21.02.2023

Use of wearables at work: How secure is employee data?

Whether smartwatches, data glasses, gloves with sensors and scanners or fitness trackers for company health programmes: wearables are becoming increasingly popular as digitalisation progresses and offer employers an excellent opportunity to optimise their operational work processes and effectively use this technological progress in their company. In this way, wearables can significantly facilitate the operational work process and, in particular, minimise health hazards for employees. However, as is so often the case, technological developments also have their downsides: wearables generate a lot of personal data, which is why increased demands must be placed on the collection and processing of this data. How secure is this data really and how can employees be protected from performance monitoring by the employer? These and other questions are examined in more detail below.

1. What are wearables?

Wearables are small mobile computers that are worn directly on the body or head by employees. As a rule, they are hardly noticeable and record the employees' values by means of sensors. A fundamental difference between conventional mobile computer systems (such as smartphones) and wearables lies in the purpose: with wearables, it is not the use of the computer system as such that is the main activity, but rather the activity of the respective person that is supported by the computer system worn on the body.

2. Where are wearables used in the workplace?

Wearables can be used in the workplace for a variety of reasons: For example, employees can be equipped with smartwatches or fitness bracelets for the purpose of occupational health care, in order to take care of their health in this way, both in the professional and private environment. The advantage for employers is certainly that they can reduce absenteeism due to illness and ensure a stable work performance of their employees. The use of wearables in the logistics sector is also very popular. In the context of so-called "pick-by-voice systems", employees receive a headset on which they receive warehouse instructions from the software via voice output. In this way, hand scanners and countless paper lists are no longer needed and disruptions in the workflow are avoided. Furthermore, the use of wearables for training purposes is also proving to be extremely useful and is being increasingly used by companies.

3. What are the data protection concerns?

The possibilities for collecting and analysing data seem endless with the use of wearables: from personal data to sensitive health data, much is technically feasible, at least in theory. For this reason, employee data must be protected from access by third parties. In particular, from the perspective of labour law, it must be ensured that employees' performance is not monitored. There is a possibility that smartwatches, for example, could be used by employers to systematically record movement profiles and monitor employee performance. Employee data protection therefore plays a decisive role in this context (see also our website article on the topic of "Use of video surveillance systems under data protection law aspects").

4. What is the legal basis for the use of wearables?

a) Section 26 (1) BDSG: Contractual fulfilment in employee data protection
Section 26 (1) BDSG provides that the processing of employee data in the context of the use of wearables must be necessary and otherwise proportionate. Whether wearables are actually necessary for the performance of the employment relationship must be assessed on a case-by-case basis and may prove to be extremely difficult under certain circumstances. In any case, the VG Hannover ruled in February 2023 that the Amazon logistics centre in Winsen may monitor the working speed of its employees with the help of hand-held scanners (Case No. 10 A 6199/20) and thus affirmed the necessity. In the court's opinion, Amazon's interest in optimising the processes in the logistics centre and monitoring the performance of its employees outweighs the necessity. It remains to be seen whether this ruling will be overturned in the second instance before the Higher Administrative Court of Lüneburg. What is clear is that data protection law is not completely closed to technological progress, but nevertheless sets clear limits. Before using wearables, companies must ensure that the rights of their employees are adequately taken into account by taking appropriate precautions, such as regulating access rights, implementing technical and organisational measures and respecting the principle of data minimisation.

b) Consent
If the necessity of data processing is denied, a further legal basis is consent under data protection law in accordance with section 26 (2) BDSG. However, such consent is only effective if it is given voluntarily. The problem here is that, due to the economic dependence of employees on their employers, voluntary consent often cannot be assumed because employees often agree to the employer's measures out of concern for their jobs (see also DSK Brief Paper No. 14, in German).

In this respect, consent in the employment relationship is often associated with risks and certain uncertainties.

c) Company agreement
At least for companies that have a works council, the most secure legal basis is the works agreement pursuant to Art. 88 (1) GDPR in conjunction with section 26 (4) BDSG. Section 87 (1) no. 6 BetrVG obliges these companies to always involve the works council before introducing technical equipment. In this context, the works agreement must in particular ensure compliance with the principles of Art. 5 (1) of the GDPR. In particular, the principle of purpose limitation from Art. 5 (1) (b) of the GDPR, according to which the purposes for which employee data is collected, processed or used must be described clearly and in detail, is of fundamental importance. Employees must be able to clearly see the purpose for which their data is processed (transparency requirement). In addition, rules on data minimisation must be laid down and the measures required for this must be documented. In addition, the principle of storage limitation must be observed and clear deletion periods agreed upon. Last but not least, explanations on technical and organisational measures must be included in order to ensure that the collected data are adequately protected.

5. How can employees be protected?

In order to ensure that, on the one hand, the interests of the employer are sufficiently taken into account and, on the other hand, no performance checks of employees take place, at least the following measures must be taken for the use of technical equipment:

  • Employees must be made aware of and informed about data processing within the scope of data protection notices in order to comply with the transparency requirement of the GDPR in this way.
  • Another important point is the clarification of the legal question of whether the performance of a data protection impact assessment is required for the use of wearables according to Art. 35 GDPR. This is usually assumed for the use of new or innovative technologies, which is why a corresponding risk assessment must regularly be carried out in these cases (see also our website article on the topic of "How to carry out a data protection impact assessment"). In this context, among other things, explanations must also be made regarding a possible third country transfer, whereby in the case of a transfer of employee data to a third country, further measures, such as the drafting of a transfer impact assessment, must be elaborated. In the case of wearables, such a third-country transfer is also not unusual, as a large number of these devices are operated by cloud providers.
  • Last but not least, the inclusion of this processing activity in the record of processing activities must also be considered, whereby, among other things, explanations on the legal basis, the categories of recipients as well as the categories of data concerned must be made.

6. Conclusion

Overall, it can be stated that the use of wearables benefits both entrepreneurs and employees. From the point of view of entrepreneurs, wearables contribute significantly to optimising business processes and saving costs. At the same time, employees benefit in particular with regard to the promotion of their health. From a data protection perspective, however, wearables require increased attention and should not be underestimated by companies. Before using wearables, employers should therefore take a close look at how they can adequately protect their employees' data and which mandatory data protection documents they need to provide for this.

If you are planning to introduce wearables in your company or need help with wearables already in use, please contact us. We will be happy to support you and ensure that all data protection requirements are met in your company and that possible data protection violations are avoided from the outset.

Authors

Dr. Oliver Hornung

Partner

Marwah Kamal

Associate