In the last six months, the Hungarian Data Protection Authority (“NAIH”) has imposed a total of approx. EUR 5,000 in data protection fines for the private use of corporate email accounts, in three cases. Those decisions were made in connection with employers checking employees’ email accounts and accessing them. Though the individual fines remain below the NAIH's largest fine to date of HUF 100 million, the issues raised in the decisions are relevant to all companies and other organizations that provide corporate email accounts for their employees. In the cases in question, the NAIH found shortcomings in relation to a lack of prior notification and the inadequate provision or non-provision of access rights. Below, we explain what led to these fines and how to avoid them, and we raise a counter-argument to the NAIH’s view that an employer and an employee are joint controllers with respect to the employee’s private emails.
Based on the lessons learned from the cases concerned, the performance of an employment contract, or even a legal obligation, cannot be the legal basis for monitoring corporate email accounts. Therefore, according to the NAIH, in the case of data processing for the purpose of monitoring an employee's work, the legal basis may be a legitimate interest in accordance with Article 6(1)(f) of the GDPR. In the case of public authorities in the service of the general interest, the NAIH also considers that the legal basis under Article 6(1)(e) of the GDPR is applicable, according to which the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
With regards to legitimate interest as a legal basis, the NAIH essentially expresses a twofold expectation: on the one hand, a general legitimate interest assessment must be carried out before introducing the monitoring of email accounts, and on the other hand, the employer must inform employees before it engages in specific monitoring of email accounts, in a quasi-supplementary, additional legitimate interest assessment that includes the interest of the employer to apply such monitoring, as well as information on the employee’s right to object. The former expectation is self-evident and feasible in the vast majority of cases. However, the latter is a more serious challenge since, due to the nature of internal monitoring, any prior notification could seriously jeopardize the effectiveness thereof.
Additionally, email accounts are usually monitored using technological methods that are partly automatic, and so a data protection impact assessment may be required.
In the above-mentioned decisions, the NAIH uses the same reasoning (and wording) concerning data processing relating to e-mail accounts used for private purposes, suggesting that both the employee and the employer are data controllers of private correspondence. The NAIH considers that because “the employer has the primary responsibility for the lawfulness of data processing”, the employer and the employee may be in joint controllership.
However, the NAIH draws no definitive conclusion from the above, even though this reasoning appears with similar wording in all its decisions. Joint controllership can be a significant additional administrative burden for the employer, because in the case of joint controllership (under Article 26 of the GDPR) the two data controllers must conclude an agreement in which they have to: 1) determine their respective responsibilities with regard to exercising the rights of the data subjects and their respective duties to provide information on the essence of the agreement to the data subjects (including the employee’s private correspondents) and 2) designate a contact person for the data subjects. The question arises as to whether this really means that employers must enter into a joint controllership agreement with each of their employees who have a corporate e-mail account and that each recipient and sender must be provided with some sort of information about the essence of the agreement and the contact person. As mentioned, the NAIH has not gone so far as to explicitly rule on this, but if we take joint controllership seriously, it does entail these obligations.
However, as an “escape route”, the NAIH also notes that “the employer is always a data controller and the employee is – at least from a legal point of view – not necessarily.” But the meaning of the latter is not explained by the NAIH, which is strange, since an administrative decision must necessarily be based on an interpretation of the law. The most obvious interpretation is that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity [Article 2(2)(c)]. [Section 2(6) of the Hungarian Info Act, which, incidentally, does not apply to data processing covered by the GDPR, contains a similar provision: the provisions of the Info Act do not apply to the processing of data by a natural person solely for his own personal purposes.] Accordingly, if employees are allowed to use corporate e-mail accounts for private purposes, their data processing does not fall within the scope of the GDPR and therefore cannot be subject to a joint controllership.