspective. In these cases, conflicts with EU working time law are hardly avoidable.

At EU level, the Working Time Directive (2003/88/EC) requires EU countries to guarantee minimum standards to protect workers' health and safety. The weekly working hours are limited to 48 hours on average (including any overtime). In addition to a minimum daily rest period of eleven hours, a minimum weekly rest period of 24 uninterrupted hours is required for each seven-day period. This directive has been widely implemented throughout the EU Member States.

In Germany, for example, a statutory eight-hour day is applicable based on the Working Hours Act (Arbeitszeitgesetz) (this does not include breaks). The daily working hours may be extended to up to ten hours if an average of eight hours per workday is not exceeded within six calendar months or within twenty-four weeks. On the basis of six working days a week (Mondays to Saturdays), the maximum (temporarily) permissible number of weekly working hours is sixty (6 x 10) hours in general, whereas the average number of working hours over a longer period may be a maximum of forty-eight (6 x 8) hours per week.

According to the Working Time Directive, employees must be given eleven hours of uninterrupted rest. With respect to areas of employment or types of work associated with special health hazards, both the daily working time and the duration of this rest period may be extended and/or shortened if this is balanced accordingly. However, the employer may agree to such extension or shortening in a collective bargaining agreement or in a works agreement by permit of the local authority. Periods during which the employee may do anything he wants and must be available in order to start work immediately or soon after he has been called may be counted as rest periods. If the rest period of eleven hours is interrupted, a new period must be granted in full after the interruption.

Employers are obligated to record working hours that exceed the daily working hours and to keep these records for two years. The flexibilization of the performance of work ensuing from mobile work makes proper documentation of the working hours necessary so that this recording duty can be satisfied. This documentation duty may also be transferred to the employees. This does not release employers from their responsibility to ensure that the recording duty is duly satisfied; it is thus advisable to make spot checks.

In France, recent Act of August 8. 2016 (Loi Travail) provided the employers (employing more than 50 employees) with a new yearly obligation to negotiate on the particular subject of the right to disconnect, in order to guarantee the effective respect of rest periods and of private and family life.

In particular, negotiation should focus on the different possible ways for every employee to fully benefit of his right to disconnect and about the implementation of a regulation system of the digital tools’ use.

Should the negotiation fail, the employer is required to prepare and implement a charter about the terms and conditions of the right to disconnect. This charter should also include information and training measures for employees and management concerning a reasonable use of communication tools.

Such an agreement or a charter are conditions for the validity of contracts with no reference to working hours but to an annual number of working days (forfait jours).

8. Flexible Working
(Shalina Vyas, CMS UK)

As technology has evolved more and more, employees have requested "flexible working conditions", such as home work and flexible working time arrangements.

In the UK, a statutory right came into force on 30 June 2014 for employees with at least 26 weeks' continuous employment to make a request for flexible working for any reason. This was a major change, because previously requests could be made only by employees with qualifying caring responsibilities, and so this change substantially increased the number of employees able to make a request. Flexible and home working can bring a number of benefits to an employer, such as reduced overhead costs, increased productivity and better motivation of their workforce. However, when considering flexible working requests, employers must take a range of other factors into consideration, including how the work by the employee will be carried out in practice.

An employee’s request for flexible working should include certain prescribed information such as details of the change they are seeking, the effect they think the change will have and how the employer could deal with this. Employees are entitled to make only one statutory flexible working request in any twelve month period and the maximum period under the revised statutory scheme for dealing with such a request is three months from receipt to the employer’s final decision.

An employer is permitted to refuse a request for flexible working under the statutory scheme on one of the eight prescribed grounds for rejecting a request. These include the burden of additional costs, detrimental effect on ability to meet customer demand, inability to reorganise work among existing staff and planned structural changes.

The maximum amount of compensation for a breach by the employer under the statutory scheme – for example that it failed to deal with the application in a reasonable manner or that it rejected the application for a reason other than one of the statutory prescribed grounds – is eight weeks’ pay (currently capped at £489 per week). However, in considering any request for flexible working, whether under the statutory scheme or otherwise, employers need to remain mindful of any potential discrimination claim (for which compensation is uncapped) arising from any rejection and take advice where appropriate.

Issues such as data privacy, confidentiality and health and safety are also significant considerations for an employer when allowing employees to work flexibly from their homes. Performance management is also important, and this can involve employee monitoring (please see No. 2 above for details).

Where flexible and home working arrangements are introduced, employers may need to amend their communications and privacy policies to ensure that they are able to properly monitor employees' levels of work and protect confidential information. Up-to-date employee handbooks and formally documented home working arrangements assist employers in protecting their business needs when employees work flexibly and remotely.

9. Working with the "Cloud"
(Emina Mameledžija, CMS Bosnia and Herzegowina)

The somewhat misleading term of "cloud" computing refers to storage, management, and data processing by way of using remote servers hosted on the Internet. Due to its many advantages, this method of data management makes it obsolete to store data on local servers or personal computers.

From an employment law perspective, companies increasingly use cloud computing to manage employees’ personal data for purposes of payroll accounting, maintenance of pension scheme plans, employees’ participation in shares trading, etc. Thereby it is often the case, especially for large corporations, to process and transfer employees’ personal data onto servers outside of the country of origin.

Such activities raise privacy questions relating to the protection of personal data. Even though in Bosnia and Herzegovina ("BiH") as well as in many other European countries cloud computing is not legally regulated per se, the protection of personal data is a legal requirement set upon all legal entities that process personal data. That said, following the applicable legal definition of data processing, which among others, entails the storage and management of data, cloud computing of personal data is treated within the meaning of that definition. The matter is even more sensitive when it comes to processing and transfering employees’ personal data, which is subject to strict data protection rules.

In BiH it is legally required that personal data transfer and processing is registered with the relevant authority, i.e., the Agency on Data Protection. As a precondition for the registration, it is mandatory that a data processing and transfer agreement is concluded between the so-called processor and the controller. Thereby the controller is considered the local employer and the processor is the entity using the cloud computing system for data processing. An important element of such agreement is the obligation of the processor to guarantee the highest EU standards of data protection, especially with regard to technical equipment. This agreement is subject to review and approval by the Agency on Data Protection.