In the Netherlands, it is not uncommon for employers to suspect employees of irregularities. To prove an irregularity, such as sharing business-sensitive information, it is not unusual for an employer to search an employee's business mailbox. Sometimes, the evidence obtained may lead to the employee’s (immediate) dismissal. There are risks, however, and an employer must take certain considerations into account when deciding to examine an employee's business mailbox based on suspicion. Also, employees should understand when such an action is lawful, and what the potential negative consequences may be if the inspection is later found to be an unlawful infringement of privacy.
The following article explores the questions and risks faced by a Netherlands-based company when investigating suspicious activity by employees, and provides practical tools for employers.
When is control lawful?
An employer may not check an employee's business mailbox at all times. An employee has a right to privacy in the workplace with regard to the business mailbox (Article 8 ECHR). That right, however, is not unlimited. Checking a business mailbox qualifies as the processing of personal data and is therefore also bound by the rules of the GDPR.
Dutch judges will assess – based on the GDPR, good employment practices and Article 8 ECHR –whether the inspection of a business mailbox was appropriate and does not constitute an unlawful infringement of privacy. When assessing Article 8 of the ECHR, the points of view arising from the precedent of the Bărbulescu judgment include the following:
- Has the employee been informed in advance about the possibility of inspection?
- What is the scope of the inspection and how serious is the infringement of privacy (in terms of proportionality)?
- Does the employer have legitimate grounds to justify the inspection?
- Were less far-reaching measures possible (i.e. subsidiarity)?
- What consequences did the inspection have for the employee?
- Are the employees provided with adequate safeguards?
For example, the District Court of Midden-Nederland ruled that a one-off inspection of an employee's business mailbox did not constitute a violation of Article 8 of the ECHR. It was important that the employer had informed the employee beforehand that she could check the mailbox. Other circumstances such as inaccessibility, miscommunication and the fact that the inspection occurred only once also played a role in the assessment.
In another case, the same court ruled that it was unclear whether the business mailbox had been lawfully checked, as it was not possible to assess it against the above criteria because the employer was unwilling to be transparent about the reasons for the investigation and because of the manner the inspection was conducted. It was unclear whether there was a concrete, legitimate reason to justify the monitoring. These uncertainties led to the rejection of the request for dissolution.
Preventing negative consequences
Before accessing an employee’s business mailbox, it is advisable to make a careful assessment taking into account the points of view from the Bărbulescu judgment, the GDPR and the principle of good employment practice. After all, an unlawful privacy infringement can have negative consequences. These include awarding damages to the employee, awarding fair compensation in a dismissal case, the employee filing a complaint with the Dutch Data Protection Authority (AP) that may impose a measure, and (in exceptional cases) the court setting aside evidence obtained through the privacy infringement.
Concrete tips
To prevent unlawful inspection of the business mailbox and the negative consequences that can result, employers may consider doing the following:
- Lay down in a written policy what is and is not allowed in terms of internet, e-mail and telephone use. Also describe the possible consequences of a violation.
- Lay down in a written policy when and how covert monitoring of e-mail use is possible, with due observance of the GDPR. Involve the works council in drawing up or adjusting the policy. In this context, the works council has a right of consent.
- Ensure that the employees agree to the policy in writing to avoid disputes about commitment and knowledgeability.
- Make an assessment for each situation to determine whether inspection is necessary and proportionate. Weigh up the company's interests against the employee's right to privacy. Is there a concrete suspicion to justify examining the mailbox? Is a less far-reaching means available to achieve the goal? Record this balance test in writing.
- Keep the control to a minimum in terms of time and scope. For example, ensure that private emails in the business mailbox are not read. For instance, allow employees to put private emails in a separate folder.
In short, careful consideration and a clear policy are key.
For more information on drawing up or adjusting company policies, contact your CMS client partner or one of our local CMS experts.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.