E-mail of a former employee and the rights of the employer
In our previous article, we dealt with the management of an employee’s professional e-mail address (: bearing their name), when they leave their job. The reason for the relevant concerns was a recent decision of the Belgian Authority for the Protection of Personal Data (: “Belgian Authority”). But what about their older e-mails? What are the rights of the employee and what are the corresponding ones and the protection of the Employer? An answer to this question was given by an earlier decision of the Supreme Court (: 1/2017 Plenary Session of the Supreme Court). Given its importance, it had occupied us since the time of its publication.
It is worth re-approaching this specific decision of the Supreme Court – in the light of the recent decision of the Belgian Authority. As they become complementary, we will attempt to outline the limits of protection of the employer and the business in our country.
Decision 64/2020 of the Belgian Authority
The Belgian Authority has given specific guidance regarding the management of e-mails for the time following the termination of the employment relationship. In summary: it assessed that the professional email address of the employee to leave may not continue to be used. And even more: it must be completely abolished. Prior to its removal, however, the business is entitled to activate an automated response. This reply will inform those who send an e-mail to the e-mail address of the (to be) former employee about his / her non-employment in the business. Also, for the email address of the latter (: business) to which they can, from now on, address themselves.
At the same time, the decision of the Belgian Authority considered that the automated response cannot be maintained indefinitely. It should be active and sent to third party senders for a period of one month only and, subject to certain conditions, for a three months. After the expiration of the specified period of time, the professional e-mail address of the employee should, based on the above decision, be deleted.
The No. 1/2017 decision of the Plenary Session of the Supreme Court
It is noteworthy that this decision was issued before the entry into force of Regulation 2016/679 on Personal Data. It dealt with the recovery (from their storage medium) of e-mails of former employees. The Supreme Court, in this case, dealt with e-mails, which had been received or sent by the employees before their departure.
The facts of the case
An SA active in the timber trade appealed to the court. This company represented a large number of foreign companies. In 2006, two employees / high-ranking, long term executives submitted their resignation from this business. The one was its General Manager and, in the last decade of his employment, a member of the Board of Directors and Chief Executive Officer. The other had been a sales manager and also a member of the Board for the last eleven years.
These two employees were hired as high-ranking executives, after their resignation, by another timber trading company -competitor of their former employer. The first took over the position of chairman and the second the vice-chairman of the Board.
The second employee was invited upon his departure to inform and deliver to the next general manager the file of customer contracts, the relevant correspondence with the represented companies and customers, the orders and all the relevant data-as they were registered in the computer, provided to him by the SA (as its asset). The latter, however, refused any cooperation. He claimed that he had already deleted the requested files. Shortly after the resignation of the two employees, three of the most important companies, which (exclusively) were represented by their former employer in Greece, terminated their cooperation with it. At the same time, they decided (obviously not by chance) to work with its competitor business, which the two employees had joined.
About two months later, the SA asked three experts, accredited by the Ministry of Justice for issues of cybercrime, to search and retrieve the deleted files from the hard drives of the two employees’ corporate computers. But a surprise awaited the business. From the conclusion of the experts, more important findings emerged. It turned out, in particular, that the two employees for two years before their departure carried out a series of competing transactions.
Documents retrieved by the experts included earlier e-mails. The specific messages, which were stored in the hard drives of the corporate computers, proved the unfair competitive activity of the two former employees. The two lawsuits filed by the SA against the two employees (among others) were rejected in the first and second instance. The first decisions focused on the fact that the e-mail was withdrawn without the consent of the employees and without the observance of the legal procedure for the removal of the confidentiality of communications. They therefore considered that it was an “illegally acquired” piece of evidence which could not, therefore, be taken into account. It is obvious that adhering to a specific view of the law rewarded immorality and illegality.
The position of the Plenary Session of the Supreme Court
The Plenary Session, however, of the Supreme Court made to a different ruling. It adopted, in particular, the view that was then held in theory. According to this, the e-mail that, in this case, was withdrawn was not occupied by the absolute protection of article 19 §1 of the Constitution. It concluded, in particular, that “… the constitutional protection of confidentiality is located at the stage of communication, ie at the time when it takes place and ends with its conclusion. The protection of privacy ends as soon as the recipient becomes aware of the content of the message. From the end of the communication onwards, every element (message and external elements) may fall within the regulatory scope of the constitutional protection of privacy and personal data (Articles 9 and 9A of the Constitution, respectively), but is no longer covered by the constitutional protection of confidentiality. ”
As accepted by the Plenary, the e-mails in this case, were not a product of interception during a communication. Nor were they removed from the personal electronic file of employees who resigned by stealing a secret password. Instead, they were recovered from the hard drive of the corporate computers they used, due to their refusal to deliver to the SA documents that were necessary for the operation of the latter.
The Plenary, however, acknowledged that the withdrawn correspondence falls within the meaning and protection of personal data (: Article 9A of the Constitution). It pointed out, however, that privacy rights are not absolute. That is, they can be restricted – like any other constitutional right – if: (a) there are serious reasons for the public interest and (b) their exercise infringes on the rights of others. Provided, of course, that the principle of proportionality is not infringed.
In particular with regard to the employees, the Plenary (in the light of what was then valid for personal data) pointed out that “… the purpose of collecting and processing personal data of employees is permitted only in for reasons relating to the employment relationship and work organization… The processing of personal data should be relevant, proper and not more than what needed each time, for the purposes of the processing. The collection and processing must be done in such a way as to interfere as little as possible in the personal life of the employee…”.
On the basis of the above data, the Plenary Session ruled (and rightly so) that the invocation of the rights to protection of privacy and personal data (Articles 9 and 9A) of the two former employees was unfair. Specifically, it assessed the supremacy of the constitutional (and non-) rights of the business. Indicative: the right to legal protection (20 §1 of the Constitution) and business freedom (5 and 106 §2 of the Constitution). Also the right to protection of its commercial credit and free competition.
Based on the above data, it considered it legal to retrieve the e-mails of the two former employees from the corporate computers they used.
The rights of the business and its (necessary) protection
The comparative review of the two decisions leads us to a more comprehensive approach to the issues that arise, regarding the fate of the e-mail address of an employee who is leaving. An approach that takes into account both the GDPR and the Greek Constitution and Greek legislation. More specifically:
Upon the employee’s departure, the email address bearing his or her name is excluded. One month (or three – under certain conditions) after their departure, this address is deleted. This does not mean, however, that, after the expiration of the month (or, respectively, of the three months), the employer is not entitled to withdraw from the hard drive of the corporate computer used by the employee, their past (perhaps deleted) e-mails. Quite the opposite! It is presumed that the employer has a relevant legal interest. And more specifically: a legitimate interest that will render the constitutional rights of the employer business more significant than those of the employee.
At the same time, the directions of the two decisions lead to an additional conclusion. The e-mails that the employee receives in their corporate account after their departure still fall under the protection of the confidentiality of communications (19 §1 of the Constitution). As these have not been read by their recipient, they are still covered by privacy.
According to article 19 par. 1 of the Constitution: “The secrecy of letters and the free response or communication in any other way cannot be violated. The law defines the guarantees under which the judicial authority is not bound by secrecy for reasons of national security or for the ascertainment of particularly serious crimes”. The protection of the confidentiality of letters and the free response and communication, in any way, is Constitutionally guaranteed. In fact, not only against public bodies and companies, but also against individuals.
At first glance, therefore, the employer does not seem to have the right to know the contents of the mail that reaches the employee’s corporate e-mail (bearing their name) after they leave. For these e-mails, the employer business can only have activated the process of sending an automated response to their sender, but without knowing the content.
The decision no. 1/2017 of the Plenary Session of the Supreme Court came to give a (legal) solution to a really difficult problem: The one that concerned the protection of the business against the employee who, in bad faith, fortified behind the “letter of the law”, consciously (dishonestly, immorally and illegally, in the end) harmed, for their benefit, the employer business. The safeguarding of the rights of the (honest) business was chosen, and rightly so.
The recent decision (: 64/2020) of the Belgian Authority does not differentiate the data in this matter: The employer business reserves (albeit under certain conditions) the right to refer to the correspondence received in the employee’s corporate e-mail, and read by the same, during the employment relationship. However, it is obliged to deactivate (and very soon abolish) the employee’s e-mail. As already mentioned, the time limits (: month or three months-maximum) for the abolishment of the employee’s corporate e-mail are very narrow-especially when the latter holds a significant position and responsibilities.
We hope that the Greek Authority for the Protection of Personal Data will extend the aforementioned time limits for the abolition of the corporate e-mail of the employee who is leaving. We also hope that the Greek courts will recognize, respectively, the right of the business to have (even under certain conditions) access to the e-mails of the employee, received after their departure.
The constitutional and legislative background exists, moreover, for both, specific, cases.
The law, and much more the Constitution, must protect the honest from the less honest ones.-
Stavros Koumentakis
Managing Partner
P.S. A brief version of this article has been published in MAKEDONIA Newspaper (May 16, 2021).
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.