Czech data protection authority: Can the employer access its employee's e-mailbox?
In January 2020, the Czech data protection authority (ÚOOÚ) published on its website an anonymised inspection protocol, which contains valuable information on how the authority assesses the checking and reading of employee e-mails after the GDPR came into effect.
In the case in question, the authority received a complaint stating that "… after an employee leaves, his e-mailbox, which contains both working and private data, is handed over to such employee’s supervisor, who has full access to the e-mailbox, administers it and uses it…". The authority initiated an investigation in which it expressed (and recorded in the protocol) its opinions on accessing employee mailboxes.
ÚOOÚ explains that, in general, an employer is not entitled to access the e-mailbox of its employee. The confidentiality of correspondence can be breached only if there is no other way to protect the employer’s legitimate interests and such interests prevail over the employee’s right to privacy. As an example, ÚOOÚ describes a situation in which an employee is unforeseeably hospitalised for a long period and cannot access his/her work mailbox. In such a case, the employer would be entitled to access its employee’s e-mailbox to check e-mail headers (the sender and the subject). Subsequently, the employer can notify senders about the situation; eventually, it can be assessed whether it is necessary to open any received e-mail. It is recommended to set up out-of-office replies.
Moreover, ÚOOÚ tackles the issue of ex-employees. The authority says that e-mailboxes of former employees must be "cancelled". The conditions for opening the e-mailbox are the same as in the case of current employees, i.e. the legitimate interests of the employer would have to prevail over the protection of its ex-employee’s rights. It is recommended to set up an out-of-office reply for a certain "justified" period, together with information about new e-mail contact details.
The abovementioned opinions expressed by ÚOOÚ are very similar to its previous official position (position No. 2/2009 on employee privacy with special regard to workplace monitoring). Due to the GDPR and other legislative changes, the position became outdated and is no longer available on the regulator’s website.