Authors: Dr. Gönenç Gürkaynak, Ceren Yıldız, Yasemin Doğan and Derya Başaran of ELIG Gürkaynak Attorneys-at-Law
In April 2023, the Turkish Personal Data Protection Authority (“DPA”) published a summarized version of the Personal Data Protection Board’s (“Board”) decision dated January 19, 2023 and numbered 2023/86 regarding "processing of personal data by the data controller by monitoring, accessing and storing the contents of the corporate e-mail address allocated to its employees" (“Decision”) [1].
The Decision was rendered upon the complaint of a data subject who was formerly employed as “Marketing and Internal Communications Manager” at the data controller company. The company terminated the employment contract on the grounds that the data subject had sent data within the company to his/her personal e-mail address via the e-mail address allocated by the company, and that a phone call with another employee of the company had been secretly recorded and sent to his/her personal and lawyer’s e-mail addresses. Accordingly, the data subject initiated a re-employment lawsuit against the employer company and also applied to the data controller company within the framework of his/her rights under Article 11 of the Personal Data Protection Law No. 6698 (“Law”) [2], but stated that the response he/she received from the data controller was insufficient.
Thereupon, the data subject submitted a complaint before the DPA, stating that the forms submitted by the company at the beginning of his/her employment did not contain content regarding personal data processing procedures, including all actions on the computer and email content, and in this sense, the forms/commitments attached to the employment contract were in the nature of blanket consent. Additionally, it was stated that the explanations in the documents contained ambiguities, and that this situation also constituted a violation of Article 5 of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation [3].
In addition, the data subject stated that the company also violated the "Ethical Rules and Disciplinary Regulation" annexed to the employment contract, because it relied on the e-mails as grounds for termination even though the six-working-day and one-year deprivation periods mentioned in Article 26 of the Labor Law [4] and the relevant Disciplinary Regulation had expired. It was alleged that the e-mail messages were created 607 days and 149 days before the date of termination, and that this indicates that the company monitors the e-mail messages, stores them indefinitely and has general control over the e-mails on which the grounds for termination of the employment are based.
Another claim of the data subject was that the personal data processing activities in question were in violation of the principles of accuracy and proportionality, that two documents were submitted to the case file by the company lawyers in the re-employment lawsuit, and that the pages of three separate documents were changed to create the perception that the data subject has been informed, clarified or committed. Therefore, it was alleged that the personal data was processed unlawfully by monitoring, accessing and storing e-mail contents.
In its defense, the data controller company stated that the data subject worked in a managerial position in the company and had been informed about the privacy and personal data protection legislation, that the data subject's behavior constituted a violation of the legislation, the employment contract, and the personal data protection and confidentiality commitments, and that the employment contract had been terminated for valid reason. The data controller also stated that the allegation that the pages of the appendices submitted to the case file had been changed with the intent to deceive was an inappropriate allegation against the company, and that it is not possible for the company to resort to such behavior.
The data controller also referred in its defense to the DPA’s precedents stating that there is no illegality in accessing correspondence from company servers via a company e-mail account, and noted that the precedents emphasized that "the e-mails of which there is no doubt when used for company-related business and transactions will not contain personal content". In this context, the company examined the e-mail accounts by a sampling technique in order to control external communications and transfers. It also stated that the employees were informed about this processing activity, that personal use of corporate e-mail should be avoided, and that these e-mails can be audited.
As a result of the investigation carried out on the subject matter, the Board specifically addressed the following issues: (i) a balance of interests should be established between, on the one hand, the employee's right to the protection of his/her personal data in the course of the control of the communication tools allocated to employees by the employer and, on the other hand, the purposes of ensuring the efficient use of resources, protecting commercial confidentiality and management risks, preventing crime by employees, protecting against criminal and legal liability, and controlling the flow of information; (ii) the Constitutional Court’s decision dated September 17, 2020 with application number 2016/13010 [5] and the European Court of Human Rights’ (“ECtHR”) "Bărbulescu v. Romania" decision [6] should be taken into account in concrete cases, as these decisions briefly include evaluations of the principles under which the employer can carry out audits. In this context, the Board stated that, while balancing the employee's right to the protection of personal data and the employer's right to audit, certain criteria should be considered and examined one by one for each case, such as whether the employer informs the employee about the possibility of taking measures to control the communication and about the implementation of these measures, whether this information is given clearly before the monitoring, and whether a distinction is made between the scope of the monitoring by the employer and the degree of interference with the employee's privacy.
The Board also referred to the International Labor Organization's guide on the protection of workers' personal data [7], stating that if the employees are monitored, the International Labor Organization should be informed beforehand about the reasons for monitoring, the timetable, the methods and techniques used, and the data to be collected, and that the employer should minimize the interference in the private life of the employees. The Board, however, referred to the principles set out by the Article 29 Working Group in its working document on the surveillance of electronic communications in the workplace and emphasized that an evaluation should be made on whether the monitoring is transparent for the employees, whether this monitoring is necessary for the employer and whether the same result can be achieved with more traditional methods, whether the personal data to be processed is legal for the employees and whether the personal data is proportionate to the intended purpose.
The Board by reviewing the documents submitted by the data controller concluded that the work documents provide information on the purposes for which e-mail correspondences can be processed by the employer, in which cases personal data can be processed by monitoring emails, and indicate that corporate e-mails can only be used for work purposes, and personal use should be kept at the most reasonable level. Accordingly, the data subject has made a statement that they have read and understood the matters referred in the documents by signing them, and therefore, it has been evaluated by the Board that the data controller fulfilled its clarification obligation.
On the other hand, the Board evaluated that there is no concrete indication supporting the claim that the data controller tried to create a false impression by altering the contents of the clarification texts and explicit consent texts, and that, if the data subject claims that the documents he/she signed are misleading, the data subject may apply to the judiciary.
Regarding the purpose and legal basis of the personal data processing activities carried out through e-mail control, the Board concluded that the data controller, a company engaged in commercial activities in the clothing sector, has a justifiable interest in processing personal data by means of e-mail control in order to require that no business secrets or other information be shared with third parties, to ensure that corporate communication tools are not used for personal purposes, and to ensure that the employee, during the continuation of the business relationship, does not use them for his/her own benefit or disclose the relevant data to others.
The Board emphasized the importance of distinguishing between control of the communication flow and control of the contents of the communication, noting that monitoring the contents of the communication depends on more stringent reasons, and that the employer's purpose in controlling the use of e-mail primarily concerns use contrary to the interests of the employer rather than the content of the communication. The Board found no illegality in the process, considering that an audit of the communication content should be made after the detection of situations that may constitute a security, loyalty or usage violation, that the data controller can therefore reveal whether any violation has occurred only through content control, limited to the relevant employee and to the personal data needed for the purpose, and that the personal data processing activity was carried out only within the scope of the intended purpose.
In addition, the Board evaluated that the personal data obtained through the e-mail control is directly related to the termination of the employment contract. Accordingly, the Board stated that the employer, as the data controller, exercised its right of explanation and proof regarding the termination of the employment contract and, in this respect, found nothing unlawful in the data obtained through e-mail control, which is in the nature of personal data, being made the subject of the notice of termination.
Finally, the Board evaluated that the personal data processing activity carried out by storing the e-mail data for a period of approximately two years does not contradict the general principles regulated in law.
Accordingly, the Board decided that there is no action to be taken against the data controller within the scope of Data Protection Law.
[1] https://kvkk.gov.tr/Icerik/7593/2023-86 (Last accessed on April 26, 2023).
[2] https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5 (Last accessed on April 26, 2023).
[3] https://kvkk.gov.tr/Icerik/5443/AYDINLATMA-YUKUMLULUGUNUN-YERINE-GETIRILMESINDE-UYULACAK-USUL-VEESASLAR-HAKKINDA-TEBLIG (Last accessed on April 26, 2023).
[4] https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=4857&MevzuatTur=1&MevzuatTertip=5 (Last accessed on April 26, 2023).
[5] https://kararlarbilgibankasi.anayasa.gov.tr/BB/2016/13010 (Last accessed on April 26, 2023).
[6] https://hudoc.echr.coe.int/fre#{%22itemid%22:[%22001-177082%22]} (Last accessed on April 26, 2023).
[7] https://www.ilo.org/wcmsp5/groups/public/---ed_protect/---protrav/---safework/documents/normativeinstrument/wcms_107797.pdf (Last accessed on April 26, 2023).