We are excited to share that we are set to begin a new chapter with Dropbox, Inc. Dropbox is acquiring our IP technology to embed natively into the Dropbox product, bringing end-to-end, zero-knowledge encryption to millions of business customers around the world. Check out our blog to find out more!

Peter Fink, Deputy Chairman of the Works Council of Hessing Klinik in Augsburg, Bavaria.

Lisa Figas | Marketing Manager


Co-determination by the works council - a finely balanced give and take

Some people may know the Hessing Clinic in Augsburg as the hospital for injured FC Bayern players. For the people of Augsburg, "the Hessing" is the place to go for orthopedic treatments and rehab services. Peter Fink is one of 15 Betriebsrat members and is 100% exempted in his position as deputy works council chairman. In our conversation about co-determination by the Betriebsrat on the subject of software, he talks about how he and the other council members shield data from the eyes of unauthorized persons and what measures are taken to protect Hessing Klinik employees from behavioral and performance surveillance.

Boxcryptor: What is the legal framework for data protection in the context of Betriebsrat work?

Peter Fink: Within the framework of the Works Constitution Act, the works council has been a separate, non-legal entity. In other words, a part of a company and not a separate person in charge. To be honest, this was quite a comfortable position for many works councils. They sat back and didn't feel responsible, and since many council members tend to be older, they didn’t necessarily have an affinity for "computer issues“. This then changed, because the GDPR as a Europe-wide regulation does not recognize the Betriebsrat. So there was a certain amount of anxiety among the works councils as to whether they would suddenly have to be personally liable for the protection of their employees' data. However, in the new BDSG, which converts the GDPR into national law, the works council is again defined as a non-legal entity.

If we have issues that fall into a gray area, we can create legitimate conditions through a vote at the constituent meeting of the works council – for example, that we are allowed to keep a list of employees, because such a list is enormously important for our work.

Good to know: In Germany, data protection violations are punished under the German Infraction Act (Ordnungwidrigkeiten-Gesetz) - and this is primarily directed at the person acting. This person can also be a works council member. For a works council member, a data protection violation can even lead to the loss of his or her honorary office, as such a violation can qualify as a breach of duty.

B: Are you the only Betriebsrat member who specializes in data protection, or are the others also well versed in the topic?

F: When I was elected to the council back then - shortly before the GDPR came into force – there was a lot of blank space regarding data protection. The chairman at the time was pleased that I had taken up the issue. I then proceeded to attend training courses and read up on the subject in my free time, because I had the feeling that we needed to take a firmer stance in this regard. For example, we have our own system where we store information about the employees we represent. I helped set that up at the time, after I took office. Of course, everything has to be compliant with the GDPR and the new BDSG.

How is the works council set up technically? Are you independent of the clinic's IT?

We work very well with the IT department of the Hessing Clinic and are also fans of their work. They have set up our own drive on one of the clinic's servers, which can be accessed only the members of the council. We also have our own subfolders that are only accessible to exempted council members.

Let's move on to the introduction of new software: Who decides which programs are purchased?

Normally the decision is made by the department management. By that point they would have already looked into what they need the software for and what it can do. For example, the other day they needed specialized planning software for orthopedic technology. The goal was to optimize production and get a better overview of which production stage a pair of orthopedic shoes is currently in. The new system is then used, for example, to implement changes at short notice. In this case, the department manager then had to obtain approval for the purchase from the division manager and the data protection. These two then examine whether co-determination by the works council is required.

What do these people use to decide whether the software requires co-determination?

Well, that is rather determined by the software itself.

If the software enables behavioral or personal surveillance, the works council must have a say.

In practice, however, it‘s always a question of who thinks about involving the works council in the process. My experience is that the first hint often comes from the software provider themselves. As part of the sales process, they point out that the works council must have a say and then invite us to their presentations. In the case of the software in orthopedic technology, the council also performed its own inspection and had the use of the software explained by the provider.

How intensely does the works council of Hessing Kliniken use the right of co-determination in IT?

About 5 times a year we get a case where a works agreement is finally reached.

And how is such a works agreement drawn up? Who writes it and how does the coordination process work?

It's usually not that complicated, because many data protection issues are already regulated by law so there’s no need for any extra regulation. However, we take great care to include a sentence in every company agreement stating that the data obtained via the software may not be used for behavioral or personal monitoring and that legal evaluation is prohibited.

What does this prohibition look like in practice?

Of course, we can't verify whether the head of department sometimes gets a peek at the employees' performance. After all, such analysis data is usually available. But we can of course veto any dismissal of an employee based on such analyses. We have already done this in the past and ensured that the person could stay in the company for the time being.

How do you use the power you have through co-determination?

Everyone involved – i.e., the company, the department head, the software vendor and the works council itself – is aware of the power the Betriebsrat has.

If the works council's approval is not obtained, we can veto the project afterwards.

Such a veto in the case of software can lead to us invalidating a termination or paralyzing production. Of course, we try to avoid that, and we as the Betriebsrat have no interest in harming the company. It's a finely balanced give and take in which everyone plays their part. We on the works council keep a low profile once the company agreement has been concluded and only become active when it comes to labor law issues that could be related to the software. We have far-reaching powers and can carry out inspections and interviews or demand to inspect files. It’s also possible that we accompany the employee tot he labor court, but that has not been necessary for several years now.

What worries you as a works council member in the data protection department?

There are two issues. On the one hand, I worry if there is software in the company that requires co-determination, where the works agreement has not yet been concluded – for example, because we don't even know that this software is being used in the first place. This is then simply an unpleasant gray area for the works council, the contractor and ultimately, of course, for the employees. The other issue is that when it comes to data protection, we always have to consider the situation of the employees at their workplace. In the hospital, for example, we have a system in which several employees share the same computer on the wards. Due to their fast-paced work, the employees don’t change the user every time they use the computer. As a Betriebsrat, we keep an eye on things like this.

Do the employees know that the works council is involved in IT decisions? Are they interested in it?

According to the Works Constitution Act, the employer must ensure that the works agreements are all on display and can be viewed by all employees. In the past, this used to be a dusty folder in some office that could be leafed through. Today, we have a separate folder for this on the intranet. When we file a new document there, we also inform people about it in a bulletin. But I honestly can't say whether people actually read it.

But when I'm out and about in the company and talk to employees, the issue of data protection does come up.

People notice when new software is introduced and they ask me about it. If I tell them that the Betriebsrat has checked it, that's usually enough to reassure them. Basically, I have the feeling that the topic of data protection is perceived very positively in our clinics and I think that we on the council have also made our fair contribution here, since we always make sure to report positively and to emphasize the advantages.

Is there anything else you would like to tell us about this topic?

I have heard of studies that have proven that companies that have a Betriebsrat which is on good terms with the company are more productive. I can confirm this from my point of view and would like to advertise that we play an important role in the economic system. Unfortunately, people in the IT sector often bemoan that they now have to deal with the works council on top of everything. But I think you have to look at the big picture, which is absolutely positive.

Compartir este artículo

Artículos relacionados


Our New Chapter with Dropbox: What Boxcryptor Users Need to Know

Last week we already announced that we sold important technology assets to Dropbox. What our customers need to know now, we explain in detail here.


A letter from our Founders: We’re joining Dropbox!

Almost 12 years ago, we set out to make complex security solutions easy to use. Now we are excited to share that we are set to begin a new chapter with Dropbox, Inc.

Dummies Book Cover and Back

CLOSED We Celebrate Our Book Release: Your Chance to Win

We have published our first book to get even more people excited about the cloud and data security. Celebrating the official launch, you can win printes copies and Boxcryptor licenses in our raffle. Read about the details in our blog post.