Legal and data protection-compliant IT security solutions are in demand

Kiel – On 2017-07-27, the Federal Labor Court ruled that a too far-reaching keylogging was too much an interference with the employee's personality rights. According to Article 32 (1) of the Bundesdatenschutzgesetz (BDSG), this is inadmissible "if there is no suspicion of a criminal offense or other serious breach of duty which is related to the employee.”

Obtained findings from the underlying case in which the employee was informed about a monitoring, but ultimately each of his keystrokes was recorded and, in addition, a scouting software monitored the screen, could not be used as a legal tool. This would have been different if only actual critical activities on company data had been recorded.

In view of the current ruling, the uncertainties are high to what extent a data-safe foundation can be created in companies without violating employee rights in the event of a case. Especially with regard to the amendment of the Federal Data Protection Act (BDSG), which will enter into force in 2018, companies are obliged to provide proof of a continuous comprehensive prevention as well as damage limitation in the case of possible data leaks and therefore have to monitor the activities of the users.

Intelligent IT security solutions are able to reconcile these initially contradictory requirements.

What must a legally secure IT security solution be able to do?

• It must not be possible that screenshots or metadata of personal data, for example private e-mails or private payment transactions with reference to the user, are stored.
  
  
• The logged user activities are evaluated only in the event of a suspicion, according to the Data Protection Act and with the involvement of the works council. For this purpose, an appropriate service agreement must be made in advance.
  
  
• Transparency is important: It is possible for the user at any time to know what has been saved (see § 34 BDSG) and who has access to his logged activities.
  
  
• The provisions of the Federal Data Protection Act must be integrated. Please refer to §§ 1-11, as well as 32-35 of the BDSG. In particular, § 4 Permissibility of data collection, processing and use, § 9 Technical and organizational measures and § 35 Correction, deletion and blocking of data are mentioned.

It is important that the solution used is resource-conserving and data-saving in order to meet not only a further legal requirement but also the necessary performance.

IT security in the workplace needs no sorcery. It should be both legally secure and meaningful, easily integrable and scalable for the respective company size.

Factsheet

The detailed factsheet on the topic and further information can be found at www.consist.de.

Consist Software Solutions GmbH is a specialist in IT security and puts great emphasis on solutions that are not only legally secure, but also operate in real-time before any damage can occur.