28 June 2024

It is a common practice to provide your employee with a corporate e-mail account for working purposes. In some cases, the employer needs to examine the employee’s e-mail account, for example to ensure the continuous management of cases during the absence of the employee. How can you legally monitor your employee’s e-mail account? Here are five things to consider.

1. Usage for private purposes

First, you need to decide whether you allow your employees to use their corporate e-mail account for private purposes. It is important to know that even if you do not allow the e-mail address to be used for private purposes, you still process personal data; however, the amount and the sensitivity of the processed personal data are not the same.

As a starting point, based on the Hungarian Labour Code, IT devices and systems such as an e-mail account provided by the employer to the employee for working purposes may only be used for the performance of work. However, the employer and the employee may agree that the employee can use the e-mail address for private purposes.

Overall, we do not recommend allowing private use because it might unnecessarily increase the amount of the data processed and the data protection related risks.

2. Purpose

When the employer decides to monitor the employees’ e-mail account, he must specify in advance the possible purposes of monitoring.

Lawful purposes might be, without being exhaustive, ensuring data security, investigating and assessing breaches of employment-related obligations (e.g. a breach of the employer’s instructions) or investigating and assessing the employee’s potential liability.

As mentioned in the introduction, ensuring business continuity (e.g. access to the correspondence of the employee during sick leave) may also be a lawful purpose, one recognized even by the Hungarian Data Protection Authority.

3. Legal basis

According to the Hungarian Data Protection Authority, the legal basis of the monitoring shall be the legitimate interest of the employer.

This means that the employer needs to carry out a legitimate interest assessment test to check whether there is a balance between the employee’s right to private life and the employer’s interest, and to justify the necessity of the monitoring.

4. Detailed procedural rules

In order for the monitoring to be lawful, the employer must draw up detailed procedural rules. We recommend that at least the following should be set out in the procedure:

- what is covered by the check (which folder, which e-mail; based on the principle of proportionality, first only the subject of the e-mail, to decide whether it is relevant),

- who can carry out the check (whether an external person may be

- how the presence of the employee is ensured, how the employee is notified about the individual monitoring, and in what cases the presence of the employee can be waived (e.g. if immediate action is required or if the purpose of the inspection would be defeated by the presence of the employee).

5. Employee notification

Last but not least, the monitoring may only be lawful if the employees are notified in accordance with Articles 13-14 of the GDPR.

The notification shall include the above details (purpose, legal basis, procedural rules) as well as the employees’ data protection related rights.

6. Summary

To summarize the above, if you as an employer plan to monitor your employees’ corporate e-mail accounts, you need to set up the detailed rules, including the legitimate purposes and the procedural rules of monitoring.