ING – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled against ING's request to dissolve an employee's contract due to unclear email monitoring practices. The court found that ING did not meet the required standards for monitoring employee emails. This case emphasizes the need for companies to follow strict guidelines when monitoring employees.
What happened
The court ruled against ING's request to dissolve an employee's contract due to unclear email monitoring practices.
Who was affected
A former employee of ING who was monitored for alleged fraud.
What the authority found
The court found that ING did not meet the necessary standards for monitoring employee emails, as set by the European Court of Human Rights.
Why this matters
This ruling underscores the importance of adhering to privacy standards when monitoring employees, reminding companies to ensure transparency and proportionality in their monitoring practices.
National Law Articles
The controller is ING, a Dutch bank, and the data subject is one of its former employees. The controller had received signals of fraud: an anonymous report which stated that the data subject was involved in money laundering, skimming money of supermarkets he co-owned, and mortgage fraud. This, together with other elements, led the controller to monitor the email use of the employee, after which it became clear that the data subject had structurally used his work-equipment for private purposes. The controller requested the Subdistrict Court to dissolve the employment agreement on grounds of the culpable acts or omissions of the data subject. The Court, however, dismissed the request because it was unclear whether the controller had respected the conditions set by the ECHR in Bărbulescu for monitoring employees' email use. The Court held that, according to these requirements, the following questions must be asked:1. Was the employee informed in advance of (the nature of) possible monitoring of correspondence and other communications by the employer? 2. What was the scope of the monitoring and seriousness of the breach of the employee’s privacy (or: proportionality)? 3. Did the employer have legitimate grounds to justify the monitoring applied? 4. Would monitoring have been possible with less intrusive methods and measures? 5. What we're the consequences of the monitoring for the employee? 6. Have adequate safeguards been provided for the employee, especially in the case of intrusive monitoring? The Court stated that it was unable to assess whether (1) ING had a justification for monitoring the business emails, and (2) whether the monitoring was legitimate and proportionate. It therefore denied the controller's request who, in turn, appealed the Subdistrict Court’s decision. First, the Court of Appeal noted that the Subdistrict Court incorrectly referred to the guidelines listed in Bărbulescu as cumulative conditions. It followed that these conditions do not all hav
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for ING in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. ING - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: