In the landscape of corporate operations, accessing employee emails may sometimes feel like a necessity for companies. Whether to investigate suspected misconduct of current employees, facilitate operational management during an employee’s prolonged absence, or streamline the transition after an employee departs, the reasons can be varied. However, this task is not straightforward as there are many complexities involved, especially when considering the rules set forth by the General Data Protection Regulation (GDPR).
It is Not a Free-For-All
While the corporate email address might be perceived as fair game due to being provided by the employer and used in the professional context, this is not the case. Corporate emails always contain vast amounts of personal data, triggering the full spectrum of GDPR rules. Moreover, corporate inboxes can routinely contain private (non-business) information of employees, who may have used the email address to send and receive messages outside of their work tasks. Even though the email address is – in principle – associated with a professional setting, the privacy and rights of the individual behind the address must be safeguarded.
Applicable legal basis
Every processing of personal data must rely on one of the legal bases established by the GDPR.
Some employers try to justify access to employees’ emails on the basis of the employment contract between them. However, the reality is not that simple. Accessing an employee’s emails is generally not necessary for the performance of the employment contract, which makes this legal basis hardly applicable in such scenarios.
Another legal basis that is sometimes considered for this situation is the employee’s consent. While it could work in some situations, it also has several downsides. First, it is typically difficult to obtain valid consent from employees, since the hierarchical relationship between the parties can undermine its voluntariness. An employee may feel forced to give consent to please the company, which immediately renders the consent invalid. Collecting valid consent from employees is therefore a complex matter: the employer must be able to prove that employees were not pressured and were offered genuine alternatives, which is not always the case. Second, consent is not guaranteed to be obtained. For example, employees are unlikely to consent to access to their emails when the purpose is to gather evidence against them for suspected misconduct. Furthermore, consent can be withdrawn at any time, making it a less-than-sure basis for processing. Finally, in the case of former employees, it may be impossible to obtain consent if there is no way to contact them.
Another possible basis for accessing emails is the legitimate interest of the company. This basis requires performing a legitimate interest assessment in which a valid purpose for the access is identified, the necessity and proportionality of the processing are analyzed, and the rights of the data subjects are considered to determine whether the rights and freedoms of data subjects override the interests of the company. This legitimate interest assessment is a technical analysis that requires deep knowledge of privacy regulations and is better done by an expert on the subject.
Authority Decisions: Lessons from Europe
Several decisions by European authorities provide valuable insights into the intricacies of accessing employee emails. Some of the most enlightening ones are the following.
Three decisions by the Hungarian Data Protection Authority (1, 2, 3) emphasized the importance of having an internal policy governing the use and control of email accounts. Employers are advised to inform employees in advance about plans to access their inboxes, giving them an opportunity to manage their data and allowing them to be present during the process or to send a representative to protect their interests.
In June 2021, the Norwegian Data Protection Authority fined an employer 13,000 euros for accessing an employee’s email account for a period of six weeks after they left the company. The DPA stated that there was no legal basis to justify such access. This authority has also published rules on email inspection: the employer must have a legitimate interest, access to the emails must be necessary to pursue this interest, and the employer’s interest must outweigh the impact on the employee. The employer’s legitimate interest can consist in safeguarding the operation of the business or in a reasonable suspicion that the employee’s use of the material may result in a gross breach of their duties.
The Italian DPA imposed a 10,000-euro fine for continuing to use an employee’s email account after the termination of the employment relationship and accessing 34,000 emails. The DPA quoted several European Court of Human Rights decisions to establish that the protection of privacy also applies to the workplace. The DPA criticized that the company had not informed the complainant in advance of the processing to which the email account would be subject and that, at the time of the termination, the company had not adopted any regulations for the use of IT tools. This infringed the general principle of lawfulness, fairness and transparency in the GDPR, which requires employers to keep employees informed about these matters.
In this case, it is noteworthy that, following the conclusion of the employment relationship, the employer implemented an internal policy regarding IT tools. According to the policy, upon termination of employment, the company email would stay active for six months and be accessible to a designated individual within the company solely for message reception. This individual would then either share the contents with other employees or delete the messages based on their content. The DPA pointed out that this wording conflicted with the principle of data minimization, thereby violating the GDPR.
A decision by the Regional Labor Court (Landesarbeitsgericht) of Baden-Württemberg in Germany studied the admissibility of using emails as evidence in judicial cases against employees. The court explained that if the employer only permits work-related use of communication tools, they have broader – albeit not absolute – access rights. However, if private use is allowed or tolerated, accessing emails requires informing the employee in advance, providing the opportunity to store private messages separately, and prohibiting covert analysis.
The case, which we described in detail in a previous blog post, emphasizes the importance of clearly regulating the use of communication tools, preferably through written agreements, and highlights the need for careful communication policies and restrictions on employer access to private communications.
A Cautionary Approach to Email Access
In light of these decisions, companies must approach email access with extreme caution. Here are some tips:
- Transparency is key: Craft a comprehensive policy detailing the rules for the use and control of communication tools, email accounts and computing devices. If possible, inform employees in advance about any plans to access their inboxes, providing them an opportunity to safeguard their private information and participate in the process.
- Establish a Legal Basis: Ensure there is a legitimate and applicable legal basis for accessing employee emails, as outlined in the GDPR. If the access is based on legitimate interest, make sure to craft a solid legitimate interest assessment after an exhaustive analysis of the impact of the processing on data subjects’ rights and freedoms.
- Minimize Data Access: Adhere to the data minimization principle, accessing only the information necessary for the intended purpose. Blanket authorizations to access an employee’s whole inbox should be avoided.
- Each Case is Different: Email access is typically a high-impact processing activity for the rights and freedoms of data subjects. There are no set-in-stone rules for this, and slight variations in the facts may lead to different legal repercussions. Even if a policy is already in place, it is better to always consult expert advisors specializing in data privacy matters before proceeding.
- Keep in Mind Other Regulations: Accessing emails is not regulated solely by privacy laws; other legal aspects come into play. Depending on your country, be aware of telecommunications regulations and labor law provisions that may impose additional requirements for email access. In specific jurisdictions, involving Workers’ Councils may be necessary.
Navigating the GDPR demands a meticulous and informed approach to ensure compliance while respecting the privacy rights of employees. In case of any ambiguity, FIRST PRIVACY and the other companies of the DSN GROUP can provide you with tailored solutions.