Our lawyers Melanie Gassler-Tischlinger and Georg Huber were interviewed by the magazine “netzwerk tirol” about what has to be considered from a legal point of view in times of corona for external and internal crisis communication.
Conference calls, online meetings, emails: Communication in times of crisis
Melanie Gassler-Tischlinger and Georg Huber are attorneys at the Innsbruck law firm Greiter Pegger Kofler & Partners. “netzwerk tirol” spoke to them on the question of what should be considered from a legal point of view in times of corona regarding communication with outside parties and also with employees.
Has communication in companies changed due to the Corona crisis?
This answer to this question is a clear yes. In many companies, employees are working from home. Personal face-to-face meetings hardly ever take place anymore. As a result, companies are increasingly reverting to other options, in particular video conferences, webinars, but also electronic communication to promote online shops.
Particularly people with health risks are no longer allowed to come to work. Is an employer allowed to unilaterally order such persons to work via home office?
In principle, working via home office has to be agreed on. The situation is simple of if the employment contract already contains a corresponding provision. If the possibility of the employee being transferred to other places is provided for, e.g. to his place of residence, a unilateral order is usually possible.
In view of the developments in recent weeks, one could certainly also argue that employees who are fit for work can be obliged to use a home office simply because of their duty of loyalty, provided that this is possible and reasonable.
In some cases, employees in home office use their private smartphones and computers for work (“Bring-Your-Own-Device” – BYOD). In this case, we recommend that agreements be concluded on the operational use of these devices.
Back to the topic of video conferencing. There is a boom here, but is it all legal?
Despite Corona, the use of services for video and online conferences or webinars, such as Zoom, Skype or GoToMeeting, must comply with the provisions of the General Data Protection Regulation (GDPR). This should be taken into consideration when choosing a “conference tool”. Personal data is processed in the course of such conferences.
The basic rule is: if functionality is the same, preference should be given to service providers based in the EU and services should be chosen that provide privacy-friendly settings. The latter include, for example, encryption and no profiling of the conference participants. Furthermore, it should only be possible to record the meeting with the consent of the participants.
In the case of service providers outside the EU, the data protection level according to GDPR must be respected. Providers from the USA should for example be certified under the Privacy Shield (this is the case with the major providers such as Skype, Zoom, Microsoft Teams etc.).
As service providers are usually processors within the meaning of GDPR, it is imperative that a controller-processor contract be concluded with them. Most providers provide for the conclusion of such agreements in the course of registration. Strictly speaking, it would also be necessary to check the information provided by service providers on their technical and organisational measures (e.g. pseudonymisation, etc.) and their subcontractors. This is rather difficult in practice.
Once you have decided on a tool,each time you use it you should consider whether you really need the respective functions and whether there are not more data protection-friendly ways of achieving your intended purpose. Does the entire conference need to be recorded? Or could you simply record the most important information for later access?
Of course, the information and documentation requirements of the GDPR also apply. Participants must be informed about the purpose, nature and extent of the processing of their personal data. Here it is advisable to supplement this information in the regular data protection declaration and to refer to it via a link in the invitation to an online meeting.
Are there any special regulations in employment law on the subject of online meetings?
If there is a works council in the company, the choice of service should be agreed with the works council.
The use of such tools becomes critical when they are used to monitor employees. Video surveillance at the workplace, control of home office with monitoring software and other measures can affect or even violate personal rights and consequently the human dignity of the employee.
Measures affecting human dignity require the consent of the works council. If there is no works council, the consent of the individual employees is required.
Control measures that not only affect human dignity but also violate it are prohibited. Some providers of “conferencing tools” provide, for example, a control option whereby the person chairing the conference can check that the individual participants are not carrying out other activities (e.g. surfing or playing games on the PC) during the conference. The use of such a control function would probably not be permitted.
A large number of shops have had to close during the crisis and are now trying to push online trading. This requires increased marketing communication, for example through emails. Where do we stand on this?
In principle, the existing regulations on electronic communication for advertising purposes continue to apply as before. This means that both data protection and the rules of the Telecommunications Act must be observed.
Direct marketing by e-mail may be permitted under data protection law without the consent of the person concerned (especially if no profiling is carried out). However, the information obligations must be observed and, above all, the possibility of a simple opt-out must be provided.
However, telecommunications law imposes strict limits on electronic direct marketing. The provisions of telecommunications law must be observed irrespective of data protection.
SMS, telephone calls, WhatsApp, emails etc – i.e. electronic communication in the broadest sense – are not permitted for direct marketing purposes without the prior consent of the recipient. There are only a few, very limited exceptions. In particular, the recipient must have had the opportunity to object to the electronic communication beforehand – usually when the data was collected. The possibility to opt-out in the advertising message is insufficient. In addition, the customer data must originate from a separate business relationship with the customer and only the company’s own, similar goods and services may be advertised.
Advertising sent by conventional mail is not affected by the provisions of telecommunications law.