Written by: Danica Černá Valentová, Marek Bugan, NITSCHNEIDER & PARTNERS
The Slovak data protection authority has ruled on two cases in which employers failed to deactivate former employees’ email accounts, and found the employer in breach of data protection rules in both.
The Office for Personal Data Protection of the Slovak Republic (DPA) has now dealt twice with employers keeping a former employee’s email account active and accessible after the employment ended. The first case concerned a private sector employer, the second a public sector employer. What were the DPA’s conclusions, and what were the consequences of the GDPR violations?
The private sector case
The proceedings were initiated by a former manager, who complained that the employer had not deactivated his email account after his employment ended and that the account was still active and being monitored by another manager in the company.
In its defence, the employer relied on legitimate interest. It claimed that it kept the account active to protect its property: because of the former manager’s business contacts, many client replies and even new requests were still arriving at that address.
The argument, however, never got beyond assertion, because the employer did not submit to the DPA a proportionality (balancing) test supporting that legitimate interest, and so could not prove it. The employer also failed to prove that it had informed the manager about the processing for this purpose, which deprived him of the opportunity to object to the processing and to its duration. These were the main reasons the DPA ruled against the employer.
In its reasoning the DPA also stated that legitimate interest can be a suitable legal basis for this kind of processing, but only for the period that is genuinely necessary; ten months cannot be considered necessary. This of course applies only if the employer properly fulfils its other GDPR obligations while the processing lasts.
The public sector case
After her employment ended, a former employee of a municipality created a fake email account and used it to send a question to her former work address at the municipality. Her aim was to find out whether the municipality had deactivated that account. When she received an answer, and so had evidence of a possible GDPR breach, she filed a complaint with the DPA.
The municipality argued that the former employee had not handed over her agenda properly. That mattered because she had communicated with various state authorities, social security agencies and health insurance companies, and had handled rental housing matters, among other things. The municipality therefore considered itself obliged to monitor the account so that it would not be held liable for damage or unlawful conduct.
Although the municipality’s arguments were reasonable, it failed to prove that it had formally met its GDPR obligations. In particular, the DPA stressed that there was no proof of a demonstrable legal basis. Because of that, the DPA did not go on to examine the other related issues, such as the duty to inform the data subject, proportionality, or the length of the processing (here, four months after the employment ended), and ruled that the employee’s rights under the GDPR had been violated.
Consequences and practice notes
In both cases the DPA imposed a minor fine of EUR 500. Each violation, however, concerned only one employee, and it is reasonable to assume that a more widespread violation would attract a larger fine.
In any case, these violations would not have occurred if the employers had asked, and answered, the following simple questions before the processing began:
- Will we keep an employee’s email account active after termination of employment?
- If so, do we have a legal basis for this processing, and can we demonstrate it?
- Have we carried out and documented a proportionality test to support our legitimate interest, so that we can produce it if the DPA asks for it?
- Have we informed the employee concerned about this processing of his or her personal data, including its purpose and duration?
- Will we process the former employee’s email for only as long as necessary, and have we fixed the date on which the account will be deactivated? (note: in Slovakia, ten months has been considered to exceed what is ‘necessary’)