Attention employers! Do you lack a company e-mail and archiving policy? Do you allow or tolerate the private use of company e-mail? Have you ever accessed and/or restored an (ex-)employee’s e-mail box to search for a document or a past correspondence with the client? If yes, you have a high risk exposure to GDPR fine.
The Hungarian Data Protection Authority (hereinafter: NAIH) has recently published two decisions in this topic. Although the GDPR fines imposed on the given employers have been emblematic yet, this attitude may change in the future as the GDPR awareness grows.
What were these two cases?
In the first case under no. NAIH/2019/769, NAIH imposed a fine of HUF 1,000,000 on the employer because the company devices (PC and laptop) as well as the e-mail box of an employee was checked during his sick leave.
According to the employee, he used his company e-mail for private purposes. Thus, private phone numbers, messages, passwords and browse history was accessible for the employer. The employee claimed that he has not received any notification prior to the employer’s actions. Consequently, he has not had the chance to delete his personal data. NAIH did not accept the employer’s argument that the employer did not know about the private use or the employer’s denial that it would have become familiar with any personal data of the employee.
In the second case under no. NAIH/2019/51/11, NAIH imposed a fine of HUF 500,000 on the employer because an ex-employee’s e-mail box was restored in order to search for a work related document. Similarly, the employee was not informed in advance and he did not have the possibility to copy and delete his personal information. NAIH did not accept the employer’s explanation that the employee got a training on the e-mail system or that the search was specified by sender and subject and after all it was unsuccessful.
What does the GDPR say?
GDPR does not say how to store and/or archive e-mails. Instead, it determines the basic principles to be followed when it comes to personal data processing.
As we can see from the above two examples, when it comes to e-mail, the critical point is erasure.
Article 5(e) of the GDPR sets forth that personal data can be stored for no longer than is necessary for the purposes for which the personal data are processed. In accordance with this, Article 6 of the GDPR lists the available legal basis for personal data processing from among which the data processor shall pick the best fit with a view on the purpose of personal data processing. In addition, Article 17 of the GDPR highlights the so called right to be forgotten.
The devil is in the detail
A lot of employees never delete e-mails because they might need them someday. Although this seems reasonable, the more e-mail is restored, the bigger risk exposure for the employer if there is a data breach.
If – on top of this – the private use of company e-mail is allowed or tolerated by the employer, the risk and volume of potential data breach gets even bigger.
What to do in order to mitigate GDPR risks?
- Review the e-mail utilization and archiving practice at your company
- Explore if there are any (up-to-date) internal policies on e-mail utilization and retention
- Evaluate whether you have a legitimate purpose and legal basis for e-mail retention and to what extent
- Analyse if you can balance the employer’s legitimate business interests against its data protection obligations under the GDPR
- Set up an e-mail utilization and archiving strategy for your company and introduce / update the relevant internal policies
For more details and questions please contact our leading attorney who is trained in employment related GDPR issues. It is as simple as that: We make employment law work for you.
