Employee email tracking (is it an unspeakable sacrilege or legally permissible reinsurance?)
We already talked about “Big Brother”-like systems in the workplace. The ability (?) of businesses to monitor their employees. Using Visual Recording Systems in the Workplace. The conditions under which it is tolerated under European and national law. How the Personal Data Protection Authority addresses transgressions.
But what about employee emails?
Is the employee entitled to illegally distribute the business’s confidential information through the email provided to them by the employer?
Is the employer entitled to protection from their employees who are acting illegally?
Or does the employee’s (absolute?) right to privacy of their correspondence exceed?
II. The employee’s “information self-determination”
The subordinate employment contract has several important characteristics. One of them, one that is intertwined with its very nature and function, is that of the employer collecting and processing a wealth of information about their employee. This information, no doubt, constitutes personal data.
The employee has, at a first level, the right of “information self-determination”. That is, the right to decide for themselves the disclosure, disposal and use of their personal information. This right derives from the Greek Constitution itself. This is because it is a more specific manifestation of the protection of personality (Article 5 par. 1 C.), privacy (Article 9 C.) and personal data (Article 9A C.). In addition, personal life is protected by Article 8 of the ECHR.
The possibility of infringement of an employee’s information self-determination right is higher than ever. Technological developments provide the employer with significant opportunities to penetrate the privacy of its employees. Traditional forms of subordinate work are declining, giving way to new, flexible forms of work (teleworking). Jobs are now sometimes inextricably linked with the use of laptops, tablets, and smartphones. Technological means and / or technological structures belonging to the employee. The line between an employees’ private and professional life has already proven very blurry.
The employees through technology enjoy flexibility in providing their work. But it is through the same technology that the employer is given the opportunity to control their employees.
One of the ways to monitor employees is tracking their emails.
III. The protection (?) of the content of emails
The ability to monitor (or not) the employee’s email is a matter of great legal debate. Disagreements have even been made on the applicable constitutional provision.
At a first glance, electronic mail falls under the protection of the privacy of communications (19 C.). Protecting this privacy is not just about letters. It also covers any form of private, that is, non-public, communication. So are e-mails, which are the modern form of communications.
Arguments in the legal world about the protection of this particular electronic communication concern, first and foremost, its scope. According to the opinion held, constitutional protection of privacy covers only the stage of communication. That is, from the time it is sent until when it is opened by the recipient. On the contrary, according to the opinion not held by most, constitutional protection of privacy extends beyond the termination of communication. That is, it extends until the communicants say it doesn’t. Until they no longer wish to ensure the confidentiality of the communication.
The Supreme Court of Concession (decision no. 1/2017) came to reinforce the aforementioned view held in legal theory. We have already analyzed this decision in our article (: Companies and Confidentiality). It is noteworthy that this decision was adopted by a majority. Minorities? Just one of the members of the Supreme Court of Concession.
The prevailing view is not without legal consequences.
On this basis, electronic communications are protected by the confidentiality of communications only during the communication in question is actually taking place (Article 19 C.). Upon its completion, these messages fall within the scope of Articles 9 and 9A C. This applies where the sender or recipient retains the emails. Either printed on their computer without a password.
Therefore, emails, after the completion of the communication, are protected as part of employee’s privacy and as the employee’s personal data.
IV. Employee email tracking: The absolute (?) protection of communications and electronic mail
From the moment an (electronic) mail is sent till the moment it is opened, it is absolutely protected. This is because it falls under the (respectively) absolute protection of the privacy of communications (Article 19 § 1 C.). In this case, its content can be monitored only with the permission of the Judicial Authority. This permission is granted when it is required for national security reasons or for the detection of particularly serious crimes. In no other case.
These strict conditions apply only to the content of the emails. Not to the external elements of a communication (eg time of sending and receiving e-mails, sender and recipient details, etc.). Recording and processing external elements of a communication is, at a first level, legal for the employer. Their limits are determined on the basis of legal parameters: the principles of proportionality and purpose.
Therefore: The privacy of the content of a mail (electronic or not) is completely inviolable. Only the Judicial Authority can, under certain conditions, lift it.
This absolute protection does not apply to privacy and personal data protection rights. Although they are, too, protected under the constitution.
V. Employee email tracking: The relevant protection of communications and electronic mail
An e-mail sent by a business e-mail address (or, more generally, sent from within the workplace) can be considered to have information concerning the employee’s private life.
The relevant correspondence seems (and is) closely linked to the employer’s business. It remains, however, private as it is intended to serve the employee’s personal affairs and / or interests. Even when it comes at the expense of the employer. The employee has a legitimate, at least at first, expectation that their privacy is protected in the workplace. This expectation is, in fact, not remedied by the fact that the employee uses equipment, means, infrastructure and facilities of the employer.
It is accepted that the employee’s electronic mail falls within the scope of Articles 9 C. and 8 ECHR.
It is also accepted that electronic mail and the information contained therein are personal data and fall within the scope of Article 9A C.
However, privacy and privacy-related rights are not absolute.
They may be limited if there are serious public interest concerns. Most importantly: when the exercise of such rights violates the rights of others. (Always provided that such restrictions are provided for by the Constitution or the law. And, of course, the non-infringement of the principle of proportionality (Article 25 par. 1 C.).
VI. Employee email tracking: The protection of e-mails as employees’ personal data
Regardless of their constitutional protection, personal data are also protected under more specific legislation.
In order for the monitoring of employees’ emails, and generally of the personal data contained therein, to be legal, the requirements of Regulation (EU) 2016/679 (: General Data Protection Regulation-GDPR) must also be fulfilled.
The GDPR lists cases where the processing of personal data is lawful. Those cases are explicitly, specifically and restrictively laid down in Article 6 § 1 and (in the case of special categories of personal data) apply, Article 9 § 2 GDPR.
Processing of personal data in the context of an employment relationship is, however, presenting some peculiarities not encountered in other relationships. Peculiarities deriving from the special nature of the employment relationship.
In this context, the GDPR gives Member States (: Article 88) the power to lay down specific rules on the processing of personal data in the context of employment. On the basis of this option, the national legislature provided for in Article 27 of the Implementing Law (: 4624/2019). This provision refers to the “processing of personal data in the context of employment relationships”.
VII. Employee email tracking: Requirements for the lawfulness of tracking employees’ emails
To qualify for a monitoring of employee emails to bel legal, certain conditions must be met.
1. The legitimate interest of the employer
The processing of the employee’s personal data by the employer is legal, subject to certain conditions. One of these conditions is that the processing is necessary for the purposes of pursuing the legitimate interests of the controller (the employer in this case – Article 6 § 1 f’ GDPR). In the latter case, always in the light of the principles of proportionality and necessity, the interest or fundamental rights and freedoms of the data subject (: employee), which impose the protection of personal data, do not prevail.
The employer’s legitimate interest may, inter alia, be satisfied by exercise of their managerial right. That right is, moreover, what introduces the consequent employee obligations of loyalty. In this context, the employer can base their legitimate interest in processing their employees’ data on a number of grounds. Indicative: prevention and control of leakage of know-how, confidential information, commercial & business secrets. Also: ensuring the smooth operation of the business by establishing a control mechanism for their employees. Lastly: protecting the business and its property from significant threats, such as the conveyance of confidential information to competitors or the collection of evidence of any criminal activities cunducted the employee.
2. Employee’s consent (?)
It had long been a question whether the legality of the processing of personal data could be based on the consent of the employee (Article 6 § 1 (a) GDPR).
The employment relationship is, by its nature, an unequal, between the parties, relationship. It is therefore questionable whether the employee’s consent is the product of their free will. Even more so if it can be considered for the characterization of the processing of data by the employer as legitimate.
Article 27 άρθρο 2 of Law 4624/2019 provides:
“Where the processing of an employee’s personal data is exceptionally based on their consent, in the judgment that it was the result of free will, account must be taken in particular the following:
(a) the employee’s existing dependency on the employment contract; and
(b) the circumstances under which the consent was granted. The consent is provided either in writing or electronically and it must be clearly distinguished from the employment contract. The employer must inform the employee either in writing or electronically of the purpose of the processing of personal data and of their right to withdraw their consent in accordance with Article 7 (3) of the GDPR.”
Is employee consent, however, the right legal basis for processing their personal data? And, in particular, for the monitoring of their electronic communications? The Personal Data Protection Authority dealt with the issue in its decision 26/2019. We have extensively dealt with this (particularly important) decision in our earlier article on the commencement of the imposition of fines by the Data Protection Authority under the GDPR.
Its most important assumption: The employee’s consent (: Article 6 § 1 (a) GDPR) is neither an adequate nor an appropriate legal basis for the processing of personal data in the context of electronic communications monitoring. Accordingly, the performance of the employment contract (Article 6 § 1 b) is not an appropriate legal basis. This is because, depending on the nature of the employment, the processing involved may go beyond what is necessary for the performance of the employment contract.
The existence and invocation of the employer’s legitimate interests may form the basis for the lawful processing and legal monitoring of employees’ emails.
3. The obligations of the employer
The employer must, in any event, fulfill certain conditions before monitoring their employee’s emails.
The ECtHR, the Data Protection Authority and the Working Party of Article 29, having adopted decisions and opinions respectively, have formulated the framework of the relevant conditions.
In this context, it has been held that it does not constitute a legitimate ground for surveillance or monitoring of the employee’s personal data if the employee uses a computer: (a) owned by the employer; and (b) for which the employee has formerly been notified that they should not use for non-professional reasons.
On the contrary, more specific information is required (ECHR, Bărbulescu v. Romania). In this context, employees should be informed in advance of any checking and monitoring of their personal data in a clear and appropriate manner. Also: for the purpose for which their personal data is processed.
And all this is not enough. When an employer oversees an employee’s electronic communications, it is not sufficient for them to comply with what is required by law for the protection of personal data, in order for their actions to be lawful and justified. They should also go one step further in informing the employees.
VIII. In conclusion
The business has the right to access the electronic mail of its employees. Not to monitor their personal lives (like another Big Brother) nor for the sake of curiosity.
This particular right of the business is, of course, subject to strict conditions. As long as these are kept, neither the business is committing a crime nor are its executives committing a (at least) sacrilege.
But rather the opposite!
Those who run a business are, of course, entitled to protect their legitimate interests. To be more precise: they have to do so because of their position.
It is also clear that employees who are acting illegally cannot be worthy of protection…
P.S. A brief version of this article has been published in MAKEDONIA Newspaper (February 23rd, 2020).
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.