Written by: Danica Černá Valentová, Marek Bugan, NITSCHNEIDER & PARTNERS

The Slovak data protection authority ruled on two cases where employers failed to deactivate the email accounts of former employees, concluding that the employer breached data privacy rules in both cases.

The Office for Personal Data Protection of the Slovak Republic (DPA) has now dealt with the issue of employers keeping access to a former employee’s email account, twice. The first case involved a private sector employer; the second a public sector employer. What were the findings of the DPA and what were the consequences of GDPR violations?

The case of the private sector

The procedure was initiated by a former executive who objected that the employer had not deactivated his email account after his termination and that it was still active and monitored by another executive within the company.

In its defence, the employer used the argument of legitimate interest. He claimed that the reason for not deactivating the email account was to protect the employer’s property, given the former manager’s former business contacts, many customer responses and even inquiries had been sent to this email.

However, the argument remained only at the level of assertion since the employer failed to submit to the DPA a test of proportionality in relation to this legitimate interest, and therefore to prove it. Moreover, the employer did not prove that the controller had received relevant information about the processing for this purpose, denying him the right to object to the processing and the duration of the processing. These are the main reasons why the DPA ruled against the employer.

In the reasoning for the decision, the DPA also stated that legitimate interest may be an appropriate legal basis for this type of processing, however, processing can only be carried out for a period of time necessary; ten months cannot be considered necessary. Of course, this only applies if the employer has properly fulfilled his other obligations under the GDPR when processing.

The case of the public sector

After her job was terminated, a former municipal employee created a fake email account. Subsequently, she used this fake account and sent a question to her municipality’s email address. His goal was to find out whether or not the municipality had deactivated this email account. Once she received a response, and therefore had evidence of a possible GDPR breach, she filed a complaint with the DPA.

The municipality claimed that the former employee had not submitted her diary correctly. This was important because she communicated with various state authorities, social security agencies, health insurance companies and took care of rental apartment diaries, among other things. The municipality was therefore obliged to monitor this email account to avoid being held liable for any damage or illegal behavior.

Although the municipality used reasonable arguments, it failed to prove that it had formally fulfilled its obligations under the GDPR. Specifically, the DPA pointed to the lack of evidence of a demonstrable legal basis. Accordingly, the DPA did not address other related issues such as the obligation to inform the data subject, the proportionality or the duration of the processing (in this case, four months after the termination of employment), and ruled that the employee’s rights under the GDPR had been violated.

Consequences and Practice Notes

In both cases mentioned, the DPA imposed minor fines of EUR 500. However, the violation in both cases involved only one employee, and we can only assume that a more widespread violation would result in a larger fine.

In any case, these violations would not have occurred if employers had asked and answered the following simple questions prior to treatment:

• Will we keep an employee’s email account active after termination?
• If so, do we have a legal basis for this processing?
• Have we developed a proportionality test to support our legitimate interest?
• Have we informed the employee concerned about such processing of their other personal data?
• Will we only process an employee’s emails as long as necessary? (note: in Slovakia, ten months was considered to exceed what is “necessary”)