Get ready for the GDPR – Part 5: E-mails
E-mails remain an essential communication channel. Especially in the area of HR, e-mails will often contain personal data in relation to recruitment and HR administration. This means, that the General Data Protection Regulation applies to these e-mails. The same goes for companies that use different types of monitoring of their employees’ e-mails. This newsletter focuses on the existing and the new requirements that companies must be aware of by 25 May 2018 in relation to the use and monitoring of e-mails.
Companies’ use or monitoring of e-mails that contain personal data is already regulated by a number of rules, some of which are expected to be passed on, while several new rules will be introduced as a result of the new regulation.
General requirements for e-mails
In the future, companies must make sure that they live up to the new requirements in the regulation when sending e-mails containing personal data. We have looked at some of those requirements, which may affect the use of e-mails.
- Increased demands on data security
The Danish Data Protection Agency already requires that e-mails containing sensitive data, such as civil registration numbers or passwords, must be encrypted. In all other cases, the Data Protection Agency only recommends encryption.
The new rules increase the general requirements on data security. But they do not generally demand that e-mails are encrypted. As the current requirements are based on the general principles of good data practice, it is expected that the recommendation of the Data Protection Agency will be passed on and that companies should encrypt e-mails that contain sensitive personal data. However, by encrypting all e-mails containing personal data, companies will gain certain advantages, for example less strict requirements for announcing data breaches to all data subjects.
- Right of access and the right to be forgotten
The regulation increases the possibility of gaining access to data registered about oneself. To the extent that the company sends e-mails containing personal data, for example in relation to recruitment or dismissal, the new rules will place heavier demands upon the company to comply with such requests for access. Read more about the right of access here.
- The right to be forgotten
With the new rules, the company has an enhanced duty to erase all personal data, when the data is no longer considered as necessary for the purpose for which it was initially collected. As for the right of access, companies that send and receive personal data by e-mail will find it increasingly difficult to comply with requests to erase the personal data. Companies therefore have a clear interest in limiting the amount of personal data in e-mails.
The Danish Data Protection Agency has previously compiled guidelines for managing employees’ e-mails in relation to resignation. These guidelines are largely based on the general principles of good data processing practice and are expected to be passed on. Read more about the guidelines here.
- The obligation to keep records
Companies subject to the obligation to keep records must register every processing activity of personal data in the company, also when it happens by e-mail. Moreover, the company’s use of e-mails to send and receive personal data could, in itself, result in an obligation to keep records.
Monitoring of employees’ e-mails
Many companies see a need to protect the company’s data by introducing a form of monitoring of the IT-system, including the employees’ use of e-mails. The EU guide to processing of employees’ personal data acknowledges that there may be a legitimate need to monitor employees’ e-mails.
The requirements for initiating a way of monitoring e-mails are based on the principles of good data processing practice and objectivity and are passed on from the existing regulation. When a company wants to gain access to an employee’s e-mail, for example due to suspicion of misuse, three requirements based on the existing rules must be met:
- The monitoring must pursue a legitimate interest, for example the interest of control of use
- The employee must be given a clear and unambiguous notification of the measure beforehand
- The monitoring must not adversely affect the employee’s integrity
- The monitoring must be proportional and less extensive measures should be considered
Companies that introduce monitoring of employees’ e-mails must also consider whether the new requirements concerning the data protection impact assessment apply. This will often be the case if the monitoring makes use of new monitoring technology and includes sensitive personal data.
The requirement for clear and unambiguous information means that companies wishing to introduce monitoring should develop an e-mail policy, possibly as part of an overall data policy, and make sure that the employees have received, read and understood the policy before any monitoring is implemented.
Furthermore, companies must be aware of the general requirements for information and hearing in connection with the establishment of measures that are passed on in connection with the new rules. For example, companies covered by the agreement on control measures between the Danish Employers' Confederation and the Danish Confederation of Trade Unions must inform their employees no later than 6 weeks before the measures are implemented.
Many companies have, in accordance with the existing rules, inserted a provision on consent in their employment contracts to extend the access to monitor its employees without risking a breach of the law. With the new rules, the requirements for consent are made significantly more rigorous. Even though Denmark tries to carry on the access to give consent in employment relationships with the bill on protection of personal data, it is recommended to avoid the use of consent if the processing can be carried out on another basis, which will often be the case with monitoring of e-mails.
In addition to the new rules in the regulation, the rules in the Danish Criminal Code on the secrecy of correspondence, which also apply to e-mails, still apply. Companies should issue clear guidelines for the private use of work e-mail accounts – but even in this situation, the companies must be aware of the special protection.
IUNO’s Opinion
Companies should consider if their procedures and processes meet the existing and the new requirements within the area of personal data. We recommend that companies undergo a review of their processing of personal data and, if necessary, change their procedures, policies and contracts.
For e-mails in particular, we recommend that companies identify when and where e-mails containing personal data are being sent and received, which is something that generally should be kept to a minimum and, in some cases, be done in encrypted form. Additionally, we recommend that companies that have established or consider establishing monitoring of employees’ e-mails obtain a thorough review of whether the monitoring meets the new and stricter requirements.
Companies’ use or monitoring of e-mails that contain personal data is already regulated by a number of rules, some of which are expected to be passed on, while several new rules will be introduced as a result of the new regulation.
General requirements for e-mails
In the future, companies must make sure that they live up to the new requirements in the regulation when sending e-mails containing personal data. We have looked at some of those requirements, which may affect the use of e-mails.
- Increased demands on data security
The Danish Data Protection Agency already requires that e-mails containing sensitive data, such as civil registration numbers or passwords, must be encrypted. In all other cases, the Data Protection Agency only recommends encryption.
The new rules increase the general requirements on data security. But they do not generally demand that e-mails are encrypted. As the current requirements are based on the general principles of good data practice, it is expected that the recommendation of the Data Protection Agency will be passed on and that companies should encrypt e-mails that contain sensitive personal data. However, by encrypting all e-mails containing personal data, companies will gain certain advantages, for example less strict requirements for announcing data breaches to all data subjects.
- Right of access and the right to be forgotten
The regulation increases the possibility of gaining access to data registered about oneself. To the extent that the company sends e-mails containing personal data, for example in relation to recruitment or dismissal, the new rules will place heavier demands upon the company to comply with such requests for access. Read more about the right of access here.
- The right to be forgotten
With the new rules, the company has an enhanced duty to erase all personal data, when the data is no longer considered as necessary for the purpose for which it was initially collected. As for the right of access, companies that send and receive personal data by e-mail will find it increasingly difficult to comply with requests to erase the personal data. Companies therefore have a clear interest in limiting the amount of personal data in e-mails.
The Danish Data Protection Agency has previously compiled guidelines for managing employees’ e-mails in relation to resignation. These guidelines are largely based on the general principles of good data processing practice and are expected to be passed on. Read more about the guidelines here.
- The obligation to keep records
Companies subject to the obligation to keep records must register every processing activity of personal data in the company, also when it happens by e-mail. Moreover, the company’s use of e-mails to send and receive personal data could, in itself, result in an obligation to keep records.
Monitoring of employees’ e-mails
Many companies see a need to protect the company’s data by introducing a form of monitoring of the IT-system, including the employees’ use of e-mails. The EU guide to processing of employees’ personal data acknowledges that there may be a legitimate need to monitor employees’ e-mails.
The requirements for initiating a way of monitoring e-mails are based on the principles of good data processing practice and objectivity and are passed on from the existing regulation. When a company wants to gain access to an employee’s e-mail, for example due to suspicion of misuse, three requirements based on the existing rules must be met:
- The monitoring must pursue a legitimate interest, for example the interest of control of use
- The employee must be given a clear and unambiguous notification of the measure beforehand
- The monitoring must not adversely affect the employee’s integrity
- The monitoring must be proportional and less extensive measures should be considered
Companies that introduce monitoring of employees’ e-mails must also consider whether the new requirements concerning the data protection impact assessment apply. This will often be the case if the monitoring makes use of new monitoring technology and includes sensitive personal data.
The requirement for clear and unambiguous information means that companies wishing to introduce monitoring should develop an e-mail policy, possibly as part of an overall data policy, and make sure that the employees have received, read and understood the policy before any monitoring is implemented.
Furthermore, companies must be aware of the general requirements for information and hearing in connection with the establishment of measures that are passed on in connection with the new rules. For example, companies covered by the agreement on control measures between the Danish Employers' Confederation and the Danish Confederation of Trade Unions must inform their employees no later than 6 weeks before the measures are implemented.
Many companies have, in accordance with the existing rules, inserted a provision on consent in their employment contracts to extend the access to monitor its employees without risking a breach of the law. With the new rules, the requirements for consent are made significantly more rigorous. Even though Denmark tries to carry on the access to give consent in employment relationships with the bill on protection of personal data, it is recommended to avoid the use of consent if the processing can be carried out on another basis, which will often be the case with monitoring of e-mails.
In addition to the new rules in the regulation, the rules in the Danish Criminal Code on the secrecy of correspondence, which also apply to e-mails, still apply. Companies should issue clear guidelines for the private use of work e-mail accounts – but even in this situation, the companies must be aware of the special protection.
IUNO’s Opinion
Companies should consider if their procedures and processes meet the existing and the new requirements within the area of personal data. We recommend that companies undergo a review of their processing of personal data and, if necessary, change their procedures, policies and contracts.
For e-mails in particular, we recommend that companies identify when and where e-mails containing personal data are being sent and received, which is something that generally should be kept to a minimum and, in some cases, be done in encrypted form. Additionally, we recommend that companies that have established or consider establishing monitoring of employees’ e-mails obtain a thorough review of whether the monitoring meets the new and stricter requirements.
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing
