Data sovereignty versus data protection in digital communication
How do companies reconcile their interest in archiving and accessing their employees' digital messages with the GDPR requirements? Six points that say what's what.
The General Data Protection Regulation (GDPR) of the European Union puts the digital communication of companies under a new tension. Companies naturally have a great interest in archiving all their employees' messages centrally and accessing them as needed - for example, if an employee is unexpectedly absent or in order to be able to provide evidence in the event of legal disputes. This interest is now set against the strengthened data protection rights of employees under the GDPR. This has left many companies uncertain.
The specialist for confidential digital communication Brabbler AG explains what companies need to know to successfully reconcile data sovereignty and data protection:
1. all messages may be archived further. A closer look at the current legal situation puts many fears into perspective. Companies are still allowed to archive the business correspondence of their employees. This applies not only in cases where there is an explicit legal obligation to do so. The company's own need for traceability and control is also still a valid reason.
2. employee permission to archive is not required. According to the GDPR, the lawfulness of data processing is given if it is necessary "for the fulfillment of a legal obligation" or "for the protection of legitimate interests". Thus, the two main reasons for archiving in the company are specifically named in the legal text. The consent of the employees is therefore not required.
3. messages from ex-employees do not have to be deleted automatically. In principle, former employees have the right to be forgotten; however, in the case of business correspondence, the interests of the employer usually prevail according to widespread expert opinion. In many cases, deleting messages from individual employees would tear apart entire communication histories and severely impair traceability.
4. private use of communication systems should be excluded. However, it becomes problematic,if the private use of the company accounts is not explicitly prohibited.Private messages are then subject to telecommunications secrecy. The safest and most practical solution is therefore to completely prohibit the private use of the company's communications systems, thus clearly separating business from private.
5. access to messages must not degenerate into surveillance. Unrestricted access by companies to the messages of their employees is not permitted. The principle of proportionality prohibits unprovoked and permanent reading. The transparency requirement demands that companies inform their employees about central storage and provide information about the purpose and duration of storage as well as the group of persons authorized to access the data. In addition, the data protection officer should be present during accesses or at least be informed of them.
6. communication systems must ensure secure processing. The greatest challenge for digital communication is the security of the processing of personal data. In this respect, open e-mail systems often fail to meet the DSGVO requirements, as do private messengers à la WhatsApp. A good alternative are closed business messaging systems that protect their messages from unauthorized access through encryption and at the same time allow companies to archive the messages centrally and decrypt them if necessary.
"When selecting a suitable communication system, companies should look very carefully," advises Fabio Marti, Director Business Development at Brabbler. "With many encrypted messengers, the individual keys are only located on the users' devices, so that central access to plaintext data by the user company is ruled out. Instead, the solutions should have an encryption concept that can also be used to decrypt messages at a central location if required. Only then can it be ensured that DSGVO-compliant security does not come at the expense of companies' legitimate archiving interests."
