2020 work email and privacy
Warning: this is a topic with strong legal implications. Contact qualified consultants to verify the regulations and their application.
The work email is a business work tool
that contains an impressive amount of business-related information.
Can companies do whatever they want with email,
which is a business work tool but is written and read by employees?
Can they read it? Can they back it up? Can they archive it?
- two types of work email addresses
- behavioral guidelines
- legal requirements
generic work email addresses, no constraints
The work mailbox has an ambivalent nature,
it is a tool owned by the employer, but is used by the employee.
We must distinguish between two different types of business email addresses:
- personal company mailbox, e.g. email@example.com
- generic company mailbox such as info, support, sales, marketing, billing, etc.
that is, all those that are NOT related to a single person
The generic company mailboxes are not problematic at all,
the company checks them, reads all the messages, has no constraints.
personal company mailbox, such as company cars
The personal mailboxes, such as firstname.lastname@example.org,
may contain personal data of the employee that the employer must protect.
If we choose to use this kind of mailbox,
as an employer we need to know which technical standards to adopt
and which tools to use to be able to process the data adequately.
The mailbox can be compared to the company car,
it is made available to the employee for use within the business tasks.
The employer for example can check the mileage, to verify that the employee
has not abused this work tool, using it for personal purposes.
The employer cannot, however, monitor systematically and without specific reasons
what the employee does inside the company car.
The mailbox is the equivalent of the company car, a work tool that is owned by the company
and given to the employee to use for work, solely to carry out their tasks.
What the employee sends and receives, even during working hours, is like what happens
inside the cabin of the company car and is equated to private correspondence.
read only under certain conditions
The company cannot read what is written in the email messages
systematically and without a specific reason.
Even if there is a specific motivation, it can be done only under certain conditions.
Three different interests are at stake, which must be balanced:
- the employer’s interest in accessing this content
for organizational/production, work safety or other reasons
- the legitimate expectation of employees
who consider this content as confidential
- the expectation of third parties who write to that named company account,
who may not be aware that the content of their correspondence is NOT private and confidential
(the standard disclaimer at the bottom of email messages usually warns that the content may be read by others)
inform the employee
The employee must be informed, with adequate written communication, that email
can be used only for purposes related to the employment relationship, for example by prohibiting personal use.
The document must explain how to use the company tools,
including the mailbox, and state that, in compliance with the privacy regulations:
- email messages will be archived to comply with the law and to protect company assets
- the company may, in some cases, carry out checks on the content of the employee’s mailbox
massive checks are prohibited
The so-called “massive controls” are prohibited,
such as the systematic reading of the contents of an employee’s mailbox.
Limits on employer control are based on three cardinal principles:
- good faith, meaning the employer may carry out a check
on the employee’s company mailbox only if there is a well-founded reason,
for example to protect company assets that could be compromised or put at risk by a virus,
or, in the case of suspected infidelity of the employee, to carry out defensive checks
- proportionality in the control
- limitation in time and in the object of the search
obligation to archive email messages
The rules require the employer to prove
that it has adopted adequate and effective security measures
to protect company data, such as corporate email archiving.
obligation to inform the employee
Access to data by the employer,
if carried out in the absence of detailed information from the company:
- represents a very serious violation:
sensitive data may be found in the employee’s personal space,
for example information about political, religious, sexual or trade union orientation,
which must be guaranteed the highest level of confidentiality
- is a criminal offense
- carries the risk that all illegally acquired data
will be unusable in any legal process
obligation to delete email messages
Business correspondence should generally be kept for a maximum of ten years,
to preserve the company’s assets and to allow the company to defend itself in any litigation.
The storage and processing of personal data is permitted only for a specific purpose.
If this purpose ceases to exist after a certain period of time, for example after ten years, this data must be deleted.
obligation to deactivate the mailboxes
In the event of employee dismissal or resignation,
the name.surname mailbox must be deactivated within a short period of time.
The company can activate an automatic reply informing the sender that the account has been deactivated
and inviting them to write to another internal email address.
The historical archive of company messages of terminated employees
can be kept only if the employee had been informed that their messages were stored.