The Hungarian Data Protection Authority has issued a statement on processing of employee emails under the GDPR, providing guidance for employers on how to ensure they are compliant.
At the end of last year, the Hungarian Data Protection Authority ('HDPA') issued a statement in which it commits to taking all possible action and using all available means (including imposing the appropriate legal consequences to prevent further infringements) to stop the widespread practice of unlawful processing of employee emails.
How does personal data enter the picture?
Even if an email address was provided for work purposes, it might be used by the employee for personal matters, or third parties might send personal emails to the address, which turns this into a question of data privacy. Although some recommended steps can be taken to prevent the personal use of work email addresses (i.e. the prohibition of personal use of work assets), it does not seem to be possible to fully separate the two uses, since receiving a personal email from a third party is generally outside the employer's or employee's control. It is also important to note that if an employee uses his or her work email address for personal matters despite explicit prohibitions being in place, this will still involve data processing by the employer, meaning that the processing of personal data is unavoidable.
What is expected of employers?
First and foremost, employers should determine the lawful ground for the processing. The HDPA highlighted storing, archiving and searching/indexing as the most common processing actions performed on employee emails. Naturally, employers have a vested interest in monitoring employee emails, as it is necessary to control and maintain workflow. This means a lawful ground for processing must be substantiated by a thorough application of the balancing test prior to the processing. Once the lawful ground is established, it is advisable to prepare a Standard Operating Procedure (SOP) on the monitoring process.
The employer must duly inform the employees about the monitoring of work emails, the data processing, and whether personal use of work emails is permitted or prohibited in the workplace.
Before or during the monitoring, the employer must take all reasonable steps to separate work-related and private emails. In accordance with the principle of accountability, the employer should maintain a record of the steps taken during monitoring.
Considering the fact that almost every employer provides its employees with an email address for work purposes, this statement is important for all employers who wish to be compliant with the GDPR and employees interested in the protection of their private lives.