Already the existing guidelines or viewpoints of the information commissioner have pointed out that the employer has the legitimate interest to supervise the use of his company resources and to ensure a smooth and efficient workflow, however, also the employee certainly has the right to privacy at workplace, as the employee has to be treated as an individual who in addition to the obligations from employment relationship has also rights of personal nature. Therefore, the employer has the right to intervene with employee’s right to privacy only in cases when the legitimate interest of the employer prevails over the interests of the employee and provided that the supervision measures are proportional, minimally invasive with regard to the given circumstances, defined previously and the employee has been informed of them in advance.
Absolute prohibition to use company resources (e.g. telephone, internet and similar) for private purposes is unrealistic (particularly given the time that we spend at work) and unacceptable. This view is shared also by the recent judgment of the European Court of Human Rights (ECHR) issued in the matter Barbulescu v. Romania dated 5 September 2017. In the said matter, the employer prevented the employees from using any (company) resources for private purposes, and informed the employee that he is monitoring his communication. The employee violated employer’s instruction and used internet and Yahoo Messenger for private purposes (which resulted in his dismissal). Irrespective of employee’s violation, the ECHR established that by supervising communications, the employer breached employee’s right to privacy at workplace.
ECHR agrees that the employer has legitimate interest to organise efficiently the workflow and it is thus not deemed as unreasonable that he wants to check or control the purposefulness of use of his company resources, fulfilment of employee’s obligations from employment relationship, protect business secrets of the company and the like. On the other hand, the employee has the right to privacy at workplace, as “entering” employer’s premises and using employer’s company resources does not mean that thereby he waived fully his right to privacy. Since this is a conflict between two legitimate rights, it needs to be weighed in each particular case which right should be given priority to ensure a fair balance between employee’s privacy right and employer’s right to ensure a normal and lawful operation of the company.
The court stressed that irrespective of the limitations that were laid down by the employer in the present case regarding the use of company resources, employer’s instructions cannot reduce employee’s right to privacy at workplace to “zero”. The ECHR stressed that the measures for monitoring the correspondence and other communications of employees have to be applied in accordance with the principle of proportionality, thereby providing the employees with adequate guarantees in case of ungrounded or excessive interference with their right to privacy at workplace.
In relation thereto, the court has defined the factors that need to be taken into account when weighing the lawful interests of the employer and the employee. First, it needs to be examined whether the employee has been notified in advance of the possibility that his communications will be monitored or supervised and of the implementation of such measures (the notification of the employee on supervision and measures taken should be clear and given in advance in order for review and supervision to be lawful). The employee has to be informed of the extent of supervisory measures taken by the employer (e.g. which data is being collected and who has access to it). It also needs to be examined whether the employer has provided legitimate reasons to justify the monitoring of communications and accessing their content (reviewing the content, as a more invasive method, is allowed only as an exception). It is also always necessary to examine, whether it would have been possible to establish monitoring or supervision with less intrusive methods and measures. In this context, it has to be taken into account for what purposes the results of monitoring operation are being used by the employer and whether there were adequate safeguards available to the employee in order to prevent abuses.
Only if having regard to all the above-stated criteria the legitimacy of interference with employee’s right to privacy at workplace can be justified, the measure of supervising and reviewing employee’s communications is lawful. Thus, the employer can in no event rely on the fact that his behaviour is correct, because, for instance, in internal acts or agreements with employees he has laid down that any use of company resources (telephone, computer, internet …) for any private purposes of the employee is prohibited. Legitimate interest of the employer to review and supervise employee’s electronic communications will be demonstrated only to the extent that the lawful interests of the employer prevail over employee’s right to (communication) privacy at workplace. However, it should not be overlooked that also a person who sends a message (of private nature) to an employee who is subject to supervision by employer enjoys the right to communication privacy under the Constitution of the Republic of Slovenia, therefore by reviewing the content of messages received by the employee the employer may unjustifiably interfere also with the rights of third persons.
Thus, the employers have to be very careful when supervising employees’ communications. Therefore, the employers are recommended to check whether their practice in relation to monitoring and reviewing employees’ communications is lawful. Namely, if the conditions for interference with employees’ right to privacy at workplace have not been fulfilled, employer’s behaviour is deemed unlawful and may also involve elements of criminal offence. The current practice of the information commissioner is in line with the recent ECHR judgment or in some aspects even slightly stricter, therefore we recommend that the employers examine thoroughly the compliance of their policies with regulations on the protection of personal data and communication privacy.