What documents must we prepare to be able to monitor employees' work email?
ANSWER
At minimum:
- Purposes, scope and manner of monitoring set out in internal rules, regulations or a notice
- Advance notice of the introduction of monitoring, and written information given to the employee before they are admitted to work
- Marking equipment as subject to monitoring (e.g. a pictogram with monitoring information)
- GDPR information obligation
From a GDPR perspective, the following may be necessary:
- DPIA (e.g. report)
- Balancing test
- Update to the Record of Processing Activities (ROPA)
It is recommended to implement a comprehensive procedure for access management, control and forwarding. Procedures should specify, for example:
- purpose, scope and manner of monitoring,
- rules for using work equipment for private purposes,
- permitted uses,
- rules for accessing email,
- rules on forwarding or notification upon termination of employment and on deactivating email,
- employee rights,
- rules on archiving, backups and retention,
- security rules,
- rules for reviewing procedures,
- information on employee participation in creating procedures.


