MONITORING THE COMPANY E-MAIL ACCOUNT - DECISION OF THE HUNGARIAN DATA PROTECTION AUTHORITY
11 December 2019
In its recently published decision, the Hungarian Data Protection Authority (NAIH) dealt with the use of a corporate e-mail account for private purposes and with the monitoring of that account. As the topic can affect every employer who provides an e-mail account to its employees for work purposes, we summarize the most important conclusions of the decision in this short article.
In the case underlying the decision, an employee filed a complaint against his former employer with the Data Protection Authority. The employee claimed that his employer had examined his corporate e-mail account and the content of his company computer. The employee also used the devices for private purposes and stored several items of personal data on them.
The employer had to examine the devices and the e-mail account because information stored on the devices was necessary to deal with ongoing issues while the employee was on sick leave. During the examination, the employer found that the employee had accumulated numerous unfinished cases, and it therefore examined the devices further in order to mitigate damage.
It should be mentioned that the employer had no written policy on the usage and monitoring of corporate computer devices, so it was not regulated whether employees could use their corporate e-mail accounts for personal purposes. In addition, the employer did not notify the employee about the examination.
2. Relevant statements of the Data Protection Authority
In its decision, the Data Protection Authority first established that the employer becomes a data controller with regard to the personal data generated in private correspondence and stored in the employee's company e-mail account, regardless of whether e-mail usage for private purposes was allowed.
According to the Authority, data processing is a question of fact in such a case, because the employer has to take into account that the employee will use the corporate e-mail account for private purposes despite the prohibition, and that private messages can be sent to that account by third parties who are not subject to the prohibition.
Further, the Data Protection Authority highlighted that monitoring of the corporate e-mail account can have a necessary, proportionate and lawful aim where the employer wishes to ensure adequate substitution and protect its economic interest by ensuring the continuous management of cases while an employee is absent. The Data Protection Authority also emphasized that, in such cases, the legal basis of the data processing is the legitimate interest of the employer.
3. Infringements committed by the employer
In this case, there was no doubt that the employer was considered a data controller in connection with the personal data stored in the corporate e-mail account of the former employee. Although the Data Protection Authority accepted that the employer examined the corporate e-mail account for legitimate purposes, several aspects of the data processing breached the GDPR.
Primarily, the employer's data processing was unfair because it did not ensure the presence of the employee during the examination. With a few exceptions, data processing is fair only if the employer notifies the employee in advance about the examination and provides the possibility for him or his representative to be present at the examination.
Furthermore, the employer should have regulated the monitoring of the devices, defining the possible reasons for monitoring, who may carry out the examination and how, the rules of the procedure, and the rights and remedies of the employee.
4. The sanction and the influencing factors
On the one hand, the Data Protection Authority imposed obligations on the employer (e.g. regulation of the usage and examination of the corporate e-mail account), while on the other, it imposed a fine on the employer in the amount of HUF 1.000.000.
The Data Protection Authority assessed as aggravating circumstances that the employer made it difficult for the employee to exercise his rights (e.g. failure to ensure his presence) and that the employer acted with gross negligence (e.g. lack of proper regulation and of prior notification).
However, among other things, the Authority assessed as mitigating factors that during the procedure the employer did not access confidential information related to the private life of the employee, and that the employee contributed to the situation because he had not separated his personal and work-related activities.
The most important lesson of the decision is that, according to the Data Protection Authority, employers are considered data controllers regarding the personal data stored in the corporate e-mail account even if they have explicitly prohibited private correspondence.
This can create a difficult situation for the employer, as it must ensure the lawfulness of data processing which it does not control. In addition, we note that the Labour Code has prohibited the usage of corporate devices for private purposes since April 2019.
What you can still do as an employer in this ambiguous situation, and in fact need to do, is lay down the circumstances in which company devices are monitored and inform your employees in advance about the possibility of such monitoring.