Brıef on Personal Data Protectıon Board’s Decısıon Dated 25.11.2021 Regardıng Employer's Access to Employee's Corporate E-maıl Account

25 Oct Brıef on Personal Data Protectıon Board’s Decısıon Dated 25.11.2021 Regardıng Employer's Access to Employee's Corporate E-maıl Account

Employers can provide many additional benefits to their employees, such as phones, computers, and cars. These may be beneficial in terms of business operations however they also may end up causing some problems due to the nature of the relationship between employer and employee. While these issues have been the subject of many labor court cases and criminal court cases within the scope of violation of privacy; they have also been evaluated by the Personal Data Protection Authority (“Authority”) within the scope of Personal Data Protection Law No. 6698 (“KVKK“) in cases where employees' data or corporate e-mail accounts are examined.

Within the framework of the Board’ decision dated 25.11.2021 and numbered 2021/1187, employer’s access to employee’s corporate e-mail account without a fair processing notice have been evaluated within the scope of KVKK. You can find the concerned decision here .

Personal Data Violation Allegation Regarding Employer's Access to Corporate Email Account

Following arguments have been put forward in the complaint made to the Authority;

• within the scope of the lawsuit to which they are on opposing sides with the employer, the personal data of the employee is accessed after the termination of the employment contract and processed without a fair processing notice and without obtaining explicit consent,
• there is no prior explanation or warning stating that the e-mail addresses provided to the employees should be used for business purposes only,
• customers’ and employees’ information are in the cloud servers that belongs to Microsoft Corporation and because these servers are located abroad, such actions constitute a violation of Article 9 of the KVKK and,
• a request has been made to the employer within the scope of Article 11 of the KVKK regarding the deletion or destruction of the personal data processed in violation of the KVKK.

Employer's Defense

The employer started its defense by stating that its former employee had seriously damaged the company by shifting business to rival companies during its tenure. It is also stated that; at the beginning of this tenure a corporate e-mail account has been assigned to the employee to carry out their business duties, and it is clear to a technically qualified IT employee that the corporate e-mail accounts should only be used for the purpose of business duties and subjecting this matter to an additional notice would be contrary to the ordinary course of life.

In addition, according to the employer’s statements; the employee should’ve considered that any private correspondence made at the workplace, from the corporate e-mail account during business hours is within the scope of employer’s internal audits. Therefore, the employee should be deemed to have given explicit consent to the employer since it should be assumed that the information in question was revealed to the public by the employee.

Evaluation in the Light of the Constitutional Court and ECHR Cases

The Board first made references to the high judicial decisions regarding this subject and then started its own evaluations.

In the decision dated 17.09.2020 and application number 2016/13010 of the Constitutional Court (“AYM”) regarding disputes arising from the communication tools provided by employers to employees, it has been emphasized that a resolution needs to be reached by evaluating the following criteria; (i) balancing the vested interests of the employer with the rights and freedoms of the employee, (ii) whether employer has a legitimate interest and a particular goal in mind, and the incursion is suitable for achieving this goal and that this goal cannot be achieved without a lesser incursion, (iii) informing employees about the process in advance and (iv) gathered data should only be restricted to the intended goal.

Also, with the decision dated 12.01.2021 and application number 2018/31036 of the AYM, it has been ruled that prior notice is a prerequisite for such access.

In addition, The European Court of Human Rights (“ECHR”) in its Bărbulescu v. Romanya Kararı decision states that since employees can have a private life in the workplace, it has been evaluated that the protection of personal data is extremely important in these matters. It was also stated that especially actions like monitoring the employees and accessing their communications should be carried out with caution and in accordance with the criteria determined by the ECHR.

In this context, considering the decisions of the AYM and the ECHR, it was stated that employer did not fulfil its obligation to inform in accordance with the article 10 of the KVKK and article 4 of the Communiqué on Principles And Procedures To Be Followed In Fulfillment Of The Obligation To Inform (“Communiqué”).

Finally, in response to the "made public" claim of the employer, it has been determined that the fact that employee made all its correspondence via its corporate e-mail account does not constitute an intention by the employee to make all its correspondence public.

Conclusion

The Authority mada the following determinations in its ruling:

• employer failed to fulfill its obligation to inform in accordance with KVKK and Communique and therefore an administrative fine amounting to 250.000 TRY shall be imposed, 250.000 TL idari para cezası kesilmesi,
• an ex officio investigation shall be initiated regarding the allegation of transferring data abroad and,
• regarding the employee’s erasure or destruction of its personal data request, there is no decision to be made since it is not possible to evaluate litigious matters.

This decision is of importance since the Board provides a required form for the prior notification to the worker stipulated by the Constitutional Court and ECHR decisions. The Board has filled a possible deficiency here by stating that the prior notification should be made in accordance with Article 10 of the KVKK and Article 4 of the Communiqué.

The conflict between employer's right to supervise its employees and the constitutionally guaranteed rights and freedoms of employees is a rather common issue. Today, with the development of opportunities provided in digital environments and increased time spent in these environments makes our business and private lives are more intertwined than ever before. This increases the risks of employers in the supervisions they carried out. It’s best to be aware of these responsibilities and act accordingly.

You can reach our İzmir Personal Data Lawyers to get expert legal support on the protection of your personal data or your company's personal data law compliance.