MONITORING THE COMPANY E-MAIL ACCOUNT - DECISION OF THE HUNGARIAN DATA PROTECTION AUTHORITY
11 December 2019
In its recently published decision, the Hungarian Data Protection Authority (NAIH) dealt with the use of the corporate e-mail account for private purposes and the monitoring of that account. As the topic can affect every employer that provides its employees with an e-mail account for work purposes, we summarize the most important conclusions of the decision in this short article.
In the case underlying the decision, an employee filed a complaint against his former employer with the Data Protection Authority. The employee claimed that his employer had examined his corporate e-mail account and the content of his company computer. The employee also used the devices for private purposes and stored several items of personal data on them.
The employer had to examine the devices and the e-mail account because information stored on the devices was necessary to deal with ongoing matters while the employee was on sick leave. During the examination, the employer found that the employee had accumulated numerous unfinished cases, and it therefore examined the devices further in order to mitigate damage.
It should be mentioned that the employer had no written policy on the use and monitoring of corporate computer devices, so it was not regulated whether employees could use their corporate e-mail accounts for personal purposes. In addition, the employer did not notify the employee about the examination.
2. Relevant statements of the Data Protection Authority
In its decision, the Data Protection Authority first established that the employer becomes a data controller with regard to the personal data generated in private correspondence and stored in the employee's company e-mail account, regardless of whether e-mail use for private purposes was allowed.
According to the Authority, data processing is a question of fact in such a case, because the employer has to take into account that the employee will use the corporate e-mail for private purposes despite the prohibition, and that third parties who are not subject to the prohibition can send private messages to that e-mail account.
Further, the Data Protection Authority highlighted that monitoring the corporate e-mail account can have a necessary, proportionate and lawful aim where the employer wishes to ensure adequate substitution and protect its economic interests by ensuring the continuous management of cases while an employee is absent. The Data Protection Authority also emphasized that, in such cases, the legal basis of the data processing is the legitimate interest of the employer.
3. Infringements committed by the employer
In this case, there was no doubt that the employer was a data controller in connection with the personal data stored in the former employee's corporate e-mail account. Although the Data Protection Authority accepted that the employer examined the corporate e-mail account for legitimate purposes, several aspects of the data processing breached the GDPR.
First, the employer's data processing was unfair because it did not ensure the presence of the employee during the examination. With a few exceptions, data processing is fair only if the employer notifies the employee in advance about the examination and gives him or his representative the opportunity to be present.
Furthermore, the employer should have regulated the monitoring of the devices, defining the possible reasons for monitoring, who may carry out the examination and how, the rules of the procedure, and the rights and remedies of the employee.
4. The sanction and the influencing factors
On the one hand, the Data Protection Authority imposed obligations on the employer (e.g. regulating the use and examination of the corporate e-mail account); on the other, it imposed a fine of HUF 1.000.000.
The Data Protection Authority assessed as aggravating circumstances that the employer made it difficult for the employee to exercise his rights (e.g. failure to ensure his presence) and that the employer acted with gross negligence (e.g. lack of proper regulation and prior notification).
However, among other factors, the Authority assessed as mitigating that during the procedure the employer did not access confidential information related to the private life of the employee, and that the employee contributed to the situation by not separating his personal and work-related activities.
The most important lesson of the decision is that, according to the Data Protection Authority, employers are considered data controllers regarding personal data stored in the corporate e-mail account even if they have explicitly prohibited private correspondence.
This can create a difficult situation for the employer, as it must ensure the lawfulness of data processing which it does not control. In addition, we note that the Labour Code has prohibited the use of corporate devices for private purposes since April 2019.
What you can still do, and in fact need to do, as an employer in this ambiguous situation is to lay down the circumstances in which company devices are monitored and to inform your employees in advance about the possibility of such monitoring.