Data authority issues two fines for unlawful access to workplace emails

Hungary

The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) imposed fines in two cases related to monitoring workers. In both cases, the employers failed to provide proper privacy information on the use of their employees’ data and did not have appropriate internal policies in place.

Accessing mailbox of an absent employee

In the first case, an employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee complained to NAIH, claiming that he did not receive pre-notification and did not have the chance to copy and delete his private information (e.g. telephone numbers, messages). NAIH fined the employer HUF 1,000,000 (EUR 3,000).

In the second case, the employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related legal document. Similar to the first case, the director complained he received no warning that his former inbox would be activated, and did not have a chance to copy and delete his private information.  (e.g. passwords, financial information etc.). NAIH fined the employer HUF 500,000 (EUR 1,500).

Recognising employees interests

In these cases, NAIH agreed with the employer argument that an absent employee who has failed to perform his tasks represents an integrity risk with financial and legal consequences. Hence, it is in an employer's legitimate business interest to take steps to prevent or mitigate these risks. NAIH also recognised that it may be necessary to archive the mailbox of former employees for security purposes, but stated that employers must comply with data protection rules in all cases.

Key takeaways for employers

  • Employment agreements must regulate whether employees can use work equipment for private purposes.
  • Privacy notices must contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes, and the specific retention period of employee data - including the length and recurrence of backup copies.
  • Employers must also prepare ”balancing tests” to prove their legitimate interests for general employee monitoring and specific cases.
  • An employee or a representative should be present when his data is being accessed, even if his employment has been terminated.
  • Employees should be able to request a copy or the deletion of their private data.
  • Employers must record the accessing process with minutes and photos; when the employee cannot be present, then in the presence of independent witnesses.
  • Employers must adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials authorised to carry it out.

For more information on this eAlert, contact your regular CMS advisor or local CMS experts: Dora Petranyi and Marton Domokos.