Workplace data protection legislation has been of great interest since the entry into force of the GDPR. At the end of last year, two important decisions were issued that may outline the Hungarian regulatory practice for the application of GDPR to workplace data processing.
The story behind the decision of the National Authority for Data Protection and Freedom of Information (NAIH) from October 2019 is that an employer as data controller checked an employee’s desk, work equipment, computer access and e-mail account during his sick leave. After the employee returned to work, he had to hand over his work equipment – his workplace telephone and computer – to the employer. No personal data was copied or deleted. The employee used the device also for private purposes. Although the employer claimed that private use was prohibited, they could not prove this during the procedure.
Among other measures, the authority obliged the employer to investigate, with the employee involved, what personal data the returned devices contain and to delete any personal data being processed without a legitimate purpose and a legal basis. The employer was further obliged to ensure the protection of personal data in connection with the use of email accounts and IT tools provided to employees. The authority also imposed an administrative fine of HUF 1,000,000.
Although it was disputed during the proceedings whether private use of the equipment provided to the employee was prohibited, NAIH stated in its decision that the employer's qualification as data controller is not questionable even if the employer explicitly excludes private use of its equipment, because such qualification is a matter of fact. With regard to private use, an employer shall not be considered a data controller only if the employer effectuates a complete separation of the management of private and work-related data, in such a way that the employer has no control over the former in any way.
NAIH highlighted that based on the legal relationship between the employer and the employee, the primary liability for the lawfulness of data processing shall be borne by the employer, since it has the primary means (internal regulatory and technical operational measures) to ensure the fulfillment of these requirements.
NAIH pointed out that the employment contract may not be defined as the legal basis of data processing carried out for the purpose of controlling the employee's work by the employer, as this may be substantiated only by the legitimate interest of the employer. Although the Authority considered the employer's legitimate interest an adequate legal basis for the processing, it pointed out that the employer should have conducted a pre-documented legitimate interest assessment, the absence of which may cause serious harm to the rights of data subjects.
The Authority also emphasized that, in accordance with the principles of data minimisation, employee control should be carried out according to a tiered control system in order to minimize the impact on the privacy of employees. For example, as a first step, the verification of the recipient’s email address and the subject of the message may be sufficient to determine the nature of the message.
In another decision from December 2019, NAIH made additional remarkable statements on data protection activities related to the monitoring of employees.
According to the underlying facts of the case, a health institution, in search of a document, ordered the restoration of the accounts of its former director without his consent. The former employee thought that his accounts had been deleted, but they had only been inactivated. During his employment, the former director was permitted to conduct his private correspondence from his work email address, so the account also contained information such as his bank account data or personal data related to his health.
NAIH imposed an administrative fine of HUF 500,000; prohibited the health institution from storing an archive of the data subject's private correspondence; and ordered it to allow the employee to make a copy.
The Authority noted that when an employee uses the email account provided by the employer for private activity, and thereby processes his own personal data and, in most cases, the personal data of third parties, the purpose of the data processing is not determined by the employer but by the employee, who may himself become a data controller in relation to the processing of personal data of third parties that is in no way related to his work.
However, the management and operation of the system holding these personal data remains with the employer, and the employer's right to dispose of the e-mail account is not forfeited, so the employer remains a data controller of such data too. The fact that the employer maintains and stores the entire content of the employee's e-mail account, including private mails, as a single database establishes the employer's role as data controller. As the employer has the primary means to ensure the lawfulness of the data management, it is primarily responsible for fulfilling these requirements.
With regard to the legal basis of the data management activity, NAIH explained that the employment contract cannot be referred to as a legal basis, because such a legal basis under the GDPR is applicable only when data processing is necessary for the performance of the contract. This is not the case when the processing is not actually necessary for the performance of the contract but is unilaterally imposed on the data subject by the controller.
The employer referred to data security, which it argued required the data controller to make backups of work and private correspondence under the GDPR, given that the employer performs tasks of public interest. However, as NAIH explained, this does not imply unlimited storage of data. By preserving the applicant's private correspondence without a specific time limit, the employer breached the principle of storage limitation. Reviewing an email account in the absence of the employee is fundamentally contrary to the principle of fair data processing, as it constitutes an intrusion into the employee's privacy.
NAIH recommends that employers should establish internal policies regarding the use of email accounts provided to employees. Internal policies shall cover at least the following matters:
- whether the email accounts can be used for private purposes,
- rules on managing the backup and retention of these email accounts, their inactivation, and the cases in which emails are permanently deleted,
- the detailed rules for checking and reviewing the use of email accounts, the list of people authorized to carry out such examinations within the organization, and how they may carry them out during the procedure.
In addition, NAIH also recommends that if email accounts may be used for private purposes, employers should create a separate folder for private emails, exclude it from backups, and allow those affected to access it after termination of employment or allow its actual deletion.