Many of your employees will probably be going on holiday this summer. While they are enjoying some rest and relaxation, you as an employer might have to deal with a number of issues during the holiday period. Are you, for example, allowed to go into your employee’s mailbox if he or she is on holiday and what can you do if an employee goes on holiday without permission? In the weeks ahead, we shall be providing you with an answer to this and other holiday-related questions arising from employment law.
Question 4 - Can I look in the mailbox of my employee when he is on holiday?
In principle this is possible, provided that certain strict conditions are complied with.
Opening an employee’s e-mailbox is regarded as the processing of personal data as referred to in the Personal Data Protection Act (Wet bescherming persoonsgegevens - Wbp). For this reason, in such a situation the requirements set out in the Wbp must be met. Below is a summary of the main requirements.
- In principle an employer may only access an employee’s e-mailbox if he has a legitimate interest in doing so. This interest must outweigh the privacy interests of the employee concerned. An example of a legitimate interest could be to check whether during the employee’s absence any e-mails have been received which have to be answered.
- In addition, it must be absolutely necessary to open the e-mailbox. In this context, such things as the principles of proportionality and subsidiarity must be observed. The principle of proportionality means that the breach of the employee’s privacy must be proportionate to the interests of the employer. For example, this requirement implies that the employer, when reading the employee’s e-mails, must ignore private messages as far as possible. The employer can do this, for example, by initially only reading the subject line of the e-mail. Should the employer, while reading an e-mail, find that it is a private e-mail, he must stop reading it. In fact, the employer may only read private e-mails if he has a compelling reason to do so (such as a serious suspicion of unlawful behaviour). The principle of subsidiarity means that no other, less intrusive means may be available to achieve the desired aim. This requirement would be breached, for example, if the employer were to look in the employee’s mailbox indiscriminately while other options for achieving the desired aim are also available.
- The employee must be informed that his e-mails are being read, who is reading them and for what purpose (the duty of disclosure). The general rule is that this information must be passed on to the employee before the e-mailbox is accessed.
- In principle, each processing of personal data must be reported beforehand to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). This is not necessary if one of the exemptions of the Exemption Decree (Vrijstellingsbesluit) is applicable. For example, the processing of personal data in relation to network systems (such as opening/checking e-mailboxes) does not need to be reported if all the conditions set out in the Exemption Decree have been met.
In view of the duty of disclosure described above, it is advisable as an employer to draw up rules for the use of e-mail, in which it is made clear in what situations the employer could have access to the mailbox. The rules could also stipulate that employees must keep business and private e-mails separate in their mailbox. It is worth noting that on the grounds of Section 27(1)(k) and (l) of the Works Councils Act (Wet op de ondernemingsraden) such rules must be submitted to the works council for its approval.
Amendments per 2018
The General Data Protection Regulation (Regulation (EU) 2016/679) will enter into force on 25 May 2018. From that moment the same privacy legislation will apply throughout the EU. As a result of this Regulation entering into force, the Wbp will cease to be effective.
Under the new Regulation, the rules described above under points 3 and 4 will change. The rules under points 1 and 2 remain unchanged. First and foremost, the duty of disclosure is substantially extended. The employer (referred to in the Regulation as ‘controller’) must provide the employee (referred to in the Regulation as ‘data subject’) with the following information, amongst others (Article 14):
- the identity and the contact details of the party responsible for processing the personal data;
- the contact details of the data protection officer (in so far as this person has been appointed);
- the purpose and legal basis for the processing;
- the legitimate interests on which the processing is based;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; and
- the rights of the employee, including the right of access to and rectification or erasure of personal data or restriction of processing, the right of objection and the right to lodge a complaint to the Dutch Data Protection Authority.
Infringements of the duty of disclosure will be subject to a fine of up to EUR 20,000,000 or a fine of 4% of the worldwide annual turnover, whichever is the higher (Article 83).
After the Regulation has entered into force, the processing of personal data no longer needs to be reported to the Dutch Data Protection Authority. Instead the employer must keep a record of all its processing activities (obligation to maintain a record - Article 30). This record must contain, amongst other things, the information described above. The obligation to maintain a record does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of those involved, the processing is not occasional, or the processing includes special categories of data (such as information about a person’s health).
Infringements of the obligation to maintain a record will be subject to a fine of up to EUR 10,000,000 or a fine of 2% of the worldwide annual turnover, whichever is the higher (Article 83).