Recent developments in the legislative and regulatory framework governing the processing of personal data of natural persons, spearheaded by the entry into force of Regulation (EU) 2016/679 (the "General Data Protection Regulation" or simply "GDPR"), seek to give data subjects a greater degree of control over their personal data while at the same time imposing more stringent obligations on data controllers and data processors. At national level, the GDPR is complemented by the provisions of the Protection of Natural Persons Against the Processing of Personal Data and the Free Transmission of Such Data Law, L.125(I)/2018 (the "Law"). For the purposes of this article, the GDPR and the Law are jointly referred to as the "Data Protection Legislation".
Personal information pertaining to employees processed by the employer in the course of the employment relationship is a subject that often leaves employers scratching their heads when trying to reconcile the interests of their business with the rights expressly afforded to employees in their capacity as data subjects under the Data Protection Legislation.
More specifically, in the context of the employment relationship, an employee is expected to provide the information the employer requires for the performance of the contract of employment, including, among other things, the employee's social insurance number, contact details and the details of the bank account into which the employee's salary will be paid. The provision of such information by the employee is not especially controversial, provided of course that the employer processes it in a manner compatible with the Data Protection Legislation. At the same time, however, the realities of the employment relationship may give rise to more difficult questions which call for a cautious approach when balancing the rights of the employer against those of the employee.
In this regard, an interesting question arises with regard to the email accounts of employees and former employees and, more specifically, when and under which circumstances the employer may access them without running the risk of falling foul of the Data Protection Legislation. This question is the subject of Opinion 1/2019 (the "Opinion") issued by the Commissioner for Personal Data Protection (the "Commissioner") in her capacity as the supervisory authority tasked with monitoring compliance with the Data Protection Legislation. The Commissioner's authority to issue opinions on any matter concerning the processing of personal data derives from Article 58(3)(b) of the GDPR.
It is stressed from the outset that the Opinion concerns persons to whom the employer has provided an email address strictly for business use in the course of the employment; these persons include (a) former employees, (b) current employees who are absent for an extended period of time and (c) former and current employees who are reasonably suspected of involvement in the commission of an offence or offences. It is worth noting that the scope of the Opinion also extends to (a) other electronic means of communication or electronic equipment made available to the employee for use in the course of the employment, such as mobile phones and handheld devices (tablets), and (b) data deleted by the employee which nonetheless remain stored in backup copies or other secure locations to which the employer has access.
The Opinion urges employers to take precautionary measures with a view to limiting the instances in which the employer needs to access messages in an employee's email account. In this context, the employer is expected to ensure that incoming and outgoing business emails remain accessible other than through the employee's own account, for instance by storing them on an email server to which only an authorised user has access.
Notwithstanding such precautionary measures, the employer may still need to access the email account of an employee or former employee in certain cases. Where access to the account, and processing of the data stored in it, is necessary in order to:
- ensure the seamless operation of the business,
- protect the interests, property and managerial rights of the employer,
- organise and monitor the performance of a particular task or of turnover, and in particular monitor expenditure, or
- investigate possible offences,
the Opinion suggests that such processing may be permissible provided that the following conditions are met:
(a) at least one of the legal bases for processing laid down in Article 6(1)(b) to (f) of the GDPR applies,
(b) the employer has adopted a written policy laying down clear procedures for accessing the email accounts of employees / former employees and for processing the information stored in them (the "Policy"),
(c) the employer has informed employees of the purpose and scope of the Policy at the commencement of their employment, in a concise, easily accessible and intelligible form, using clear and plain language,
(d) the employee / former employee is specifically notified of the employer's intention to access the email account,
(e) the employer processes any such data in accordance with the fundamental principles of processing set out in Article 5 of the GDPR, specifically:
(i) the principle of lawfulness, fairness and transparency,
(ii) the principle of purpose limitation,
(iii) the principle of data minimisation,
(iv) the principle of accuracy,
(v) the principle of storage limitation,
(vi) the principle of integrity and confidentiality,
(vii) the principle of accountability, and
(f) the email messages are read in the presence of the employee / former employee, unless this is not feasible, would require disproportionate effort, or an administrative investigation or disciplinary procedure is underway.
The Policy must, at the very least, include the following information:
(a) whether sending emails for personal reasons from terminals installed in the workplace is permissible, the penalties associated with such use of the business email account and, where possible, the provision of appropriate means for employees to attend to personal email correspondence in their spare time,
(b) the purpose of, and the manner in which, the employer will access the email account and the information stored in it,
(c) the categories / capacities of persons allowed to have access,
(d) any recipients to whom the data may lawfully be communicated,
(e) the legal basis for the processing,
(g) where the legal basis relied on is the legitimate interests of the employer pursuant to Article 6(1)(f) of the GDPR, the nature of the legitimate interest pursued by the employer or by a third party,
(h) where the personal data may be communicated to a third-party recipient, the employee / former employee must be notified no later than the first time the data are communicated to that recipient; and where the employer intends to process the data for a purpose other than that for which they were originally collected, the employee / former employee must be provided with all material information before any such processing takes place, and
(i) departing employees must be informed whether, for how long and for what purpose their email account will remain active.
The notification obligations in points (a) to (i) above do not apply where the information in question is already at the employee's disposal, where the recording or communication of the data is expressly provided for by law, or where providing the information to the employee / former employee is not feasible or would require a disproportionately onerous effort on the part of the employer.
In an attempt to insulate themselves from liability, some employers require employees to sign data processing consent forms, on the rationale that any processing based on such consent will be considered lawful. However, given the particular nature of the employment relationship, in which the employer is acknowledged to negotiate from a position of strength (so that the presumption of equal bargaining power that applies to most contractual relationships does not apply here), consent forms signed by an employee in the course of their employment will not, as a rule, be considered valid consent for the purposes of the Data Protection Legislation.
Source: Opinion 1/2019 issued by the Commissioner for Personal Data Protection, available in Greek as "2019-access to email accounts by the employer.pdf" (dataprotection.gov.cy).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.