Access to employees' emails

Access to employees' emails during absences or after termination of employment

The issue of access to employees' email accounts has given rise to many questions from employers and employees on how to proceed correctly from a legal point of view. A particular issue is whether IT resources such as an email account or access to a server can be blocked once someone has decided to leave their job or when they are absent.

In general, do employers have the right to read their employees' emails?

A distinction must be made between private and business emails.

Employers have a legitimate interest in having access to their employees' business emails (security, limiting the risk of abuse, organisation and planning of work, checking that work has been done and business is progressing, etc.). Employers may in this case access employee emails in compliance with the principles of data protection, in particular proportionality and transparency, and in accordance with the framework specified in Article 26 of Ordinance 3 to the Employment Act (EmpO 3).

However, employers are not allowed to read the content of employees’ private emails, provided these are indicated as such in the subject box (as 'personal' or 'private'), stored in a folder entitled 'personal' or 'private' or recognisable as such by the nature of the message. Employers may access employees’ private emails if they have a legitimate interest, such as a suspicion of criminal activity, even if the use of email for private purposes is prohibited by the company's internal regulations.

Where there is no indication of the nature (business or private) of an email and it is not clear from the addressee that the email is private, companies may assume that the email is business-related. If there is any doubt, the employer should clarify the issue with the employee. Both employees and persons sending emails to the company should be informed that emails not marked as private may be treated as business correspondence.

In order to better distinguish between business and private email, the company may also decide that business email should be sent with a company address (e.g. info@) rather than personal addresses (firstname.lastname@).

In the event of a dispute, it is up to the courts to assess the legality and proportionality of the employer's action in accessing the email system.

When can an employer access an employee's email when the employee is absent for any foreseeable or unforeseeable reason?

For the sake of transparency and predictability, we recommend that employers draw up internal regulations specifying the rights and duties of each person with regard to the use of IT tools. This helps to clarify the situation, prevent conflicts and may prove essential in the event of termination of employment or absence due to illness or accident. Internal regulations establish clear responsibilities, which can also encourage employees to take their own steps to protect their privacy. The rules for using IT tools should be set out clearly in the regulations and should be explained to employees, for example in an internal training course, so that everyone is aware of what is required.

We recommend the following procedure for managing email and server access in the event of departures or absences due to illness or accident:

Access to the emails of employees who have left the company

When employees leave a company, they normally have to pass on outstanding business and their email correspondence to a colleague before leaving. Often they confirm in writing that they have handed over to the company all documents of a professional nature. The company should offer employees the opportunity to copy their private e-mails and other private documents to a private data carrier, and also to delete them from the company's servers. Items of a professional nature that are still of use to the company or that are unfinished business must be passed on to the person who is handling the departing employee’s work or to a superior.

At the latest on the last day of work, the access rights to a departing employee's email (as well as to his or her other computer accounts) should be cancelled and his or her mailbox (as well as all other personal data carriers) deleted. Computer accounts should also be deleted after a certain period of time. If an employee is suspended or dismissed without notice, the account data should be secured immediately and the access rights eliminated, at the latest on the last day of work.

If an employee dies suddenly, his or her email account should be blocked immediately and the data saved. Emails and other private data should then be sorted through with the assistance of the deceased’s next-of-kin.

People who send an e-mail to the employee after he or she has left should receive an automatic response telling them that the email account has been deleted and providing them with an email address to which they can forward their message. Emails should not be automatically forwarded within the company.

Access to an employee's email when they are absent due to illness or for any other foreseeable or unforeseeable reason

In the event of a foreseeable absence (such as holidays, leave or military service), employees should activate their automatic out-of-office replies and write a message to be sent in response to any incoming mail. It is a good idea not to automatically redirect incoming emails to your superior's email address. Firstly, it is not possible to guarantee that only messages of a professional nature will be redirected, and secondly, senders have no means of preventing their messages from being redirected. It is therefore best for employees to provide an automatic out-of-office reply that indicates the email address to which the sender can forward the message (e.g. to the secretariat or other colleague), if he or she wishes to do so.

In order to prevent problems arising in the event of absence due to illness or accident, a replacement should be designated from the outset. If this has not been done and it is not possible to wait for the employee to return, emails should be read by at least two persons at any time.

Logins and passwords are confidential and should not be passed on to the employer unless there is an exceptional case and a good reason for doing so, for example, if an employee who is absent has business-critical information on their workstation. For the company, it is advisable to list these rules in regulations, and to log every access to the company's mail server.

Adherence to these principles helps to ensure that an employee's departure goes smoothly and prevents problems arising from illness or accident.

Last modification 11.05.2023
