E-Mail and internet at work primarily serve the company’s business purposes. However, in many cases, employers allow or tolerate private use of company e-mailing or internet systems. This may result in severe restrictions for the company’s access to data stored in such systems. Companies are well advised to implement clear rules on (private) use in order to prevent undesired consequences.
1. Data Protection Authorities’ Guidance
The German Federal states’ data protection authorities’ assembly, the so-called Düsseldorf circle, has recently addressed unsolved problems regarding private use of company e-mailing and internet systems in a guidance note. The guidance note summarises the current state of discussion (see item 2.) and provides a number of recommendations and sample internal regulations on e-mail and internet-use in companies (see item 3.2. E-Mail and Internet-Use
As a matter of principle, company e-mail and internet-systems serve company purposes and may be used for private purposes with permission only, but requirements for such permission are rather low. Where an employer tolerates such use for a certain period this may be considered a permission. The consequences may be severe.
Following the data protection authorities’ opinion, the employer becomes telecommunication service providers upon such permission, is bound to ensure the secrecy of telecommunication and my access telecommunication contents under very restricted circumstances only. In particular, where this is strictly required for ensuring the systems’ security.
Such restricted access to telecommunication contents turn into a real problem for any company, where e-mails need to be retained for bookkeeping or taxation purposes, employees are absent without sufficient notice or telecommunication contents turn relevant in an employment related dispute. In the context of internet-usage, respective restrictions tend to be less severe and in particular affect monitoring (miss)use of corporate internet systems.
3. Internal Regulations
Clear internal regulations on permitted use of corporate e-mail and internet are for the above reasons essential, both for employers and employees. From a data protection perspective, prohibiting any private use of corporate IT- and communication systems would be the measure of choice. Where such prohibition is effectively enforced, the employer would in principle ensure unrestricted access to its corporate data. This way is, however, rather rarely chosen.
An alternative measure providing for employees’ access to corporate e-mailing and internet-systems while providing for access of the employer also, is described in the data protection authorities’ guidance note. This way includes a limited permission to using corporate internet systems while preventing private use of the corporate e-mailing-system. This would enable employees to use web-mailer for private purposes while the employer would not be restricted in regard to accessing the corporate e-mailing-system and reasonably monitoring.
As an alternative or additional measure, the employer may implement logging or monitoring of using corporate e-mail or internet-systems in respective internal regulations (e.g. an e-mail and internet policy) or a works council agreement.
Such general regulation may be implemented in connection with an individual request for consent to respective measures as a condition for the permission of private use. The employer shall in this context ensure that employees may express or reject their consent free of disciplinary consequences whatsoever. He may, however, make consent the condition for using corporate e-mailing and/or internet-systems.
Implementing such internal regulations triggers codetermination rights of the works council for implementing technical systems of any kind that may be used for monitoring employees’ behaviour at work. Where a works council is in place, a works council agreement would typically be the regulation of choice.
Private e-mail and internet use are not regulated in an appropriate manner in many companies. Such companies should carefully assess their internal regulatory framework. In this context, the worst solution is no internal regulation. In order to tailoring the fitting approach for each company, the data protection authorities’ guidance note provides valuable advice.