In brief
Email is the central means of communication in business organizations. Mailboxes are a valuable source of information, particularly in the event of termination of employment relationships or suspected breaches of duty. However, access to emails is restricted and requires careful consideration of the interests of both employer and employee on a case-by-case basis.
Access without any justification is unlawful
Both labour law and data protection law aspects must be taken into account when deciding whether the employer can access its employees’ emails.
From a labour law perspective, the consent of the works council or individual employees is not required to inspect employees’ emails, provided that it is an ad hoc inspection (inspection in individual cases, e.g., on suspicion of misconduct) and ongoing monitoring (“scanning”) does not take place.
Individuals are entitled to the protection of their privacy and, therefore, also to the confidentiality of their personal data. Information contained in private emails is personal data within the meaning of the General Data Protection Regulation (GDPR). Therefore, any processing requires the fulfilment of one of the permissive provisions of the GDPR. According to prevailing doctrine, the employee’s consent is not a suitable justification, as employees’ free will is assumed to be diluted during the employment relationship. Therefore, in the context of labour law, the employer’s overriding and legitimate interest is particularly relevant. When assessing the legality based on a legitimate interest, a balance must be struck between the employer’s legitimate interests and the employee’s interests and fundamental rights. Whether the inspection of emails is justified depends solely on the result of the weighing of the respective conflicting interests in the specific case.
Business use vs. private use
As part of the balancing of interests described above, it is necessary to distinguish whether the business email server may also be used privately by employees. If private email communication has been prohibited, employers can generally assume that only work emails are stored in mailboxes. In this case, the inspection can usually be justified by an overriding legitimate interest of the employer. However, even then, only emails that are not already recognizable as obviously private from the addressee or the subject may be inspected.
The legal situation is different if private use of the business email server is explicitly permitted or merely tolerated. In this case, the employer must assume that there are also private emails in the mailboxes. The employer’s legitimate interest in accessing the data must then outweigh the employee’s interest in confidentiality and privacy. Otherwise, the inspection would not be justified under data protection law and would not be authorized.
An overriding legitimate interest of the employer is to be assumed if mailboxes contain necessary information relating to communication with customers or contractual partners and the inspection is necessary to ensure undisturbed business operations. In weighing the conflicting interests, the understanding of the parties involved is particularly important. An indication that the employer’s interests outweigh those of the employee may be recognized, for example, if the employee could reasonably expect an inspection (e.g., because they were also able to access their predecessor’s mailbox). Thus, if employees can reasonably expect the employer to access their mailbox, inspection is permissible if the employer has a legitimate interest (e.g., necessary processing of further customer enquiries).
If the employer has other reasonable means of obtaining the necessary information to achieve the desired purpose (e.g., if the information can be obtained through other means), the inspection is not necessary and therefore not permitted. The inspection must therefore be limited to what is necessary. As soon as a private email is inadvertently accessed, the inspection must be stopped.
How can infringements be avoided?
To avoid penalties and other sanctions under the GDPR, as well as possible consequences under civil law (compensation claims for damages, injunctive claims), it is important to properly weigh up the interests involved in authorizing access in each individual case. The following measures should therefore be taken:
- Including clear rules in the employment contract or as part of a mutual termination agreement.
- Establishing a strict separation between private and business areas when using the company email server during an ongoing employment relationship.
- Providing employees with sufficient opportunity to check their mailbox for private data upon termination of the employment relationship.
- Evaluating the existence of a legitimate interest, as well as the necessity and reasonableness, on a case-by-case basis.
- Cancelling the inspection as soon as the private nature of an email is recognized.