Legal compliance with the General Data Protection Regulation (GDPR) of the European Union is one of the key areas of personal data management in connection with employment. In our earlier article we wrote about the proper management of personal data before employment; in this article, to help prepare for the GDPR, we summarise the most important rules on checking email accounts used for business purposes, which also involves personal data management, paying special attention to the practices of the National Authority for Data Protection and Freedom of Information (hereinafter referred to as: NAIH) in Hungary.
Prepare an internal policy!
It is common practice for employees to use their work email accounts for personal correspondence without authorisation, which can cause problems. During checks of the email accounts, the employer may gain access to personal information of the employee as well as of other people (non-employees) who appear in the private emails. A further issue is that the other party (a non-employee) to the private correspondence is not aware that a third person (the employer) is entitled to review their emails. According to the NAIH, to resolve such issues it is vital for the employer to have an internal policy which, for the use and monitoring of email accounts set up for work purposes, defines at least the following:
- whether the email account set up by the employer is to be used exclusively for work purposes, or whether the employee may use it for private correspondence as well;
- rules for making and keeping backup copies;
- when emails are permanently deleted;
- rules for monitoring procedures.
According to the NAIH, positive conduct by the employer is of paramount importance for the purposes of establishing proper data management practices. It is considered good practice if the employer draws the attention of employees to compliance with the provisions of the internal policy at regular intervals, e.g. in the form of system notifications.
Employees must be notified before checking email accounts begins
Before checking an email account, employers must notify the employee concerned of, among other things, the following:
- why, and in what employer interest, the check is being carried out (e.g. reasonable suspicion that business secrets have been breached);
- who is present during the check (e.g. Head of IT Department, HR manager), and who is entitled to carry out the check on behalf of the employer;
- what steps the check comprises and exactly how it is carried out;
- what rights employees have during the check, and what legal remedies are available to them in connection with the data management involved in checking their email account.
Main rules for checking email accounts
When checking employees' email accounts used for work purposes, the employer must observe the following rules to protect personal employee information, in view of the requirement that the employee be present in person and of the step-by-step principle:
- The check must be carried out in the presence of the employee concerned and minuted.
- The person conducting the check must review the email interface on the basis of the available information and, in line with the step-by-step principle, filter the emails by email address, subject, time of sending and attachment size in order to select those the employer wishes to inspect.
- If the employer does not allow the work email account to be used for personal purposes, the main rule is that the check may only proceed until it is established that the employee did not follow the employer's instructions. The employer is not entitled to read the content of the private emails. In Hungary, detecting the non-compliance itself provides sufficient grounds for labour law consequences.
Observing the above rules and implementing them in practice when checking email accounts used for work purposes is an important part of legal compliance with GDPR requirements.
If you are interested in checking whether your company’s data management policy – related to checking email accounts or any other issues – complies with GDPR requirements, please contact us and we will review your current practices in a data protection due diligence.