Case Studies Purpose Limitation


Processing employee’s personal data from their private email account/emails for disciplinary purposes

Two individuals were employed by an organisation that provides services to primary schools. Upon arrival at work, one individual found their personal email account open on their shared computer. A few weeks later, the individual's employment was terminated on foot of disciplinary proceedings. During the course of the proceedings, the individual was presented with printed copies of several emails from their personal email account. The second individual was also dismissed. It became apparent that a third party had been hired by the organisation to handle the disciplinary proceedings and that this third party had been provided with copies of both individuals' emails to each other.

The reason given for the termination was that both employees had been discussing a business plan that would make them a competitor to their then employer. The emails had been accessed and printed by the employer. Both individuals had also made access requests. Following the disciplinary proceedings and the dismissals, the individuals contacted the DPC and made their respective complaints. Both complaints referred to the processing of their personal data from the email exchanges found in the personal email account that one individual had left open on the shared computer, and to the subsequent processing of that data to conduct the disciplinary procedures that resulted in the termination of both staff members' employment.

The DPC began a parallel but separate examination of the complaints by asking the organisation to provide its lawful basis for processing the individuals' personal data from the personal email account and personal emails. The organisation responded that, when searching the email account for client information, it noticed that the account was a personal one, but also noticed discussions between the two employees about setting up a competing business. The organisation claimed that it had processed the individuals' personal data on the basis of legitimate interest, in that it was attempting to protect the business and its other employees. It also claimed that the processing was lawful because the individuals had consented to the processing of any and all of their personal data. It argued that this consent had been given when they were provided with a copy of the company privacy notice, which informed them that the organisation would process their personal data (including on all IT equipment and assets), and that the consent was evident in their signed contracts of employment.

In terms of the organisation's reliance on its employment contracts, company policy and privacy notice to show that the individuals had consented to the company using their personal data, the DPC noted that consent was not a valid lawful basis for processing personal data from personal email accounts in these circumstances. Additionally, for consent to be valid it must be freely given, specific, informed and unambiguous. Relying on the signing of a contract of employment as an indication of consent does not meet the criteria required to use this lawful basis for processing.

The DPC found that the organisation had infringed the individuals' data protection rights under Articles 5(1)(a), (b) and (f) of the GDPR, which set out the principles of lawfulness, fairness and transparency; purpose limitation; and integrity and confidentiality. Further, the initial accessing and viewing of the individual's personal email account breached their data protection rights, contrary to Articles 32(1) and 32(2) of the GDPR.

The organisation implemented a number of security measures to ensure that such an incident would not occur again, including staff training on the GDPR and on IT, internet and email usage, covering computer log-in processes.

Key Takeaway

  • Data controllers should be aware that privacy notices and contracts of employment stipulating that business equipment may be subject to monitoring for business purposes cannot amount to blanket consent for processing any employee personal data that is found on business equipment.