The access to and review of corporate emails, other electronic communications and electronic files stored on the business computers of employees by the employers has always been a serious practical concern for Greek employers. It often arises especially in the context of internal audits or in cases of serious suspicions for breach of the employment obligations by the employees when the only available evidence is to be found in the electronic communications.
To date, there have been no specific guidelines either by the Greek Courts or the Hellenic Data Protection Authority to set the limits between the managerial prerogative of the employers and the right of privacy and secrecy of communications of the employees. On an EU level, however, several judgments have been issued by the Court of Justice of the European Union and important guidance has been provided by the Article 29 Working Party.
What is new is that, very few days ago, the Plenary of the Greek Supreme Court issued its Judgment 1/2017, by which it attempts for the first time to strike a fair balance between the lawful interests of the employers and the privacy rights of the employees in the context of the review of the electronic communications of the latter.
The court rules that employers have the right to review documents stored in the hard disk of employees, including emails exchanged from corporate accounts, without the consent of the employees when, on the one hand, there is a prevailing legal interest of the employer to conduct this review (such as to ensure its goodwill in the market) and when, on the other hand, the fundamental rights of the employees are not adversely affected (such as when the review involves processing of sensitive data). Consequently, copies of the retrieved data included in the emails and the corporate files of the employees constitute evidence that has been lawfully collected and can be lawfully used before the Greek Courts in relevant court proceedings.
The factors taken into consideration by the Court for reaching this judgment were mainly the following: (a) email communications were sent and received from the corporate accounts of the employees by use of their business computers; (b) the review by the employer was conducted as a result of the initial refusal of the employees to provide data to the employer, while at the same time no preventive monitoring of the emails was conducted by the employer as a matter of practice, and (c) no sensitive data of the employees were included in the communications (e.g. health data).
Without prejudice to the guidance offered by the judgment, and so stresses the judgment itself, the permissibility of such actions of employers should always be assessed on an ad hoc basis taking into account all the crucial facts of the case at hand each time.