No data breach in case of justified inspection of former employees’ emails
The Supreme Court of Justice has confirmed the decisions of both the Regional Court and the Higher Regional Court, providing further clarity for employers (OGH 06/28/2023, 6 ObA 1/22y).
What happened: A company mutually terminated the employment relationship with an assistant to the CEO. Because correspondence, especially with customers, was conducted via this assistant’s email account on behalf of the CEO, the CEO inspected her email account to ensure that the company would not miss any important customer messages after the assistant’s departure. However, what he found in the emails was far from uplifting: the assistant’s colleague had been badmouthing the company to the former employee. She had referred to it as a “bunch of idiots,” claiming it was “maddening” to work there, and everyone was incompetent, so she was not going to do much work anymore and was currently applying for other jobs. Unsurprisingly, the CEO terminated the employment relationship after learning of these messages. Both former assistants now demanded compensation for data protection violations because the CEO should not have accessed these messages, let alone disclose them to the HR manager.
Well, all the courts involved in this case saw the matter differently:
The inspection of the email account was necessary to maintain the defendant’s business operations after the former assistant had left because it contained customer and contractual partner communications. In addition, the plaintiffs had to expect inspection if messages were not clearly marked as private, which is not to be expected from email correspondence between assistants to the management. Therefore, the courts confirmed that the interests of the defendant company in accessing the emails outweighed those of the plaintiffs in protecting their personal data and privacy under section 6 (1f) GDPR. The inspection was therefore lawful. In addition, the Supreme Court of Justice stated that such an occasion-related inspection is not a control measure within the meaning of section 96 (1) ArbVG (Austrian Labor Constitution Act). Consent of those affected to view the emails was therefore not required, neither from a labor law nor data protection law perspective.
The two plaintiffs were also denied the requested damages: Only because the plaintiffs were embarrassed that they had been caught, and the merely vague risk of public humiliation, were not sufficient to reach the materiality threshold required for damages. This is not contradicted by the fact that the CEO’s wife, who was involved in personnel matters, also found out about the derogatory messages during the successor’s termination process.
What does this decision mean for employers?
Privacy in the work environment is not limitless and data protection is not a fig leaf to protect one’s own misconduct. Accessing employees’ work-related email accounts is particularly justified when it is necessary to maintain business operations. A balancing of interests must be carried out, always taking into account the specific circumstances of the individual case. However, the employer may only look as far as it is not apparent that the employee’s correspondence is private.
Our expert Markus Gaderer from the Data Protection, Telecommunications and Digitization Team will be happy to answer any further questions you may have on this topic.
This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.
6. September 2023
Go back to News