Microsoft 365 and the Works Council

What Is a Works Council?

A works council, or Betriebsrat / pl. Betriebsräte in German, is an organisation within a for-profit business that represents its workers. Works councils are not to be confused with trade unions (Gewerkschaft / pl. Gewerkschaften), which generally operate industry-wide and represent workers from several companies. Unions are in charge of negotiating wage rises and organising strikes when necessary, among other things. Works councils, on the other hand, are specific to one company, and their members are simultaneously employees of said company. The purpose of the Betriebsrat is to establish a sort of checks and balances system within the company, holding the executives accountable and keeping the workers protected. Companies have certain reporting responsibilities towards the council, e.g. regarding hiring or restructuring departments, which the council can veto – this is referred to as the co-determination process. The council is democratically elected by employees, with a re-election taking place every four years. While there are other European equivalents, the German form of Betriebsrat is the most developed and common.

One of the tasks tackled by the works council is protecting employees from being monitored by their employer. This is why the works council must be well versed in data protection and be able to conclude company agreements with the employer regarding the introduction of certain software products. This also applies to products offered under the Microsoft 365 brand.


What Is Microsoft 365?

The Microsoft 365 brand includes a variety of software products that are provided in the cloud or locally and for private or business use. Perhaps the best-known example is the Microsoft Office package with the programs Word, Excel and PowerPoint. Cloud services such as SharePoint and the Outlook email client are commonly used by many businesses. During the corona pandemic, in order to enable collaboration in lockdown, many companies and schools deployed Microsoft Teams – a collaboration software that can also be used as part of a Microsoft 365 license.

Why Is Microsoft 365 Subject to the Co-determination Process?

There are two reasons why Microsoft 365 can only be implemented in a company if the works council agrees. Both have to do with the fact that sensitive information could fall into the wrong hands.

1. Monitoring by the Employer

The works council must ensure that employees are not subjected to performance and behavioral monitoring by the employer. But software like Microsoft 365, which is conquering offices bit by bit, is creating more and more opportunities for this kind of control by recording time stamps and recipients of chat messages, or documenting access and storage processes. The resulting log files are ideally suited for monitoring individual people in the company almost seamlessly – whether that is the intention or not. The point is that the possibility theoretically exists.

Detailed research on this was published by the Privacy International (PI) network in June 2022: WFH - Watched from Home: Office 365 and workplace surveillance creep

2. Data Access by Foreign Authorities

Employees are also vulnerable to surveillance from outsiders. Many large software providers such as Microsoft are headquartered in the USA, where a far-reaching law, the CLOUD Act, ensures that authorities have almost unrestricted access to files stored in cloud storage. This fundamentally contradicts the standards set by the GDPR and our European understanding of data protection.

Learn more about the CLOUD Act in our blog post: The USA CLOUD Act

Personal and Behavioral Control Through Microsoft 365

So, due to the current legal situation, it is impossible to control who ends up seeing the sensitive, personal or classified information that an employee sends to a colleague within Microsoft Teams. The same goes for any documents stored in a cloud, such as Microsoft OneDrive and SharePoint.

The problem is further exacerbated by services such as Delve, which perform data visualization and search files within Microsoft Office 365. The only way for employees to prevent Delve from publishing their file content is to take additional security precautions. While these analyses may be useful for employers, on the individual level they often infringe on personal rights.

In summary, Microsoft 365 requires co-determination because monitoring employees with the help of this software is theoretically possible.

Works Agreement on Microsoft 365

A works agreement can be concluded for matters requiring co-determination in accordance with Section 87 of the German Works Council Constitution Act (BetrVG). In such an agreement, the works council and the company management determine which requirements and control instances must be created in order to introduce a certain software in the company.

There are templates for works agreements on the use of Microsoft 365 on the Internet that one can use to prepare one’s case. It is important that the employer approaches the works council prior to installing the software and provides detailed information. The key issue is whether and how the collected data should be used.

The works council then approves or rejects the use within the framework of a works agreement. The decision is made in accordance with the employees' right to privacy.

Keep Updates in Mind

It is important that you don’t consider a company agreement regarding software a “set it and forget it” situation. Especially with software packages such as Microsoft 365, updates are bound to happen. This means that the requirements for data protection and compliance with personal rights are subject to change.

Therefore, the use of Microsoft 365 must be continuously regulated and attended to. In doing so, you will ensure that the actual use of the software is in accordance with the company agreement and doesn’t diverge due to everyday work. This softening of the regulation can be avoided by concluding a process agreement that can be continuously adapted. There are specialized service providers who can provide you with automated information about changes in Microsoft 365 that require co-determination.
