Blog » MONITORING THE COMPANY E-MAIL ACCOUNT - DECISION OF THE HUNGARIAN DATA PROTECTION AUTHORITY
MONITORING THE COMPANY E-MAIL ACCOUNT - DECISION OF THE HUNGARIAN DATA PROTECTION AUTHORITY
11 December 2019
In its recently published decision, the Hungarian Data Protection Authority (NAIH) has dealt with the questions of the usage of the corporate email account for private purposes and the monitoring of the e-mail account. As the topic can affect every employer, who provides an e-mail account for its employees for working purposes, we summarize the most important conclusions of the decision in our short article.
In the case which is the basis of the decision, an employee made a complaint against its former employer at the Data Protection Authority. The employee claimed that his employer examined his corporate e-mail account and the content of his company computer. The employee used the devices also for private purposes and stored several personal data on the devices.
The Employer had to examine the devices and the e-mail account, because information stored in the devices was necessary in order to deal with ongoing issues while the employee was on sick leave. During the examination, the employer faced with the fact that the employee accumulated numerous unfinished cases, therefore it did further examination on the devices as a mitigation of damage.
It shall be mentioned that the employer had no written policy about the usage and monitoring of corporate computer devices, so it was not regulated, whether the employees can use their corporate e-mail accounts for personal purposes or not. In addition, the employer did not notify the employee about the examination.
2. Relevant statements of the Data Protection Authority
In its decision, primarily the Data Protection Authority established that the employer becomes a data controller with regard to the personal data generated in private correspondences and stored on the company e-mail account of the employee, regardless that the e-mail usage for private purposes was allowed or not.
According to the Authority, the data processing is a question of fact in such case, because the employer has to take into account that the Employer will use the corporate e-mail for private purposes despite the prohibition and that third parties can send private messages to that e-mail account, who are not subject of the prohibition.
Further, the Data Protection Authority highlighted that it can be the necessary, proportionate and lawful aim of the monitoring of the corporate e-mail account that the employer would like to assure the adequate substation and protect his economic interest by ensuring the continuous management of the cases while an employee is absent. Besides, the Data Protection Authority emphasized that, in such cases, the legal basis of the data processing is the legitimate interest of the employer.
3. Infringements committed by the employer
In this case, there was no doubt that the employer was considered as data controller in connection with the personal data stored in the corporate e-mail account of the former employee. Although the Data Protection Authority accepted that the examination of the corporate e-mail account by the employer was carried out for legitimate purposes, more aspects of the data processing breached the GDPR.
Primarily, the data processing of the employer was unfair because he did not ensure the presence of the employee during the examination. Fair data processing can be realized only, with a few exceptions, if the employer notifies the employee in advance about the examination and provide the possibility for him or his representative to be present at the examination.
Furthermore, the employer should have regulated the monitoring of the devices, defining the possible reasons of monitoring, who and how can carry out the examination, the rules of the procedure and the rights and remedies of the employee.
4. The sanction and the influencing factors
On the one hand, the Data Protection Authority imposed obligations for the employer (e.g. regulation of the usage and examination of the corporate e-mail account), while on the other, the employer imposed a fine in the amount of HUF 1.000.000.
The Data Protection Authority assessed as aggravating circumstances that the employer made it difficult for the employee the exercise his rights (e.g. failure to ensure the presence) and that the employer acted with gross negligence (e.g. lack of proper regulation, prior notification)
However, among others the Authority assessed as a mitigating factor that during the procedure the employer did not access to confidential information related to the private life of the employee and that the employee contributed to the situation as he has not separated his personal and work related activities.
The most important lesson of the decision is that according to the Data Protection Authority the employers are considered as data controllers regarding the personal data which are stored at the corporate e-mail account even if the employers explicitly prohibited the private correspondence.
This can create a difficult situation for the employer thus it shall ensure the lawfulness of a data processing which he does not control. In addition, we mention that the Labour Code prohibits the usage of corporate devices for private purposes since April 2019.
What you can still do and in fact need to do in this ambiguous situation as an employer, is that you lay down the circumstances of the monitoring of company devices and provide the necessary information in advance to your employees about the possibility of the monitoring of company devices.
HOW TO SET UP A COMPANY IN HUNGARY FROM ABROAD?
Hungary is a popular target for investing in the Central Eastern European region thanks to the 9% tax on capital gains for SMEs and 15% personal income tax for individuals, which tax rates are among the lowest for both businesses and private individuals across Europe. However, there are extra requirements for foreigners that are important to pay attention to. In order to avoid unpleasant surprises, we would like to draw your attention to the following when you are setting up your company in Hungary as a foreigner.Read more »
HUNGARY: WHY HIRE A LAW FIRM TO COLLECT DEBT INSTEAD OF A COLLECTION AGENCY?
In the recent years of crisis, it's becoming more and more common that your business partners fail to pay your invoices. After getting bored of their excuses or silences, there comes a time when you have to put pressure on your debtor. At that point, you either hire a law firm or turn to one of the many debt collection agencies offering “simple and cheap, yet efficient” solutions. But are the latter solutions really that effective? Is it worth entrusting a debt collection agency in Hungary? In our article, we bring up three reasons why you should hire rather a law firm in Hungary instead of a collection agency.Read more »
TRADE SECRET THEFTS IN HUNGARY – WHICH COURT PROTECTS EMPLOYERS’ RIGHTS?
Trade secrets are protected on more levels in Hungary. While the Business Secret Act provides general protection, the Labour Code protects the business secrets of employers in the employment context. Yet this abundance can cause problems when it comes to the question which court is competent to protect employer’s rights in case of theft of trade secrets by an ex-employee. Can an employer file a damage claim against an ex-employee and a competing company as co-defendants in front of the commercial court? Or is it the labour court which is competent to hear the case? A fresh decision of the Hungarian Supreme Court, analysed in this short article, deals with these questions.Read more »