A recent decision by the Hungarian Data Protection Authority once again highlights the importance of having clear rules in place to govern employees’ use of work email for personal purposes.
In this particular case a former civil servant sought access to his work email account after his employment had been terminated. Unsurprisingly, the employer refused. The former employee complained to the Hungarian DPA that the employer had failed to fulfil its obligations under Article 12(2) of the GDPR by denying his right of access under Article 15.
The distinguishing feature was that the former employee was seeking to get access so he could recover personal correspondence.
The Hungarian DPA concluded the large volume of emails in the account meant the former employee should have specified what emails and documents he wanted to have access to (as anticipated by Recital 63 of the GDPR). Equally, it was held the employer could withhold access to the entire email account.
However, the Hungarian DPA also held the employer should have asked what emails were specifically wanted, or completed an exercise of sorting the emails (and their content) into categories that were private (and so disclosed) and business (to which access could legitimately be denied). As a consequence, it was held the employer had indeed failed in their obligations under Article 12(2).
In this particular case there was no enforced policy concerning the use of the employer’s email account for private purposes. If there had been, it may have avoided the issue altogether.
To see the full decision (in Hungarian), go to: https://www.naih.hu/files/NAIH-2020-34-3-hatarozat.pdf