In a decision dated December 7, 2022, the data protection authority addressed the question of whether the monitoring of employee e-mail logs is permissible from a data protection perspective.
The proceedings were initiated on the basis of a complaint filed by three employees against the respondent, alleging a violation of the fundamental right to secrecy under § 1 para. 1 Data Protection Act (DSG) claimed. In summary, it was alleged that the respondent – without the consent and knowledge of the complainants – had checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a violation of the trade secret.
In the present case, the data protection authority pronounced that the respondent requires a legal basis to carry out such a control measure. A sufficiently determined legal basis for such a control measure was not apparent in the case at hand.
Assuming that the respondent relies on legitimate interests within the meaning of § 1 para. 2 DSG respectively Art. 6 par. 1 lit. f GDPR such a weighing of interests would be against the respondent. The data protection authority came to the conclusion that the control measure, which took place only six months after the triggering incident, was not proportionate due to the lack of temporal connection and timeliness. As part of the weighing of interests, the fact that, in the opinion of the data protection authority, there was no valid consent from the works council also had to be taken into account as a factor.
As a result, it was pronounced that there was a violation in the right to secrecy. This decision is not legally binding.
Source: DSB Austria