work EMAIL and PRIVACY

Warning: this is a topic with strong legal implications.
Contact qualified consultants to verify the regulations and their application.

The work email is a business work tool
which contains an impressive amount of business-related information.

Can companies do whatever they want with the email,
which is a business work tool but is written and read by employees?
Can they read it? Can they back it up? Can they archive it?

generic work email addresses, no constraints

The work mailbox has an ambivalent nature,
it is a tool owned by the employer, but is used by the employee.

We must distinguish between two different types of business email addresses:

  • personal company mailbox, i.e. name.surname@companyname.com
  • generic company mailbox such as info, support, sales, marketing, billing, etc.
    that is, all those that are NOT related to a single person

The generic company mailboxes are not problematic at all,
the company checks them, reads all the messages, has no constraints.

personal company mailbox, like a company car

The personal mailboxes, such as name.surname@companyname.com,
may contain personal data of the employee that the employer must protect.

If we choose to use this kind of mailbox,
as an employer we need to know which technical standards to adopt
and which tools to use to be able to process the data adequately.

The mailbox can be compared to the company car,
it is made available to the employee for use within the business tasks.

The employer for example can check the mileage, to verify that the employee
has not abused this work tool, using it for personal purposes.

The employer cannot, however, monitor systematically and without specific reasons
what the employee does inside the company car.

The mailbox is the equivalent of the company car, a work tool that is owned by the company
and given to the employee to use for work, just to carry out their tasks.

What the employee sends and receives, even during working hours, is like what happens
inside the cabin of the company car and is equated to private correspondence.

read only under certain conditions

The company cannot read what is written in the email messages
systematically and without a specific reason.
Even if there is a specific motivation, it can be done only under certain conditions.

Three different interests are at stake, which must be balanced:

  • the employer’s interest in accessing this content
    for organizational/production, work safety or other reasons

  • the legitimate expectation of employees
    who consider this content as confidential

  • the expectation of third parties who write to that company name account;
    they may not be aware that the content of their correspondence is NOT private and confidential
    (the standard disclaimer at the bottom of email messages usually warns that the content may be read by others)

inform the employee

The employee must be informed, with adequate written communication, that email
can be used only for purposes related to the employment relationship, for example by prohibiting personal use.

The document must explain how to use the company tools,
including the mailbox, and inform that, in compliance with the privacy regulations:

  • email messages will be archived to comply with the law and to protect company assets
  • the company may, in some cases, carry out checks on the content of the employee’s mailbox

massive checks are prohibited

The so-called “massive controls” are prohibited,
such as the systematic reading of the contents of an employee’s mailbox.

Limits on employer control are based on three cardinal principles:

  • one is good faith, which is the possibility for the employer to carry out a check
    on the employee’s company mailbox only if there is a well-founded reason,
    for example, for the protection of company assets that could be compromised or put at risk by a virus,
    or in the case of suspected infidelity of the employee, to carry out defensive checks

  • the others are proportionality in the control and limitation in time and in the object of the search

obligation to archive email messages

The rules require the employer to prove
that it has adopted adequate and effective security measures
to protect company data, such as corporate email archiving.

obligation to inform the employee

Access to data by the employer,
if carried out in the absence of detailed company information to the employee:

  • represents a very serious violation

    sensitive data may be found in the employee’s personal space,
    for example information about political, religious, sexual or trade union orientation,
    which must be guaranteed the highest level of confidentiality

  • is a criminal offense

    there is also the risk that all illegally acquired data
    will be unusable in any legal proceedings

obligation to delete email messages

Business correspondence should generally be kept for a maximum of ten years,
to preserve the company’s assets and to be able to defend itself in any litigation.

The storage and processing of personal data is permitted only for a specific purpose.
If this purpose ceases to exist after a certain period of time, for example after ten years, this data must be deleted.

obligation to deactivate the mailboxes

In the event of employee dismissal or resignation,
the name.surname mailbox must be deactivated within a short period of time.

The company can activate an automatic reply informing the sender that the account has been deactivated
and inviting them to write to another internal email address.

The historical archive of company messages of terminated employees
can be kept only if the employee had been informed that his messages were stored.
