Personal Data Protection Board ("Board") has published the Board Decision ("Decision"), dated 25.11.2021 and numbered 2021/1187, regarding accessing the corporate e-mail account of the data subject, who is a former employee, by the data controller employer, without informing the data subject.
The following allegations were submitted to the Board in the complaint by the data subject:
- Data subject is a former employee of the data controller. In the evidence lists submitted to the case files in which the data subject and the data controller are the disputed parties it has been seen that the conversation contents between the data subject and his fiancé via e-mail, personal bank statements and expenditure records of the data subject were accessed.
- The data controller has not made any statement or provided information stating that the e-mail addresses given to the company employees may only be used for business purposes, and the audit criteria regarding such have not been determined, and the e-mail contents regarding the personal life of the data subject were seized by the data controller in bad faith,
- The personal data of the data subject has been processed in violation of the processing conditions stipulated in the Personal Data Protection Law Numbered 6698 (''PDPL''), and transferred to third parties, and that the data subject has not been informed and explicit consent has not been granted by the data subject.
As a result of its inquiry, the Board evaluated that:
- According to the criteria included in the decisions of the Constitutional Court and the ECHR regarding this issue, a corporate e-mail account is allocated to the data subject by the data controller within the scope of the business relationship to be used in corporate activities and to the extent required by the business, however, the data subject was not informed that the account may only be used for the purpose of performing the business or that the e-mails of the employees may be examined/supervised by the employer. Examination of the e-mails of the data subject by the data controller violates the PDPL, since the data controller did not meet its obligation to inform the employeein accordance with the PDPL.
- Since the data subject has not intended to disclose her/his personal data to the public, even if the data subject has made all her/his correspondence via her/his corporate e-mail address, this shall not amount to the data subject making his personal data public.
As a result of its evaluation, the Board decided that:
- Administrative fines shall be imposed on the data controller, since the examination of the e-mails of the data subject by the data controller is not based on any legal grounds stipulated in the PDPL, due to the fact that the data subject has not been informed in accordance with PDPL,
You may reach the full Turkish text of the Decision via the link below.
https://kvkk.gov.tr/Icerik/7269/2021-1187
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.