POSITION No. 1/2003
Published in the Official Journal No. 23/2003
Office for Personal Data Protection advising on practical problems - No. 1/2003
The monitoring of electronic mail and the protection of employee privacy and personal data
With reference to Article 13 of the Charter of Fundamental Rights and Freedoms, as well as with respect to the Act on Personal Data Protection, as amended, or to the decisions of the European Court of Human Rights concerning Article 8 of the Convention on the Protection of Human Rights and Fundamental Freedoms (e.g. Niemietz vs. Germany, Halford vs. United Kingdom), an employee is justified in expecting that his or her right to the protection of privacy, including the right to protect his or her personal data, inter alia also in labour relations, will be respected by the employer and will not be limited unreasonably. This right of the employee, however, cannot infringe upon the legitimate rights and interests of the employer, in particular the right to expect efficient work from the employee and above all the employer's right to protect his activities against liability risks, criminal activity or damage caused by the employee in the performance of his or her work. The rights of the employee and those of the employer have to be asserted, observing the principle of maximum harmony and compatibility.
In implementing this rule of harmonious assertion of rights and performance of obligations it is necessary to take into account a number of principles, particularly the principle of reasonableness, or proportionality.
As for the employer's monitoring of the electronic mail of his employees, it is necessary to remember that even electronic mail is mail and written documents (papers) sent by it are still written documents within the meaning of Article 40 of the Civil Code, which means that the same rules apply to them as to other written material. When considering the question of e-mail monitoring one has to take into account above all Article 13 of the Charter of Fundamental Rights and Freedoms which stipulates: "The secrecy of mail and other written documents and records, both kept in private and sent by mail or other means, shall not be infringed, with the exception of cases stipulated by law and in the manner set thereby. The secrecy of messages communicated by telephone, telegraph, or other similar device shall likewise be guaranteed." This provision is expanded in the wording of Article 12 of the Civil Code which, inter alia, stipulates that written documents of personal nature may be obtained or used only with the consent of the natural person to whom they relate. The consent is not required in those cases where written documents of personal nature are used for official purposes stipulated by law. The aforementioned provisions, in particular Article 13 of the Charter of Fundamental Rights and Freedoms, clearly show that the right in question falls within the category defined as "the protection of person", and that it is a fundamental human right. It is also evident that the aforementioned provisions apply universally, i.e. they apply also to the employer and must be complied with. 
In discussing whether a private message delivered to the employee through electronic communication networks remains a private message even after its delivery, it is necessary to refer to the 2002 European Parliament and Council Directive on the Processing of Personal Data and the Protection of Privacy in the Field of Electronic Communications (Privacy and Electronic Communications Directive) which must be transposed into the legal system of the Czech Republic prior to the accession of the country to the EU. The introductory commentary (24) states: "end-user equipment in electronic communication networks and any information preserved in such equipment form part of the end-user's privacy which is protected in accordance with the Convention on the Protection of Human Rights and Fundamental Freedoms. What is called 'searching software', web bugs, hidden identifiers and other similar instruments that find their way into the end-user equipment without the knowledge of the end-user and whose purpose is to gain access to information, preserve hidden information or monitor the activities of the user, may seriously infringe the privacy of the users in question. The use of such instruments should be permitted only for authorized purposes and with the knowledge of the users in question." Within the meaning of the aforementioned Directive, the user is any person using a public electronic communication service for private or commercial purposes, although he or she may not necessarily be identical with its subscriber.
On the other hand, it is necessary to consider that the employer has the right to check whether his employees respect their working hours and how efficiently they use their worktime. To exercise this right, the employer has no need to monitor and process the content of his employees' correspondence. What he possibly could do is monitor the number of e-mails received and sent by the employees and require that they occupy themselves with their personal affairs only to a reasonable and more or less necessary extent, since, as indicated above, even a labour relationship does not suspend the right of the employees to reasonable privacy. The employer should in any case notify the employees in advance of his intention or common practice to monitor the frequency of e-mail messages delivered or sent, the best occasion being the actual hiring of the employee. For the aforementioned purpose, some kind of general guidelines should be adopted for both employers and employees, to make clear that the content of the mail is protected and that the principles of mail secrecy and personal data protection are fully applicable with respect to it.
From the personal data protection perspective it is necessary to consider one more question, namely, whether any e-mail monitoring includes the processing of personal data. In the case of an employer who systematically monitors his employees and uses the data thus acquired for further processing, the answer is clearly yes. In such cases, the relevant activities of the employer would be subject to the Personal Data Protection Act. However, if the employer does not monitor the e-mails systematically, but only examines them accidentally, because of the need to deal with business correspondence (e.g. because the employee is absent from the workplace for a longer period of time, for example due to an illness), then such an act does not constitute the processing of personal data and the Personal Data Protection Act consequently does not apply. Still, the content of such correspondence is protected under the aforementioned Article 13 of the Charter of Fundamental Rights and Freedoms and under Article 12 of the Civil Code, and the act of the employer thus could constitute a breach of mail secrecy, an infringement of the right to the protection of person or unauthorized interference with the privacy of individuals, in this case the employees, which is prohibited under Article 10, para. 2 of the Charter of Fundamental Rights and Freedoms, stipulating that everyone has the right to be protected against unauthorized interference with both public and family life. Even this last provision offers universal protection against anyone, including the employer. Nonetheless, unless a processing of personal data took place, the Office for Personal Data Protection would not be authorized to intervene.
In the end it should once more be emphasized that the employer cannot under any circumstances monitor the content of correspondence - i.e. also electronic correspondence - of his employees or other persons. If the employer wishes to monitor the number of electronic messages delivered or sent, he or she should notify the employees in advance of his or her intention to do so and include this right explicitly also in the contractual conditions under which the employment takes place.
As for the potential question of how the employee could or should defend himself or herself against the monitoring of his or her electronic mail, the procedure should be as follows. First, the employee should ask the employer to stop the monitoring and liquidate any data that he or she might have processed. If the employer does not respond to such a request and continues the monitoring, the employee is authorized - provided that the processing of personal data indeed takes place - to exercise his or her right under Article 21 of the Personal Data Protection Act and ask the Office for Personal Data Protection to intervene. Apart from this legal possibility, the employee may also protect his or her right to privacy and to the protection of his or her person by a court action, which would be practical especially in those cases where there is no actual processing of personal data, as defined above.
When considering the use of electronic mail by employees it should be taken into account that the electronic address itself may fall within the category of personal data. The Office for Personal Data Protection would class the address as personal data in those cases where it contains the name and surname of the employee. The employer undoubtedly has the right to determine the form and manner in which his employees communicate with other natural or legal persons, especially if the employees are, with regard to the nature of their work obligations, authorized to perform functions requiring them to use also the electronic form of communication. In such cases the employer clearly cannot be denied the right to make their e-mail addresses accessible and public, as is the case with all other forms of communication. Another case would be, however, if the employer (company, administrative authority) chose to make public the e-mail addresses of all employees, even those who do not in any way represent the employer in external relations. In such cases the employer (institution) may make the employee's electronic address public only with his or her knowledge (consent) - if, from the viewpoint of legal form, such consent may be considered to have been granted on the basis of some demonstrable evidence whereby the employer complies with the requirements of Article 5 of the Personal Data Protection Act.
With respect to everything that has been mentioned above and with reference to the decisions of the European Court of Human Rights concerning Article 8 of the Convention on the Protection of Human Rights and Fundamental Freedoms, the observance of the following principles may be recommended in using electronic communications:
- The employee has a right to privacy in the workplace. This right is not affected by the fact that the employee uses the communication or other equipment of the employer. The location and the ownership of electronic equipment cannot rule out the right to privacy of communications and correspondence, stipulated in the Constitution and in other legal regulations.
- The universal principle of mail privacy applies also to communication in the workplace. This communication includes e-mail and files attached to it.
- The respect for privacy also includes, to a certain extent, the right to form and develop relations between individuals. This right, too, must be taken into account in judging whether the employer is justified in using certain methods of monitoring his employees.