Home » HR Lexicon » Basics of data protection in the workplace


The correct handling of personal and sensitive data is of crucial importance for the employer. The (deliberate) breach of data protection can not only ruin a company’s reputation, but also result in criminal consequences. For this reason, it is important to deal with the issue in depth. The following is a brief overview of the most important aspects of data privacy in the workplace.

data protection in the workplace
Photo by Dan Nelson on Unsplash

What is personal data?

The definition of data relating to a natural person is found in the European General Data Protection Regulation (GDPR). For the purposes of Article 4(1), personal data is that information which directly or indirectly enables the identification of a natural person. This information can relate to both personal and factual circumstances and includes, for example:

  • First and last name
  • Date of birth
  • residential and correspondence address
  • Telephone, matriculation and social security numbers
  • E-mail address
  • Online identifier such as IP address

Here, the GDPR distinguishes sensitive data that constitute a genetic, physiological, physical, psychological, social, cultural and economic identity of a natural person.

Individual data relating to legal persons, including registered associations and corporations, are excluded from the definition. Unless they relate to an individual living behind the legal entity.

Obligations and rights regarding data protection in the workplace

Generally, employers may collect and process personal and sensitive data from employees solely for the purpose of an employment relationship. This takes place primarily during the establishment, implementation and termination of an employment relationship. Voluntary consent on the part of employees and the ability to revoke such consent at any time are a fundamental prerequisite for legally compliant data processing at the employer level.

In this context, there is a duty to inform employees. They must be informed not only about the time of data collection, but also about the purpose and duration of data storage. In addition, it is important to provide contact information of persons responsible for data processing. Finally, employees must be informed about the following rights:

Right to:

  • Right to information
  • Correction
  • timely deletion of processed data
  • Restriction of data processing
  • Data portability
  • Complaint to the supervisory authority

In addition to the duty to inform, the employer must also comply with the data minimization obligation. According to this, only those data that are necessary may be collected and processed. They may remain stored until their processing purpose has been fulfilled.

If employees leave the company, their data must be verifiably deleted. Some of this data must be retained for a certain period due to legal requirements under labor, social insurance, commercial and tax law.

Data protection for employees during work performed

Strict GDPR requirements pose significant challenges for both employers and their employees, which come to light in a variety of situations. Some of these involve:

Data protection in the home office workplace

Various threats can arise when setting up and using home offices,

  • including espionage,
  • Disclosure of sensitive information,
  • Data loss, and destruction of equipment or media.

Therefore, it is important to implement certain security measures. These include limited authorization of people, access to authorized functions, storage of personal and sensitive data in the corporate server, and technical configuration of the computer to make various manipulations impossible.

Data protection among colleagues

Data protection among colleagues
Photo by Azamat E on Unsplash

Not only the employer, but also employees must ensure that personal and sensitive data is adequately protected in their daily work. Simple measures such as secure passwords, locking the PC when leaving the workplace, locking away files after use, shredding misprints, and strictly separating work and private life by refraining from private use of e-mail and the Internet can help.

Video surveillance in the workplace

It is allowed only under certain circumstances. As an example, the prosecution and investigation of a crime, if proportionality is maintained. Video surveillance in non-public areas requires the submission of a declaration of consent on the part of affected employees.

Special rules apply to workplaces accessible to the public. The use of video surveillance in highly personal living areas (locker rooms, restrooms, break rooms and bedrooms) is generally prohibited.

Whatsapp Group Work Privacy

Whatsapp offers its Messenger service to both individuals and (small) businesses. It can be a communication channel in everyday business, provided its use is in line with the GDPR requirements. Some Whatsapp practices, such as uploading contact data, using metadata and unencrypted backups, give rise to data protection issues.

From a data protection perspective, Whatsapp should not be used for internal communication as well as business conversations with external customers.

Violation of data protection Examples

Many employees send private emails and use the Internet for private purposes during working hours. This is only legally okay if an agreement has been made with the employer regarding Internet use at work. If this is not the case, employees are acting unlawfully and risk a warning or even termination without notice.

If the employer allows private Internet use at the workplace, he must comply with the Telecommunications Act (TKG) and take measures against the violation of telecommunications secrecy. This also means that he may not monitor, track or log private Internet use. The deletion, modification or rendering unusable of private data may result in a fine or imprisonment.

If a breach of data protection occurs, the employer is initially held liable as the responsible party. In the event that employees act in gross negligence or even intentionally against data protection regulations, they can be held legally responsible. It must be proven that employees acted contrary to clear instructions from the employer.

The employer must report a data protection breach to the supervisory authority immediately or within 72 hours at the latest.

Disclaimer:

We would like to point out at this point that our Internet offer serves a non-binding information purpose. It does not constitute legal advice in the true sense of the word. The content of this contribution cannot and is not intended to replace individual and binding legal advice. For this reason, all information provided is without guarantee of correctness and completeness. The contents of our website are researched with the utmost care. Nevertheless, the provider cannot assume any liability for the accuracy, completeness and timeliness of the information provided. For the solution of specific legal cases, we would like to ask you to consult a lawyer without fail.