Control or indulgence?

A trend is taking hold: Bring-Your-Own-Device (BYOD) appears in more and more employment contracts. Employees are thus permitted, even encouraged, to use their own smartphone, private laptop or tablet for work. Many companies already rely on so-called MDM (mobile device management) solutions to manage these devices. As soon as employees’ mobile devices have access to company networks, certain rules and security policies apply.

As a rule, such use requires installation of a software agent on employees’ devices. Organizations use MDM software to detect and, at best, prevent information theft and data leaks – whether those mobile devices belong to the company or the employee. The installed MDM software application then monitors the device with regard to approved applications and, in the event of theft or loss, can reset the device to factory settings, wiping all data on it.

A major problem with mobile device management software is the false sense of security. Especially during the Corona crisis, many employees had to switch to private devices. IT departments were faced with the challenge of securing access to these devices in the best possible way. With MDM profile installations, IT thus has sovereignty over the device – up to and including remote deletion of all data. This method often resulted in the rejection of BYOD or long discussions with personnel or works councils. This raises the question: How far can companies invade the privacy of their employees and what is legally permissible?

Create secure areas – separation of personal and company data

IT departments are only allowed to create certain protected areas on the devices for important company data. If such a device is lost or the user leaves the company, this data can be deleted in the protected area – without touching the private data. For the control to be permissible, employees must first know and also agree that the mobile device is being controlled. It must be transparently regulated what is controlled and when which data is deleted.

Consent by the employee

If a company plans to use employees’ private devices with MDM software in connection with BYOD, the employee must expressly agree. However, this only applies if private use of the business devices is permitted and access with mobile device management software is not limited to business data. As an example, many workers use their Outlook app with personal and business accounts mixed.

Monitoring and control systems

Important: Monitoring and control systems intended to monitor the behavior of employees are prohibited under Art. 26 of Ordinance 3 to the Labor Code! Permanent monitoring for performance control is also inadmissible in any case.

However, if such systems are required for other reasons, they shall be designed in such a way that the health and freedom of movement of workers are not impaired thereby. The principle of proportionality applies here. Such systems are permitted for safety reasons and to record work performance.

Example: telephone switchboards (monitoring incoming and outgoing calls, etc.). By contrast, if employees are allowed to send private e-mails via the company account, monitoring of that account is usually not permitted.

Working hours

The employer may, however, request to inspect official correspondence. Supervisors have an interest in monitoring the duration of employees’ working hours in the home office – just as they do in the office. Important to know here: Employers are also legally obligated to do so by the Working Hours Act (ArbZG). The recording of log-ins on the work computer, smartphone, etc. is a permissible means for this purpose.

Browsing history (on corporate devices)

Is an employer allowed to monitor an employee’s Internet behavior? Here it depends on whether the private use of the Internet is prohibited in the employment contract. If this is the case and there is a concrete suspicion, the supervisor may even check without the knowledge and consent of the employee. If personal data obtained is found, it may also be considered evidence and used, for example, in a dismissal case to the detriment of the employee. Even if private use of the Internet is permitted, the boss may still carry out checks in the event of concrete suspicion (e.g. predominant private surfing during working hours).

Our conclusion:

In the case of BYOD regulations, clear rules must be established in advance. The most common technical measure is the division between private and business data by creating an extra designated data area. Good mobile device management has the ability to remotely wipe business data in an emergency while not compromising private data.

It is important here that in the case of mixed use, employees take care not to allow third parties to access company data. This also applies even if you “only lend” your partner the device for a short time for surfing. The question posed at the beginning as to how far employers may control equipment must always be decided on a case-by-case basis. In general, it can be said that monitoring must always be considered in accordance with the principle of proportionality. The purpose of the surveillance measure must correspond to a concrete reason (e.g. security against theft, security against industrial espionage, etc.).

All measures that are necessary must be designed in such a way that the intrusion into the personal rights of employees is kept as low as possible. Personal evaluations are only permitted in the event of concrete suspicion of misuse. If your company needs support with the introduction or configuration of mobile device management, we are of course there as a contact partner for you.

Simply book your free consultation appointment on the topic of mobile device management.