Exploring mental models of the right to informational self-determination of office workers in Germany

Authors: Jan Tolsdorf (Bonn-Rhein-Sieg University of Applied Sciences), Florian Dehling (Bonn-Rhein-Sieg University of Applied Sciences), Delphine Reinhardt (University of Göttingen), Luigi Lo Iacono (Bonn-Rhein-Sieg University of Applied Sciences)

Volume: 2021
Issue: 3
Pages: 5–27
DOI: https://doi.org/10.2478/popets-2021-0035

Download PDF

Abstract: Applied privacy research has so far focused mainly on consumer relations in private life. Privacy in the context of employment relationships is less well studied, although it is subject to the same legal privacy framework in Europe. The European General Data Protection Regulation (GDPR) has strengthened employees’ right to privacy by obliging that employers provide transparency and intervention mechanisms. For such mechanisms to be effective, employees must have a sound understanding of their functions and value. We explored possible boundaries by conducting a semistructured interview study with 27 office workers in Germany and elicited mental models of the right to informational self-determination, which is the European proxy for the right to privacy. We provide insights into (1) perceptions of different categories of data, (2) familiarity with the legal framework regarding expectations for privacy controls, and (3) awareness of data processing, data flow, safeguards, and threat models. We found that legal terms often used in privacy policies used to describe categories of data are misleading. We further identified three groups of mental models that differ in their privacy control requirements and willingness to accept restrictions on their privacy rights. We also found ignorance about actual data flow, processing, and safeguard implementation. Participants’ mindsets were shaped by their faith in organizational and technical measures to protect privacy. Employers and developers may benefit from our contributions by understanding the types of privacy controls desired by office workers and the challenges to be considered when conceptualizing and designing usable privacy protections in the workplace.

Keywords: informational self-determination, privacy at work, mental models, usable privacy controls

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.