Lack of legal basis under GDPR
In this case, it was found that the employer had activated automatic forwarding of the employee’s work emails. The employee had been absent through illness for more than a month. Upon their return, the employee discovered this unlawful processing of their data. It proved to be a violation of the national regulations concerning an employer’s access to email inboxes and other electronic information. It was also a breach of the General Data Protection Regulation's requirements on legal basis: the employer should have informed the employee (the data subject) and consulted with them to consider their objections before starting this processing.
The Norwegian Data Protection Authority (NDPA) fined the employer €40,000 for unlawfully setting up automatic forwarding of an employee’s work emails, without having a legal basis to do so. The case will be of interest to Irish employers as it could be a persuasive decision if an employee made a similar claim in this jurisdiction.
If an employer wishes to monitor an employee's emails, they must comply with the provisions of the GDPR which, in short, require that:
- the employer must have a legal basis for the processing (such as legitimate interest);
- the monitoring must not be excessive - employers should look at whether there are less intrusive measures available; and
- the employee should be on notice of the monitoring.
See the Data Protection Commissioner guidance note on processing personal data. If you would like more information on GDPR or to discuss your requirements further, please contact Emma at SFA on 01 605 1668 or at firstname.lastname@example.org, or visit our HR and Employment Law advice section on our website.