Imagine an employee recently left the organization and you need a document that is not stored in the correct location. You know that this employee received the document in his mailbox. As an employer, may you search this former employee's mailbox for it?
A business email address in the employee's name is logically used for business communications. But the mailbox may also contain personal emails, to which Article 8 ECHR applies:
'Everyone has the right to respect for his private and family life, his home and his correspondence.' (Article 8(1) ECHR)
Therefore, an employer may not simply view an employee's business mailbox. In certain cases, the employer can invoke a legitimate interest to gain access. Since employees may still experience this as an invasion of their privacy, it is wise to handle this carefully and avoid it as much as possible.
Ensure that work processes are set up so that access to employees' mailboxes is not necessary. A mailbox is a communication tool, not an archive. Make sure employees store important mails and information in the appropriate applications so that affected colleagues have access.
In addition, ensure that employees take measures in advance in case of planned absence or illness, such as setting up an out-of-office reply or automatically forwarding emails to a colleague. This prevents employee privacy from being violated merely because the organization has insufficient internal processes in place.
In certain cases, access to a mailbox is permitted. Consider, for example, situations where an employee suddenly drops out and is unable to arrange a handover. Access can then be based on legitimate interest (Article 6(1)(f) GDPR, known in Dutch as the AVG). It must be considered whether the interest of the organization outweighs the breach of privacy of the (former) employee. Three conditions must be met:
The organization has a legitimate interest in viewing the mailbox.
Inspection is necessary to serve the legitimate interest. In addition, there is no other, less privacy-sensitive, way available to achieve this goal.
The invasion of the employee's privacy does not outweigh the interests of the organization. To determine this, assess how serious the possible negative consequences of this breach are for the data subject, and ask yourself whether they outweigh the interests of the organization.
Finally, determine what measures can be taken to minimize the potential negative impact on the (former) employee. Consider measures such as:
Limit access to one person for a short, defined time;
Conduct a targeted search for the information needed. Clearly define the purpose of the access in advance. For example, formulate a concrete search term. Do not open emails that you can expect to contain personal information;
Do not send emails in the name of the absent employee;
If necessary, set up an out-of-office reply so that further intrusion is not necessary.
If possible, inform the employee concerned of the access provided. In general, inform employees in advance that the organization may, in exceptional cases, gain access to the mailbox and that this will only occur after careful consideration of interests. This can be done, for example, at the time of employment through the employee privacy statement.