11 December 2019

In its recently published decision, the Hungarian Data Protection Authority (NAIH) addressed the use of corporate e-mail accounts for private purposes and the monitoring of such accounts by the employer. As the topic concerns every employer that provides its employees with an e-mail account for work purposes, we summarize the most important conclusions of the decision in this short article.

1. Facts

In the case underlying the decision, an employee lodged a complaint against his former employer with the Data Protection Authority. The employee claimed that the employer had examined his corporate e-mail account and the contents of his company computer. The employee had also used the devices for private purposes and had stored personal data on them.

The employer had to examine the devices and the e-mail account because information stored on them was needed to deal with ongoing matters while the employee was on sick leave. During the examination, the employer found that the employee had accumulated numerous unfinished cases, so it examined the devices further in order to mitigate the damage.

It should be noted that the employer had no written policy on the use and monitoring of corporate computer devices, so it was not regulated whether employees could use their corporate e-mail accounts for personal purposes. In addition, the employer did not notify the employee of the examination.

2. Relevant statements of the Data Protection Authority

In its decision, the Data Protection Authority first established that the employer becomes a data controller with regard to the personal data generated in private correspondence and stored in the employee's company e-mail account, regardless of whether the use of the e-mail account for private purposes was allowed.

According to the Authority, the data processing is a question of fact in such cases, because the employer has to take into account that the employee may use the corporate e-mail account for private purposes despite the prohibition, and that third parties who are not bound by the prohibition may send private messages to that account.

Further, the Data Protection Authority highlighted that monitoring of the corporate e-mail account can pursue a necessary, proportionate and lawful aim where the employer seeks to ensure adequate substitution and to protect its economic interests by ensuring the continuous management of cases while an employee is absent. The Data Protection Authority also emphasized that, in such cases, the legal basis of the data processing is the legitimate interest of the employer.

3. Infringements committed by the employer

In this case, there was no doubt that the employer was a data controller in respect of the personal data stored in the corporate e-mail account of the former employee. Although the Data Protection Authority accepted that the employer's examination of the corporate e-mail account was carried out for legitimate purposes, several aspects of the data processing breached the GDPR.

First, the employer's data processing was unfair because it did not ensure the presence of the employee during the examination. With a few exceptions, fair data processing is possible only if the employer notifies the employee of the examination in advance and gives the employee or his representative the opportunity to be present at the examination.

Furthermore, the employer should have regulated the monitoring of the devices, defining the possible reasons for monitoring, who may carry out the examination and how, the rules of the procedure, and the rights and remedies of the employee.

4. The sanction and the influencing factors

On the one hand, the Data Protection Authority imposed obligations on the employer (e.g. to regulate the use and examination of the corporate e-mail account); on the other hand, it imposed a fine on the employer in the amount of HUF 1,000,000.

The Data Protection Authority considered it an aggravating circumstance that the employer made it difficult for the employee to exercise his rights (e.g. by failing to ensure his presence) and that the employer acted with gross negligence (e.g. the lack of proper regulation and of prior notification).

However, among other things, the Authority considered it a mitigating factor that during the procedure the employer did not access confidential information relating to the employee's private life, and that the employee had contributed to the situation by not separating his personal and work-related activities.

5. Summary

The most important lesson of the decision is that, according to the Data Protection Authority, employers are data controllers in respect of the personal data stored in corporate e-mail accounts, even if they have explicitly prohibited private correspondence.

This can create a difficult situation for the employer, since it must ensure the lawfulness of data processing that it does not control. We also note that the Labour Code has prohibited the use of corporate devices for private purposes since April 2019.

What you can still do, and in fact must do, as an employer in this ambiguous situation is to lay down the conditions under which company devices may be monitored and to inform your employees in advance that company devices may be monitored.