With its judgment dated 6 June 2018 (docket number 21 Sa 48/17), the Higher Regional Labor Court of Baden-Wurttemberg (Landesarbeitsgericht Baden-Württemberg) found that an employer may use evidence proving an employee’s breach of a contractual duty against the employee, even though the evidence had only been accidentally discovered during a search of the employee’s IT-equipment. The court decided that the evidence could still be used, even if the original search itself was inadmissible pursuant to data protection regulations. However, use of such evidence shall be limited to scenarios in which the violation of the employees’ general right of privacy does not prevail against the interests of the administration of justice. Even though the Court’s decision is based on the old German data protection law, in our view it equally applies under current law, i.e. the GDPR as well as the German Federal Data Protection Act (“BDSG 2018”).
In the case at hand the employer (defendant) terminated the employment contract with the employee (plaintiff) based on a strong suspicion of fraud. The suspicion originated in sets of data that were found on the employee’s company laptop during an internal investigation. Those data indicated that the employee was committing fraud detrimental to the company by fuelling more gas than his company car’s fuel tank could possibly hold. However, the internal investigation that brought up the data had originally been based on a completely different suspicion: The employer had become aware of the fact that another employee had sent an e-mail containing confidential information to the plaintiff. The employer then asked the plaintiff to hand over his company laptop based on the suspicion that he might have forwarded this confidential information to third parties.
The Higher Regional Labor Court found that the employer did not have probable cause to search the plaintiff’s company laptop and – taking into consideration that the plaintiff was allowed to use the laptop for private purposes also and did not formally consent to the search of his laptop – ruled that the processing of the plaintiff’s personal data violated the former German Federal Data Protection Act (“BDSG a.F.”; that was applicable as the violation took place prior to the GDPR and the BDSG 2018 – coming into force). The Court expressly stated that the fact that the plaintiff had indicated willingness to cooperate with the employer in the investigation of the original suspicion cannot be regarded as a valid consent and was thus not able to justify the processing activities carried out by the employer.
However, the court then found that the defendant could nonetheless use the accidentally discovered data regarding the fuel fraud in legal proceedings against the plaintiff. The BDSG a.F. does not provide for any inadmissibility regulations. Thus, collected data may only be inadmissible as evidence in court, if its collection constitutes an unjustified interference with the opposing party’s general right of privacy. Whether this is the case would have to be assessed in each individual case, balancing the interests of the affected person against the need for well-functioning administration of justice.
In the case at hand, the plaintiff’s general right of privacy was subsidiary to the need for well-functioning administration of justice. This was mainly based on the fact that the plaintiff not only handed over his laptop unconditionally, but also showed his willingness to cooperate and provided the internal investigation with his passwords. Additionally, the search was conducted in a non-secret manner and the plaintiff knew that any private data might be discovered. In addition to that, the plaintiff’s right of privacy was further protected by the employers IT-usage guidelines and the fact that any private personal data could be saved in a file marked “private” that the employer was not permitted to search. The plaintiff could have therefore stored his private data in a way that would have prevented the employer from processing it.
The ruling appears especially significant in light of the admissibility of evidence in court that was discovered by accident. Even data found during searches that, given their original purpose, violated data protection regulations, can constitute admissible evidence. The court points out that the accidental discovery can be legitimate, if the interference with the employee’s general right of privacy can be justified by the need for a well-functioning administration of justice as a result of a balancing of interests.
Even though an appeal has been filed with the Federal Labor Court, the ruling indicates that searches that violate data protection laws might not necessarily lead to the inadmissibility of evidence discovered by accident during such searches. In particular, the individual’s general right of privacy has to be weighed against the need for well-functioning administration of justice to determine whether evidence discovered by accidence is admissible in court.
The fact that the Court’s decision is based on the BDSG a.F. that is no longer in force, does not reduce its effects: The provisions applied by the Court remain largely the same under current law which is why there are no indications that the Court’s decision would have been different.