Key Takeaways
- Monitoring an employee’s business email is permissible, but only where it is necessary to ensure work organisation enabling full use of working time or the proper use of work tools made available to the employee.
- The employer must define the purposes, scope and manner of applying such monitoring in the work regulations, collective bargaining agreement or notice, inform employees of this no later than two weeks before it is implemented, and display appropriate notices.
- Email monitoring may not infringe the secrecy of correspondence or other personal rights of the employee, even where the employer has prohibited the use of the employee’s business mailbox for private purposes.
- Before implementing monitoring based on the legitimate interest ground, it is necessary to carry out a legitimate interest assessment (LIA) and a Data Protection Impact Assessment (DPIA), as well as to document compliance of the measures taken with GDPR requirements.
- Ad hoc, incidental email checks do not constitute monitoring within the meaning of the Labour Code, but they must also be proportionate, transparent and carried out with due respect for the employee’s privacy.
May an Employer Access an Employee’s Business Email?
Access to an employee’s business email is possible. This is supported both by the provisions of the Labour Code, which permit monitoring of employees’ email, and by the employer’s general supervisory powers. The use of a business mailbox is part of the performance of work and may therefore be subject to control.

An employer who entrusts staff with duties involving access to confidential information should be able to supervise whether such information is being used properly.
The possibility of accessing email is also supported by the nature of business correspondence: it is conducted on behalf of the employer, has business significance for the employer, affects the continuity of services and takes place in the course of performing employee duties. This does not, however, mean unrestricted and unlimited access to business email. The employer must meet specific requirements, including the principles of necessity, proportionality and transparency of the measures taken.
Employee Email Monitoring and GDPR
Monitoring of an employee’s business email carried out by the employer, as well as access to such email that does not constitute such monitoring, involves the processing of personal data. Consequently, the employer, as data controller, must ensure that these activities also comply with GDPR requirements, in particular with the principles set out in Article 5 GDPR and the information obligation arising from Article 13 GDPR. This means, among other things, that the employer is entitled to process personal data derived from monitoring only to the extent necessary, with due regard to the principles of lawfulness, data minimisation, proportionality and transparency.
Which provisions govern the employer’s access to an employee’s business email?
Monitoring of business email should be carried out in accordance with the applicable rules, in particular the GDPR. With regard to employees, the Labour Code should also be taken into account, and with regard to collaborators – the Civil Code (although it does not directly regulate this subject matter, it applies, among other things, in relation to the protection of personal interests).
Persons providing work under civil law contracts are not subject to the rigours of the Labour Code, but the measures taken in relation to them must likewise comply with the law. The principles of proportionality, transparency and respect for dignity – arising from labour law – provide a good point of reference for analogous actions in this area. The relevant requirements, arrangements and consequences of their breach should be set out in contracts with such persons or in procedures with which they undertake to comply. In every case, action should be taken with due respect for dignity, privacy and the secrecy of correspondence.
The possibility of accessing business email should above all be formally communicated. The persons concerned must know that the employer may gain access to their email, as well as when this may occur and how it will be carried out. This is important in view of these persons’ informational autonomy: awareness of monitoring enables them to actually influence the scope of information provided to the employer (for example, they will not include private content in business correspondence).
As a rule, covert monitoring is regarded as unethical. Such a form facilitates infringements of personal interests, which further supports the view that access to email should always be transparent. The conclusion that transparency is necessary also follows from national and EU case law.
For example:
In its judgment of 3 April 2007 (application no. 62617/00), delivered in an employment case, the European Court of Human Rights held that the collection and retention – without the applicant’s knowledge – of information relating to her telephone calls, email correspondence and use of the Internet constituted an interference with her right to respect for private life and correspondence within the meaning of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms.
In its judgment of 13 February 2014 (case ref. I OSK 2436/12), the Supreme Administrative Court held that employee monitoring must comply with the requirements of lawfulness, legitimate aim, proportionality and transparency, and must also take into account data protection rules. Transparency means that employees should be aware that they are subject to monitoring. The employer is therefore required to set out the rules of monitoring in detail and make them known to employees, who should confirm their knowledge and acceptance by signing an appropriate statement. The Supreme Administrative Court judgment was delivered on the basis of the then-applicable Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In recital 33, that directive stated: “Data which, by their nature, are likely to infringe fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent”. For that reason, the judgment placed emphasis on the issue of acceptance, which is no longer relevant under the current legal framework.
How can trade secrets and other legally protected information be safeguarded?
Under Article 100 § 2 points 4 and 5 of the Labour Code, an employee is obliged to act in the interests of the employer, including by keeping confidential information whose disclosure could expose the employer to harm, and to observe any confidentiality obligations laid down in separate provisions. Information covered by protection undoubtedly also includes trade secrets.
A trade secret is a narrower concept than “information whose disclosure could expose the employer to damage”. The employer may also classify in the latter category information that does not fall within the catalogue of trade secrets.
An organisation should define which information requires confidentiality and what consequences follow from breaches in this regard. Specifying these matters (e.g. in work regulations, internal orders, employment contracts and contracts with collaborators) can prevent doubts and disputes. This is one of the key actions an employer should take in order to keep information confidential and enforce compliance with the established rules.
When and how should email monitoring be introduced?
Employee monitoring is governed by the Labour Code. Email monitoring is addressed in Article 22³ and Article 22² § 6–10. In order to speak at all of the use of this form of monitoring, specific circumstances justifying its introduction must exist. The implementation itself must be carried out in a formal manner, as specified by the provisions of law.
Article 22³ of the Labour Code:
- § 1. If necessary to ensure work organisation enabling the full use of working time and the proper use of the work tools made available to the employee, the employer may introduce monitoring of the employee’s business email (email monitoring).
- § 2. Email monitoring may not infringe the secrecy of correspondence or other personal rights of the employee.
- § 3. The provisions of Article 22² § 6–10 shall apply accordingly.
- § 4. The provisions of § 1–3 shall apply accordingly to other forms of monitoring than those specified in § 1, if their application is necessary to achieve the purposes specified in § 1.
It follows from Article 22³ of the Labour Code that email monitoring is permissible if it is necessary to ensure:
- work organisation enabling the full use of working time and
- proper use of the work tools made available to the employee.
In legal scholarship, it is generally accepted that, notwithstanding the use of the conjunction “and” instead of “or”, a functional interpretation indicates that fulfilment of one of the prerequisites is sufficient for this form of monitoring to be applied.
It is worth noting that the prerequisites for the use of email monitoring differ from those applicable to video surveillance. In the case of the latter, one of the grounds for its use may be the necessity to preserve the confidentiality of information whose disclosure could expose the employer to harm. The legislator did not, however, provide for a comparable ground for monitoring business email. Nevertheless, the position seems well-founded (although it is sometimes disputed in legal scholarship) that checking whether an employee is not using business email in a manner that infringes trade secrets qualifies as an action verifying the proper use of a work tool.
What may be the scope and method of email monitoring?
Having regard to the stated purposes, the employer must assess whether the introduction of monitoring is proportionate and necessary to achieve them. Monitoring may be carried out only where it proves necessary. The assessment should also cover the scope of the monitoring: whether, for example, it is sufficient to analyse the number of messages sent and received, the time they were sent, response time or recipient data, or whether it is necessary to use more advanced measures, such as automatic scanning of attachments, detection of suspicious links, detection of mass data exfiltration or monitoring of keywords.
It is difficult to justify a situation in which the employer regularly reviews the content of an employee's correspondence. Such action may be excessive, may create the impression that it is targeted against the employee and, as a result, may lead to an infringement of the employee's personal rights. The scope of monitoring should therefore be clearly defined and communicated to employees. They should also know in which situations access to the full content of their correspondence is possible.
What documents are required when introducing monitoring?
The employer must expressly regulate the purposes, scope and method of applying the monitoring in the work regulations or in the collective labour agreement. If the employer is not obliged to establish work regulations and is not covered by a collective labour agreement, the appropriate document is a notice.
The purposes of monitoring arise from the Labour Code. The scope and manner of its implementation are determined independently by the employer. In this regard, it is worth proceeding on the assumption that the greater the transparency of the process, the lower the risk of infringing the dignity and other personal rights of employees.
How should the rules for using business email be regulated?
The employer should establish rules for the use of business email. For example, it may provide that business correspondence may not result in the disclosure of trade secrets or other confidential information to unauthorised persons. It is also worth specifying what information falls within this scope and what consequences may follow such disclosure. Disclosure may occur not only as a result of sending information to an unauthorised recipient who is a third party, but also when an employee sends it to their private email address.
A separate issue requiring regulation is whether an employee may use business email for private purposes. Allowing such use certainly creates an additional risk for the employer of infringing the confidentiality of the employee's correspondence or other personal rights. If the employer prohibits the use of business email for private purposes, it may assume that all correspondence conducted via that email is strictly business-related.
How should employees be informed about the introduction of monitoring?
The Labour Code obliges the employer to inform employees about the introduction of a new form of monitoring in the manner adopted within the organisation. The information must be provided no later than two weeks before the monitoring is activated.
The employer must also ensure that the area covered by monitoring is properly marked by means of signs or audible announcements. This must be done no later than one day before the monitoring is activated. In the case of email, the relevant information may appear, for example, as a message displayed when opening it, when logging into the user account in the system, or in the form of a sticker on the computer (it should be ensured that it is always placed in the appropriate location). The message should be visible and legible.
How to ensure that monitoring complies with GDPR?
GDPR requires that the legal basis for data processing in the area in question be identified. Processing must comply with the principles arising from this act, including lawfulness, fairness, transparency, purpose limitation and data minimisation. The provisions also require that processing be necessary for the achievement of the specified purposes and carried out to the smallest possible extent.
Processing should be transparent to the data subjects. They must be properly informed about how their data obtained in connection with access to business email will be processed. The employer must therefore fulfil the information obligation towards those individuals. This may be done as part of a general privacy notice for employees and contractors, provided when the contract is signed, or in the form of a separate privacy notice relating to monitoring.
Practical tips:
- The privacy notice may form an appendix to the employment contract (contract of mandate, B2B contract).
- A shortened information notice together with a link to the full text of the privacy notice may be displayed as part of the monitoring notice, e.g. when the email inbox is opened.
- The information obligation may be part of a written or electronic notice about monitoring provided to employees before they are allowed to start work.
When should a legitimate interest assessment be carried out?
The organisation should be able to demonstrate that monitoring is necessary for the purposes for which it was introduced. Since monitoring involves the processing of personal data, it is necessary to identify the appropriate legal basis for processing. If the basis is a legitimate interest (Article 6(1)(f) GDPR), a so-called legitimate interest assessment must be carried out. This involves weighing the rights and interests of the data subjects against the rights and interests of the organisation as the data controller. Reliance on this legal basis for processing is possible only where the interests of the data subjects do not prevail over the controller's interest.
Is it necessary to conduct a Data Protection Impact Assessment before introducing monitoring?
Before introducing email monitoring, the employer should carry out a Data Protection Impact Assessment (DPIA). This obligation arises from the systematic nature of monitoring activities and the fact that they concern persons requiring special care. This group includes employees, due to the imbalance of power in the employee-employer relationship.
How long should data obtained through monitoring be retained?
Before introducing email monitoring, the employer should determine the retention period for data obtained in this manner. The retention period should be closely linked to the purpose of processing, and therefore the employer must assess on each occasion how long the data are needed to achieve that purpose. For example, where the purpose of monitoring is to ensure proper use of work tools, the determining factor for the retention period would appear to be the limitation period for any potential claims. However, regard should be had to the positions of the Polish DPA and to emerging court judgments, including those of the Supreme Administrative Court (e.g. III OSK 132/22), which indicate that potential, future and uncertain claims do not permit the processing of personal data.
Specifying the data retention period (or the criteria for determining it) is a mandatory element of the privacy notice.
How can compliance of monitoring with the law be documented?
The employer should remember the principle of accountability at every stage. The employer is obliged to demonstrate that monitoring is necessary to achieve the intended purposes and does not infringe the employees' personal rights.
In particular, the employer should be able to demonstrate that:
- the monitoring is genuinely necessary and is carried out for the purposes set out in the Labour Code,
- the scope of monitoring is adequate to the purposes it serves and its proportionality has been assessed,
- the monitoring was introduced in accordance with the requirements of the Labour Code and the GDPR,
- a legitimate interest assessment (LIA) was carried out with a positive result,
- a Data Protection Impact Assessment (DPIA) was carried out for the process of monitoring employees' email.
Is reviewing work email always considered monitoring?
The legislator has not introduced a definition of monitoring, which may give rise to interpretative doubts as to the scope of this concept. In legal scholarship, reference is made (though not unanimously) to the need to rely on the dictionary meaning. In this sense, monitoring means continuous supervision or observation, and its defining feature is systematic continuity.
If checks carried out by the employer are one-off and occasional, and therefore lack the permanence typical of monitoring, such actions are not classified as monitoring.
Employees should know when they are subject to monitoring and when the employer is merely carrying out an ad hoc inspection. The rules in this regard must be precise so as not to mislead.
How can business continuity be ensured without infringing privacy?
As noted in the introduction, the employer's access to an employee's business mailbox may result not only from monitoring or ad hoc inspection, but also from the need to ensure business continuity – the continuation of services provided and day-to-day work. However, these should be exceptional situations, arising for example from the employee's sudden absence, when there is an urgent need to access correspondence in order to assign other employees tasks that cannot be delayed (especially in critical areas), or after cooperation with a given person has ended.
Also in such cases, access cannot be fully unrestricted. The organisation should ensure that it is limited to the necessary scope. Access must not involve browsing the employee’s entire mailbox, but should be limited solely to searching for the required correspondence.
Practical tip:
It is worth introducing, in advance, a method for employees to organise their email, for example by creating thematic (subject-based or client-based) folders in their email inbox and continuously filing into them all correspondence relating to a given entity or matter. This will help the employer quickly find the necessary messages in situations requiring urgent access to email, while also limiting access to the absolute minimum.
How can an employee’s personal rights and the secrecy of correspondence be protected?
Access to a company mailbox should, in each case, be carried out by authorised persons who are obliged to maintain confidentiality. Article 22³ § 2 of the Labour Code expressly provides that monitoring of electronic mail may not infringe the secrecy of correspondence or other personal rights of the employee. A corresponding obligation follows from Article 11¹ of the Labour Code. This means that the requirement to respect these values undoubtedly applies to every case of an employer’s access to company email, not only to monitoring. This protection also covers relations with co-workers, to whom similar guarantees are provided by the Civil Code.
The employer should always take into account the risk of infringement of personal rights in connection with its actions and prevent that risk from materialising.
What should be done if the employer comes across an employee’s private correspondence?
If the employer is able to determine from the subject line of the message that it is private in nature, it should not open it. If, however, it recognises only after opening the message that it is private, it should immediately stop reading its content. This follows directly from the statutory prohibition on infringing the secrecy of correspondence and other personal rights of the employee. This prohibition applies even where the employer has stated that the company mailbox may not be used for private purposes.
Particularly problematic is the situation where the employer suspects that the breach occurred in correspondence which the employee has marked or treats as private. If the employer has documented evidence giving rise to a suspicion that the correspondence in question was the source of a serious breach, the most appropriate course of action appears to be to request the employee to provide explanations and voluntarily disclose the correspondence, and, if the employee refuses, to open the messages in the presence of a commission (the commission should be limited to the minimum necessary number of persons). Although the employee’s presence is desirable, if the employee refuses to appear, it appears permissible to carry out the activities without their participation. It is also important that the entire process be documented. The actions should be carried out in a manner that interferes as little as possible with the employee’s privacy and only to the extent necessary. If the private nature of the messages is confirmed, their content should not be disclosed to third parties. If the employer has appointed a Data Protection Officer (DPO), it is appropriate to involve them in this process as well.
FAQ – frequently asked questions
May an employer monitor an employee’s work email?
Yes, monitoring work email is permissible if it is necessary to ensure work organisation enabling full use of working time or proper use of work tools. The employer therefore does not have the right to introduce employee monitoring for any arbitrary purpose – any form of control must comply with the applicable provisions, in particular the Labour Code, and be based on an explicit legal basis under the GDPR.
What documents are required when introducing monitoring?
The purposes, scope and manner of applying monitoring must be set out in the work regulations, collective labour agreement or in a notice, if the employer is not covered by a collective agreement and is not obliged to establish work regulations. The employer must inform employees about the monitoring in accordance with the requirements of the Labour Code. In addition, the employer should ensure a legitimate interest assessment (LIA), a DPIA and compliance with the information obligation towards employees under the GDPR.
How long may data obtained from email monitoring be stored?
In the case of video surveillance, the Labour Code specifies a retention period not exceeding 3 months, whereas for email monitoring the employer determines the period independently. This does not, however, mean complete freedom – the retention period should be strictly linked to the purpose of processing and may not extend beyond what is genuinely necessary.
May an employer read an employee’s private email stored in a company mailbox?
An employer may not monitor private correspondence and should stop reading a message as soon as it recognises its personal nature. This follows from the statutory prohibition on violating the confidentiality of correspondence and applies even where the use of a company email account for private purposes has been prohibited.
Is it necessary to obtain the employee’s consent for monitoring?
No, the employee’s consent is not the legal basis for processing in this case – the employer is entitled to process personal data as part of monitoring in accordance with the GDPR and the Labour Code – as a rule, this is based on the employer’s legitimate interest.
Does every review of company email constitute monitoring?
No – monitoring is characterised by systematic continuity, whereas an incidental, one-off review of email in a justified situation does not constitute monitoring within the meaning of the Labour Code. Nevertheless, such review must be proportionate and carried out in compliance with the principles arising, inter alia, from the GDPR.
Is it necessary to carry out a Data Protection Impact Assessment (DPIA)?
Yes, due to the systematic nature of the monitoring and the fact that it concerns employees – individuals in an unequal relationship vis-à-vis the data controller – carrying out a DPIA is necessary.
What are the consequences for an employer of unlawfully monitoring an employee’s email?
Breaches of personal data processing rules may result in the imposition of an administrative fine by the President of the Polish Data Protection Authority, potential inspections by the National Labour Inspectorate, and civil-law claims for infringement of the employee’s personal rights. The employer also risks losing the team’s trust and becoming involved in potential employment disputes.