Hungarian Court fines employers
Improper access to employee work emails
20 January 2020
Two employers have been fined under prosecutions brought by the Hungarian equivalent of the UK's ICO (Information Commissioner's Office).
The NAIH (Nemzeti Adatvédelmi és Információszabadság Hatóság or National Authority for Data Protection and Freedom of Information) found for the employee in each of two cases where the employer had accessed their work email accounts in their absence. The first involved checking for tasks that had been left while the employee was on sick leave and the second involved an ex-director's mailbox, restored to find an attached legal document.
In both cases the judge found that there had been a violation of the data subject's rights because in each case, the employer had failed to follow data protection law (the GDPR) despite the fact that there was a legitimate interest in accessing the email accounts.
The fines were not large, but the same reasoning would in all probability apply in the UK, which is also regulated under the GDPR. Employers are advised that to avoid similar problems they should ensure compliance with the GDPR by:
- having employment agreements that regulate whether employees can use work equipment for private purposes
- issuing privacy notices that contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes) and the specific retention period of employee data - including the length and recurrence of backup copies
- preparing ”balancing tests” (legitimate interest assessments) to prove their legitimate interests for general employee monitoring in specific cases
- having an employee or a representative present when his/her data is being accessed, even if the employment has been terminated
- allowing employees to request a copy of, or the deletion of, their private data
- recording the access process with minutes and photos when the employee cannot be present or do so in the presence of independent witnesses
- adopting internal policies on archiving and the use of IT assets and e-mail accounts, including procedures for inspections and identifying the officials authorised to carry them out