June 2022 – On 23 May 2022, the Turkish Personal Data Protection Authority (“Authority”) issued a decision (“Decision”) on the power of employers to access employee corporate e-mail accounts. In the Decision, the Authority examined the complaint of an employee who claimed that their employer, as a data controller, monitors their corporate e-mail address. The Authority ruled that the employer violated the Data Protection Law (“DP Law”) and imposed a monetary fine of TRY 250,000 (approx. EUR 14,215).

Background

During a lawsuit, the employer submitted the contents of e-mails including the personal correspondence of the employee with their fiancée, personal bank account statements and expenditure records of the employee as evidence.

The employee then filed a complaint with the Authority, claiming that the employer monitors their e-mail account without having informed them that the corporate e-mail account should not be used for personal purposes and that it may be examined by the employer, and that such processing activity is therefore unlawful.

What the Authority states in its Decision

The Authority made references to decisions of the European Court of Human Rights and the Turkish Constitutional Court regarding an employer's monitoring power and stated that:

  • E-mail addresses, private correspondence, personal bank account statements, and expenditure records constitute personal data as they make a person identifiable directly or indirectly.
  • Employers need to conduct a balancing test between the benefit they expect from such activity and the fundamental rights and freedoms of employees. If the benefit to the employer is overridden by the employees' rights, then the employer must not conduct such monitoring activity.
  • If an employer decides to conduct such monitoring activity, it must fulfil its obligation to inform its employees in advance that it monitors employee correspondence and other communication activities.
  • Employers also need to determine the scope of communication monitoring and the degree of interference to be made to employee privacy.
  • Employers must have legal grounds to monitor the communication of employees and to access the contents of such communication. In particular, the monitoring of the contents of communication requires clearer legal grounds.
  • If there is a less intrusive method and/or measure, employers must not directly access the content of employee correspondence.
  • Employers must use the data obtained from monitoring activities in compliance with the monitoring purposes.

The Authority also evaluated cross-border data flows

The employee also claimed that the employer stores the personal data of employees and customers on a foreign cloud system (i.e., OneDrive). As this server is located outside of Turkey, the employee alleged that the employer unlawfully transfers personal data outside of Turkey.

In this respect, the Authority decided to initiate an ex officio investigation regarding the employee's assertion that the employer transfers personal data outside of Turkey, since they use the Microsoft cloud system OneDrive.

Conclusion

The Authority determined that the employer did not fulfil its obligation to inform the employee regarding its monitoring activity and that there is no legal ground to examine the e-mail account of the employee. Accordingly, the Authority imposed a monetary fine of TRY 250,000 (approx. EUR 14,215) on the employer.

Follow this link (in Turkish only) for the full text of the Decision.
