More than two years after the EU General Data Protection Regulation's (GDPR's) entry into force, employers' access to employee email accounts still raises several questions. This has been highlighted by three recent cases in which the Hungarian Data Protection Authority (NAIH) imposed fines on employers in connection with their access to employee mailboxes. This article summarises the legal situation regarding professional email accounts and sets out the key takeaways from the authority's decisions.
Email is a standard tool used for professional communication; therefore, it is common practice that employers provide personalised email accounts to employees. The use of these accounts, especially employers' access to their contents for monitoring or other purposes, raises several privacy questions. Employers often need to inspect an employee's mailbox, and this is by no means prohibited, but the NAIH's recent practice shows that employers must act with due care when doing so.
In October 2016 – before the GDPR had entered into force – the NAIH issued comprehensive guidelines on data processing activities in the employment context. The guidelines discussed, among other things, the data protection aspects of monitoring employees in the workplace and the use of devices and IT equipment (eg, using GPS tracking devices or checking internet use or email accounts) for such purpose.
The NAIH accepts that employers may have a legitimate interest in accessing their employees' email accounts on certain occasions (eg, during an employee's absence), but emphasises that such a right may be exercised only in a way that ensures appropriate protection of employee privacy and upholds the basic principles of data protection law.
Employees often use their email accounts for private purposes too, which makes it difficult for employers to access the contents of the mailbox without, at least, jeopardising employee privacy. At the same time, such private use should in principle not block employers' access to business-related correspondence which is often crucial for their operations.
The NAIH recommended that employers set out the conditions for using mailboxes, together with the methods of control, in a detailed policy. If the control is based on the employer's legitimate interest (which may well be the case), employers must perform a legitimate interest test. Employers must also implement measures that ensure the proportionality of the check (ie, that only the addressee and subject line of the emails are checked first, before their content is accessed). The guidelines provide recommendations for employers that can also be used under the GDPR.
Amendment of Labour Code in 2019
The GDPR's entry into force did not make companies' lives easier when it comes to handling employee data. Among the several practical and legal questions that it raised – including the legal basis of processing, information rights of employees, intra-group transfers of HR data and handling criminal data – the access to employee mailboxes received somewhat less attention.
Most Hungarian commentators – primarily employment law experts – agreed that professional email accounts must be used for work purposes and consequently work-related information contained in an employee's mailbox forms the property of their employer. This approach was also reflected in a modification of the Labour Code, which entered into force in April 2019.
The modified provisions of the Labour Code provide that:
- employers generally have the right to monitor the behaviour of their employees with regard to their employment;
- employers may use technical means for such monitoring; and
- IT equipment provided to employees (including smartphones, computers and email accounts) may be used only for work purposes unless otherwise agreed between the parties.
The Labour Code also provides that employers must inform employees in advance of the possibilities and methods of monitoring them, including monitoring of their use of work equipment.
The modified provisions aimed to provide clarity and give employers the opportunity to inspect any work equipment that is provided to employees. Although monitoring employees' private life remains prohibited, employers can generally inspect work equipment as long as they can prove that the inspection is work related.
NAIH's recent decisions
Although the above regulations might seem rather employer friendly, in some of its recent decisions, the NAIH has fined employers for the violation of employees' privacy rights when accessing their email accounts.
In one of the cases, an employee's mailbox was accessed during their sick leave to ensure the employer's continued operations. While the NAIH accepted that such access may be based on the employer's legitimate interest, the employer's failure to do the following violated the principle of fair data processing and was not aligned with Article 5(1)(a) of the GDPR and Paragraph 39 of the GDPR's preamble:
- The employer did not have any policies in place that governed such access.
- The employer did not inform the employee in advance of the access and the monitoring.
- The employer did not provide an opportunity to the employee or their authorised representative to be present at the inspection.
In another case, an employer restored an employee's mailbox from its archives and started to scan it with the purpose of finding a specific work-related document. Although the employer had policies in place and the scan performed specifically targeted business information, the fact that the archived mailbox contained private data and the employee was not informed of the access and could not be present at the inspection violated the principle of fair data processing.
In summary, it seems that the NAIH recognises employers' right to access employee mailboxes. In line with the principle of accountability, the NAIH requires employers to set out the exact conditions of such access and monitoring, including archiving and retention periods.
Employers must also ensure that the entire process is aligned with the GDPR (eg, the principles of lawful, fair and transparent processing and data minimisation). These principles mean – among other things – that employers must:
- inform employees in advance of such access;
- ensure that employees can be present; and
- ensure that employees are well informed of their rights.
It also helps if the whole process is documented and employers keep minutes of any access to an employee's mailbox.
Based on the recent decisions, employers that have not yet done so should develop internal rules and guidelines on the use and monitoring of employee mailboxes, as the NAIH's practice seems to be stricter than before.
This article was first published on International Law Office.