In a judgment delivered on 5th October 2018, in the names of Doreen Camilleri vs Information and Data Protection Commissioner, the Maltese Court of Appeal (Inferior Jurisdiction) decided an appeal from a decision of the Information and Data Protection Appeals Tribunal (the 'Tribunal').
The case related to an ex-employee of the European Union Programmes Agency ('EUPA') who claimed that her data protection rights had been infringed when following termination of her employment, the password to her work email inbox was changed, denying her access to the same while the EUPA's access to such work email inbox was retained. Ms Camilleri originally brought a complaint before the Information and Data Protection Commissioner ('Commissioner'), who had found that the EUPA had acted in compliance with Maltese data protection law. The complainant then appealed such decision before the Tribunal which also turned down her request, leading her to file a case before the Court of Appeal, which resulted in the present judgment. The Court of Appeal accepted the claims made by Ms Camilleri and revoked the decisions delivered by both the Commissioner and the Tribunal.
In reaching this decision, the Court of Appeal held that:
• The legal basis for processing personal data must be carefully determined (by data controllers) and it must be correctly applied according to the circumstances. In this case, while in the first instance the Commissioner had found for the EUPA, due to its data processing being carried out on the ground of legitimate interests, the Tribunal had instead found for the EUPA after concluding that the processing in question was based on the grounds of necessity for compliance with a legal obligation (Legal Obligation Ground) and of necessity for the performance of an activity carried out in the public interest (Public Interest Ground). However, the Court of Appeal was of the opinion that the ground of necessity for a purpose that concerns a legitimate interest (Legitimate Interest Ground) of the controller should have been the ground invoked and proven by the EUPA itself (and not the Legal Obligation Ground and/or the Public Interest Ground)
In addition to the above the Court of Appeal also held, inter alia, that:
• A work e-mail address containing an individual's name and surname is to be considered personal data.
• The fact that an IT manager might have access for a short period of time to an employee's email account does not necessarily mean that every time the inbox was checked, processing of personal data of that employee had taken place.