Hungary's data authority issues fines for failure to provide access to private e-mails

Hungary

Hungary’s Data Protection Authority (NAIH) imposed a fine of HUF 200,000 (EUR 570) on a company for unlawfully denying a former employee access to archived private e-mails.

In addition to the fine, the NAIH ordered the company to cooperate with the employee, conduct a review within 15 days, determine the personal data contained in the former employee’s archived e-mail account that should be considered private in nature, and give the employee access to these private personal emails.

The decision, however, also features some unprecedented findings favourable to employers. According to the NAIH, the former employee is not entitled to request the release of his entire e-mail correspondence, and the employer cannot be expected to sort through the former employee’s private e-mails independently.

Background

A former employee requested that its previous employer provide access to the 2018 archive of the employee’s work e-mail account, which was partially of a private nature, and concerned scientific publications pertaining to research activities conducted in the context of his employment relationship.

The company denied the request for the following reasons:

  • The former employee is no longer entitled to indicate the company in scientific publications, therefore it has no interest that could justify the request to have access to the e-mail account.
  • The access would jeopardise the company’s financial and economic interests and would also endanger trade secrets.
  • Since an employment lawsuit is pending between the company and the former employee, providing access would enable the former employee to destroy evidence.
  • The company was not able to identify the scope of the private personal data (e.g. the scientific publications, the release of which the former employee had requested).

In its decision the NAIH confirmed the following:

  • Data contained in a work e-mail account constitutes personal data, irrespective of whether the e-mails pertain to work or private correspondence.
  • E-mails pertaining to work, like e-mails potentially containing trade secrets, are protected, and as a result, the former employee’s full e-mail correspondence cannot be released.
  • Access to e-mails of a private nature must be ensured. A work e-mail account, however, potentially contains such a large quantity of sent and received e-mails that the employer cannot be expected to sort through it all. The appropriate measure would have been to notify the former employee that he is no longer entitled to indicate the company in his future scientific publications, which would have made it unnecessary for the former employee to request the release of the full 2018 archive of his work e-mail account. Furthermore, the company should have informed the former employee that it is fully open to release his private e-mails provided that he indicates the exact e-mails required and the data medium on which he wishes to receive these e-mails.
  • Private e-mails may be released, but the former employee must select the required e-mails from a list of contents or by participating in the sorting together with the company.

Takeaways

According to the ruling, companies in this situation must do the following:

  • Regulate the private use of their electronic mail systems appropriately.
  • Provide adequate information about data processing pertaining to their electronic mail systems and the processing of employee e-mails following the termination of employment.
  • Ensure that the private e-mails of former employees are released upon request, pursuant to a policy established in advance, but having regard for the protection of the company’s trade secrets.

For more information on this decision and how it could affect your company, contact your regular CMS advisor or local CMS experts.