Company receives serious criticism from the Danish Data Protection Agency for unlawfully accessing former employee's personal email account
Background of the Case
After the termination of the employment relationship, a dispute arose between the former employee and the company as to whether the employee had engaged in competing business activities during their employment in violation of their employment contract. This resulted in a civil lawsuit between the parties as well as the filing of a report to the police.
The case before Datatilsynet was initiated following the employee's filing of a complaint. The employee had discovered that the company had accessed their personal email account and used information obtained from this account in the civil lawsuit.
The company had accessed the former employee's personal email account for the purpose of "evidence preservation". The account was still open on the former employee's work computer, which had been returned upon the termination of their employment. The company had carried out a simple search for customers, and the emails in question were therefore allegedly related to work performed by the employee as part of their employment with the company. Some time passed before the company realised that the data was obtained from an account that was, in fact, a personal email account. However, the company continued searching and downloading the former employee's personal emails, even after becoming aware that it was a personal email account.
The company argued that the information in question did not constitute sensitive personal data or personal data in general, and that it merely concerned work performed by the employee. It was therefore the company's opinion that the downloading and disclosure of the information from the employee's personal email account did not constitute processing of personal data. In any event, the company stated that such processing was carried out in accordance with Article 6(1)(f) of the General Data Protection Regulation ("GDPR"). It was argued that the data was used solely for the purpose of a civil lawsuit against the former employee and as evidence preservation for the police.
Datatilsynet's Decision
Datatilsynet stated that - by accessing, downloading, and disclosing emails from the former employee's personal email account - the company had processed personal data concerning the employee.
Datatilsynet then assessed the company's reliance on Article 6(1)(f) of the GDPR as the basis for processing the personal data. According to this Article, processing of personal data may take place if it is necessary for the purposes of the legitimate interests pursued by the data controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Datatilsynet concluded that the company had not conducted a lawful balancing of interests. As a result, the company faced serious criticism for its processing of the former employee's personal data.
Among the key factors considered by Datatilsynet were that access was gained to a personal email account over which the company had no authority, and that the examination and review were targeted only at the work computer, the company having realised by coincidence that the work computer still had access to the employee's personal email account. Further, Datatilsynet attached importance to the fact that the company's search in the personal email inbox was likely to return a number of emails and search results that were unrelated to the company's specific purpose of data processing. It was also noted that access initially occurred incidentally during an examination of the employee's work computer. However, the company chose to continue reviewing the personal email account, even after becoming aware that it was a personal account.
The decision emphasizes the need for companies to:
- Implement clear policies and internal instructions on the processing of employees' and former employees' personal data.
- Establish a valid legal basis before initiating specific processing of personal data, and make sure that this is also established if the processing relates to an employee who has resigned from a position in the company.
- Be aware that the employees' personal email accounts are not at the companies' disposal.
- Be aware that a review of personal emails may constitute a violation of Section 263 of the Danish Criminal Code regarding the secrecy of the mails.
Implications for Employers
This case serves as a critical reminder for employers to ensure compliance with GDPR requirements to avoid regulatory scrutiny and potential reputational damage.
If you need assistance with GDPR compliance, Plesner is ready to help you ensure that your company's data processing practices align with current legal standards.