Secure emails in the workplace
Email inboxes are a personal matter, at least in the private sphere. But what about business email addresses? Who may access them, and what does data protection require? Secure email and its correct handling are important to ensure that no internal data is leaked, and there should be clear rules for this.
Who can access the emails?
Employees’ email inboxes are essentially private. Although the mailbox belongs to the company, the employer may only access it under certain circumstances. This follows partly from employment law, but also from the German Federal Data Protection Act (BDSG). An email inbox is a personal area containing personal data that may not be accessed without further ado. The BDSG permits the employer to process personal data if this is necessary in the context of the employment relationship; however, reading the email inbox is unlikely to be necessary for this purpose. Access to emails is permitted at any time if it is necessary to uncover criminal offenses. In principle, access to the email inbox by third parties must be “appropriate and substantial for the purpose and limited to what is necessary for the purposes of the processing”. Or, in plain terms: you cannot simply rummage through emails at random. There must be a good reason to read an email, and only the email in question may be read.
Private use of the company e-mail account
Whether the company email account may also be used privately is up to the employer. The employer may prohibit private use, and if it does, compliance with this prohibition may be checked, which constitutes a reason to access the email account. Legal requirements must still be observed, however: employees must be informed that their email inboxes are being accessed, and the scope of the access must be disclosed. In addition, it must always be considered whether less intrusive means of monitoring exist. For example, traffic data (such as sender, recipient and timestamp) can be evaluated in general terms; in that case the email inboxes no longer need to be accessed directly in order to ensure compliance with the ban on private use.
What do I need to bear in mind when accessing?
We have established that there must be a reason for accessing an employee’s email inbox. If there is one, a few things must be borne in mind. Let’s assume you need to access an employee’s email inbox because they will be absent for a longer period of time. First, get a second pair of eyes: you never access someone else’s mailbox on your own. For example, involve the data protection officer or the works council. It is important that someone is present who, in case of doubt, can testify that the access was lawful and within its permitted limits. As mentioned above, access may only be granted to emails that are relevant to the purpose. This also means, for example, that only emails from a certain time period may be viewed; in our example, emails from the period when the employee was still present may not be opened. A written log of the access also does no harm: When did the access take place? Which emails were accessed? Why were these emails accessed?
Possible alternatives for access
With good planning in advance, there may be alternatives to directly accessing the email inboxes of absent employees. A substitution arrangement for periods of absence can be defined ahead of time; in this case another employee can access the emails during the absence, and the same rules for access apply as for any other reason. It is also possible to set up forwarding of all incoming emails during the absence, so that the emails go directly to the mailbox of another employee. A further option is the general use of shared (generic) email accounts, which are used by all employees in a department and to which everyone has access at all times.
Dealing with former e-mail addresses
If employees are given individual email accounts, sooner or later the time will come when certain accounts are no longer used: employees leave the company and new ones join. A departed employee’s email address should then no longer be used, or at least no longer than necessary. Initially, some emails will certainly still arrive until correspondents are moved to other accounts. As soon as the email inbox is no longer needed, the account should be deleted. Employees are entitled to the deletion of their personal data after they have left a company, and this includes the email account. Note, however, that retention obligations apply to emails: if there are still emails in the corresponding account that must be retained, they must be archived somewhere else. A sensible method for this is to create a general email account that serves as an archive for all such emails.
Conclusion
The handling of emails in the company should be governed by predefined rules, not only because legal requirements must be complied with, but also so that there is a structure within the company that all employees can follow.