DLP software enables email content and attachments to be checked for conflicts with a chosen set of rules (the DLP policy). For example, it records the names of files that are uploaded to or downloaded from USB devices. Every modification to protected data is then detected (with the assistance of third-party software where necessary). In this way, unauthorized or unwanted leaks of confidential data are meant to be prevented.
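The rule check described above, as an added example that is not part of the original article and not the code of any real DLP product: a small Python policy engine that evaluates email attachments against a rule set and writes only minimal audit records for email findings and USB transfers. The rule names, regular expressions, file names and sample contents are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# --- Hypothetical DLP policy -------------------------------------------------
# A rule is a name plus a predicate over (filename, content). The rule set
# below is constructed for this example and is not a real product's policy.

CONFIDENTIAL_MARK = re.compile(rb"\bCONFIDENTIAL\b", re.IGNORECASE)
# 13 to 16 digits, optionally separated by spaces or hyphens (card-number shape).
CARD_NUMBER = re.compile(rb"\b(?:\d[ -]?){13,16}\b")


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str, bytes], bool]


POLICY = [
    Rule("confidential-marking", lambda name, data: CONFIDENTIAL_MARK.search(data) is not None),
    Rule("card-number-pattern", lambda name, data: CARD_NUMBER.search(data) is not None),
    Rule("archive-attachment", lambda name, data: name.lower().endswith((".zip", ".7z", ".rar"))),
]


@dataclass(frozen=True)
class Finding:
    channel: str    # "email" or "usb"
    filename: str
    rule: str


def check_attachments(channel: str, attachments: Iterable[tuple[str, bytes]],
                      policy=POLICY) -> list[Finding]:
    """Evaluate each attachment against every rule in the policy.

    Only the channel, file name and rule name are retained; the attachment
    content is inspected in memory and never copied into the finding.
    """
    findings = []
    for name, data in attachments:
        for rule in policy:
            if rule.matches(name, data):
                findings.append(Finding(channel, name, rule.name))
    return findings


def usb_transfer_record(direction: str, filename: str) -> dict:
    """Audit record for a USB copy: direction and file name only, no content."""
    if direction not in ("upload", "download"):
        raise ValueError("direction must be 'upload' or 'download'")
    return {"channel": "usb", "direction": direction, "filename": filename}


def audit_record(finding: Finding) -> dict:
    """Minimal record for the DLP audit log.

    Deliberately contains no content excerpt and no per-employee counters,
    so the log cannot double as a performance or attendance monitor.
    """
    return {"channel": finding.channel, "filename": finding.filename, "rule": finding.rule}


# Constructed sample attachments (names and bytes invented for this example).
SAMPLE_EMAIL_ATTACHMENTS = [
    ("q3-forecast.docx", b"Internal draft - CONFIDENTIAL - do not distribute"),
    ("customer-list.csv", b"name,card\nA. Sample,4111 1111 1111 1111\n"),
    ("export.zip", b"PK\x03\x04 placeholder archive bytes"),
    ("agenda.txt", b"Team meeting at 10:00, room 4"),
]

if __name__ == "__main__":
    for finding in check_attachments("email", SAMPLE_EMAIL_ATTACHMENTS):
        print(audit_record(finding))
    print(usb_transfer_record("upload", "board-minutes.pdf"))
```

The design choice worth noting is that the audit record is built from the finding rather than from the attachment: whatever the rule matched stays in memory and is discarded, which keeps the log limited to what is needed to follow up a suspected leak.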
Yet are these proposed solutions in line with the company’s data protection policy, especially in terms of employee data protection?
Both art. 6 para. 1 lit. b GDPR and § 26 para. 1 sentence 1 alt. 2 of the German Federal Data Protection Act (BDSG) come into consideration as a legal basis. Checking by the DLP software must then be necessary for the performance of the employment relationship.
Its use therefore only comes into consideration if all milder measures for protecting against unwanted data leaks have been ruled out completely.
Personality Rights vs. Trade Secrets Protection
Within the scope of the appropriateness test, the personality rights of the employees must be weighed against the company’s interest in the protection of its trade secrets. This requires attention to the protection of personal data and, ultimately, a weighing of the interests in each individual case. It is essential to prevent the DLP software from being used to monitor the employees’ performance or attendance. If the software does not make such monitoring possible, the employer’s interest should prevail; otherwise, it is recommended to conclude a works agreement. In any case, access rights to the software must be clearly restricted, and the company must voluntarily commit itself to using the DLP software exclusively for preventing data leaks.
The software as a rule makes it possible to inspect employees’ emails. Private email use should therefore be prohibited. Alternatively, employees must be given detailed information that monitoring may be carried out in exceptional cases where there is a specific suspicion.
Before the implementation of the DLP software, it is absolutely necessary to conduct a data protection impact assessment in accordance with art. 35 GDPR, and the data protection officer should participate in this process. The prohibition on automated decisions in individual cases is, however, not affected by DLP software.
Before implementing DLP software, the following measures should be carried out:
- Ruling out all milder measures
- Weighing up the protection of trade secrets against the personality rights of employees
- Informing the employees
- Conducting a data protection impact assessment in line with art. 35 GDPR