In the last six months, the Hungarian Data Protection Authority (“NAIH”) has imposed a total of approx. EUR 5,000 in data protection fines for the private use of corporate email accounts, in three cases. Those decisions were made in connection with employers checking employees’ email accounts and accessing them. Though the individual fines remain below the NAIH's largest fine to date of HUF 100 million, the issues raised in the decisions are relevant to all companies and other organizations that provide corporate email accounts for their employees. In the cases in question, the NAIH found shortcomings in relation to a lack of prior notification and the inadequate provision or non-provision of access rights. Below, we explain the grounds for these fines and how to avoid them, and we raise a counter-argument to the NAIH’s view that an employer and an employee are joint controllers with respect to the employee’s private emails.
Legal grounds of data processing
Based on the lessons learned from the cases concerned, the performance of an employment contract, or even a legal obligation, cannot be the legal basis of monitoring of corporate email accounts. Therefore, according to the NAIH, in the case of data processing for the purpose of monitoring an employee's work, the legal basis may be a legitimate interest in accordance with Article 6(1)(f) of the GDPR. In the case of public authorities in the service of the general interest, the NAIH also considers that the legal basis under Article 6(1)(e) of the GDPR is applicable, according to which the processing of personal data is lawful if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
With regards to legitimate interest as a legal basis, the NAIH essentially expresses a twofold expectation: on the one hand, a general legitimate interest assessment must be carried out before introducing the monitoring of email accounts, and on the other hand, the employer must inform employees before it engages in specific monitoring of email accounts, in a quasi-supplementary, additional legitimate interest assessment that includes the interest of the employer to apply such monitoring, as well as information on the employee’s right to object. The former expectation is self-evident and feasible in the vast majority of cases. However, the latter is a more serious challenge since, due to the nature of internal monitoring, any prior notification could seriously jeopardize the effectiveness thereof.
Additionally, email accounts are usually monitored using technological methods that are partly automatic, and so a data protection impact assessment may be required.
The employer and the employee as joint controllers?
In the above-mentioned decisions, the NAIH uses the same reasoning (and wording) concerning data processing relating to e-mail accounts used for private purposes, suggesting that both the employee and the employer are data controllers of private correspondence. The NAIH considers that because “the employer has the primary responsibility for the lawfulness of data processing”, the employer and the employee may be in joint controllership.
However, the NAIH draws no definitive conclusion from the above, even though this reasoning appears with similar wording in all its decisions. Joint controllership can be a significant additional administrative burden for the employer, because in the case of joint controllership (under Article 26 of the GDPR) the two data controllers must conclude an agreement in which they have to: 1) determine their respective responsibilities with regard to exercising the rights of the data subjects and their respective duties to provide information on the essence of the agreement to the data subjects (including the employee’s private correspondents) and 2) designate a contact person for the data subjects. The question arises as to whether this really means that employers must enter into a joint controllership agreement with each of their employees who have a corporate e-mail account and that each recipient and sender must be provided with some sort of information about the essence of the agreement and the contact person. As mentioned, the NAIH has not gone so far as to explicitly rule on this, but if we take joint controllership seriously, it does entail these obligations.
However, as an “escape route”, the NAIH also notes that “the employer is always a data controller and the employee is – at least from a legal point of view – not necessarily.” But the meaning of the latter is not explained by the NAIH, which is strange, since an administrative decision must necessarily be based on an interpretation of the law. The most obvious interpretation is that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity [Article 2(2)(c)]. [Section 2(6) of the Hungarian Info Act, which, incidentally, does not apply to data processing covered by the GDPR, contains a similar provision: the provisions of the Info Act do not apply to the processing of data by a natural person solely for his own personal purposes.] Accordingly, if employees are allowed to use corporate e-mail accounts for private purposes, their data processing does not fall within the scope of the GDPR and therefore cannot be subject to a joint controllership.
Main takeaways based on the decisions
- The employment agreement or internal policies should clearly regulate whether or not employees are allowed to use their corporate email address for private purposes.
- The internal policy on the use of email accounts made available to employees should regulate the backup, retention and deactivation of email accounts, and should indicate when emails will be permanently deleted, in addition to the rules on prohibiting or allowing private use. In addition, detailed rules must be laid down for monitoring and reviewing the use of email accounts: who within the organization is entitled to do so, in what way, and what rights an affected employee has during this procedure.
- If the employer does not prohibit employees from using their corporate email accounts for private purposes, in accordance with the interpretation of the NAIH, the employer and employees may be considered joint controllers in respect of the private correspondence of employees, which may result in a significant and unrealistic administrative burden.
- Employers must ensure that employees have access to their private correspondence, especially before the emails in question are deleted by the employer, or that employees themselves are able to ask the employer to delete them. According to the NAIH, private emails may be sorted in two ways: the employees can send a list of their private emails, or those emails can be sorted by the employee and the employer together.
- The employee's access right does not cover non-private, i.e. corporate, e-mails, since they may also contain trade secrets. The purpose of exercising the right of access is therefore to access private correspondence; using emails, e.g., in an employment dispute against the employer does not serve this purpose.
- Privacy notices should include the purposes of monitoring the employees' IT devices (e.g. internal investigations, disciplinary grounds, etc.) and the appropriate legal basis for the further processing (archiving) of the data after the termination of employment.
- The employee or their representative must be present when the employer accesses the employee’s data, even if the employee no longer performs work at the employer.
- Employers are required to keep records of access to data.
Decisions of the NAIH concerned (in Hungarian):