Public sector – €1,500 Fine (Hungary, 2019)

An employer searched in the archived private e-mails of a former employee after noticing him. Could data controller be allowed to process non-work and work related personal data of former employee in any situation? The NAIH decided that the employer was not allowed to process the former employee’s private correspondence in his archived business e-mail account, since it found that the content of the business e-mail account constitutes personal data of the employee. It obliged the employer to delete the not work-related (private) e-mails of the account actively cooperating with the former employee concerned. The NHAI also instructed the data controller to provide adequate protection of the personal data during the use, archiving and searching in the archived business e-mail accounts of former employees by adopting the necessary internal policies and by giving notice to data subjects. According to the decision, the processing of personal data contained in e-mail accounts should be limited to the necessary time, while the data controller must establish a clear and justified retention period. The processing of e-mails with private content even in an archived form is unlawful if there is no adequate legal basis for the processing. However, the DPA acknowledged that there can be cases when selecting work-related and private e-mails is an unreasonable burden for the parties concerned and it may be impossible for them to guarantee the presence of the former employee in the procedure.