Can the Corporate E-mail Histories of Employees Who Leave Their Jobs Be Made Available to Another Employee? – An Evaluation in the Context of the Law on the Protection of Personal Data
06.05.2024
1. INTRODUCTION
Working life requires companies to create a corporate memory and use this memory in their operations. It can be said that this corporate memory is mostly composed of information and documents produced by employees. For example, a standard operating procedure created by an employee regarding sales processes or an employment contract prepared by a lawyer can be used by the relevant company for many years. However, apart from these documents, the e-mails in the corporate e-mail address of an employee also constitute the corporate memory of the company.
Companies can ensure the continuity of this institutional memory through a “handover” or job transfer from departing employees to new hires. However, this is not always possible. Therefore, even in cases where this is possible, the content of the corporate e-mail address used by the departing employees, i.e. the e-mails sent to and from this address (mailbox), may be allocated to the new employee or to another employee already employed.
The legal aspects of this situation arising from a commercial need should be examined. At first glance, it is possible to say that the issue should be evaluated in the context of commercial law, labor law, personal data protection law and constitutional law. In this article, we will examine the issue in the context of the protection of personal data.
Corporate e-mail accounts are e-mail accounts that people use for commercial activities at their workplace and are generally designed as “[email protected]”. Although these accounts are the property of the company, they are considered “personal data” due to their content and extensions.
Article 3/d of the Law on the Protection of Personal Data (hereinafter referred to as “KVKK”) defines personal data as “any information relating to an identified or identifiable natural person”. In this context, there should be no hesitation that the corporate e-mail accounts and their contents are personal data.
2. PROCESSING OF PERSONAL DATA AND PRIVACY
The KVKK defines “data processing” as all operations carried out during the period from the acquisition of personal data to its destruction. Activities such as obtaining, recording, changing, transferring, and reorganizing data are defined in the law as examples of data processing.
The processing of data is subject to various conditions in line with the KVKK. Article 4/2 of the KVKK lists the general conditions for data processing as follows:
- Compliance with the law and the rule of honesty.
- Being accurate and, where necessary, up to date.
- Being processed for specific, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purpose for which they are processed.
- Being retained for as long as necessary.
Article 5 of the KVKK lists other conditions for the processing of personal data. Although the main rule is that personal data can be processed with the explicit consent of the person, Article 5/2 defines various exceptions and regulates that personal data can be processed without the need for explicit consent in the presence of these situations.
However, Article 10 of the KVKK defines the “obligation to inform” the data subject, i.e. the person whose personal data will be processed, “at the moment personal data is obtained”. In other words, before any data is processed, the data subject must be informed about it.
While evaluating the processing of personal data, it is also necessary to mention the right to privacy. This is because each data processing activity involves a certain area regarding the private life of the person whose data is processed. The right to privacy has been one of the most fundamental human rights since Ancient Greece. The law on the protection of personal data has also emerged from this right.
The right to privacy is regulated in Article 20 of the Constitution, which states that “Everyone has the right to demand respect for his private and family life. The privacy of private and family life shall be inviolable”. The right to privacy has an important place when discussing the corporate e-mail accounts, and their contents, of employees who have left their jobs.
3. PROCESSING CORPORATE E-MAIL CONTENT
In light of these explanations, the mere “storage” of the content of an employee’s corporate e-mail account on a server belonging to the company constitutes “processing” of the personal data contained in the content of this e-mail account.
Assigning the corporate e-mail account in question to another new employee, storing it on that employee’s computer, or providing that new employee with access to the e-mail account, even if it is stored on cloud-based servers, qualifies as a “data processing” activity.
It is a common practice for a corporate e-mail account assigned to an employee to continue to be used after the employee leaves the company. There may be many reasons for this practice. For example, the relevant employee may be employed in areas such as sales or customer communication. In this case, it may be necessary for the company to continue to receive the messages sent by these customers to the same e-mail address after this person leaves the job.
Another example would be a person who holds an important position for the company and leaves the position without being able to hand over their work. In such a case, the content or archive of the corporate e-mail account of the person in the critical position can be made available to the person who will be appointed to the relevant position. These practices are widely used in all sectors.
4. REQUIREMENTS FOR PROCESSING CORPORATE E-MAIL CONTENT
Storing, monitoring, and accessing the content of corporate e-mail addresses allocated to employees has been the subject of various decisions of the Personal Data Protection Board and the Constitutional Court.
For example, in its Decision No. 2023/86, the Board made a very detailed decision regarding the data controller’s monitoring of the contents of the e-mail address allocated to its employees upon the complaint of an employee. In the decision, it was noted that the employer fulfilled its obligations and therefore there was no violation in the context of the protection of personal data. The decision referred to previous decisions and findings of the Constitutional Court and the European Court of Human Rights.
In its decision no. 2021/1187, the Board made a detailed assessment on a similar complaint, and in its assessment in the light of the Constitutional Court and ECtHR judgments, the Board found a violation and imposed an administrative fine because the employer had failed to fulfill its obligations.
Finally, in its decisions numbered 2020/59 and 2023/1321, the Board evaluated the processing of the contents of the e-mail addresses of former shareholders who left the relevant company and reached a conclusion by using similar criteria.
In this context, the assessments made and the criteria set out by the Board, also based on ECtHR and Constitutional Court judgments, can be summarized as follows:
- The need to balance the employee’s right to protection of personal data with the employer’s right to control,
- Whether the employer has informed employees about the monitoring of communications or the use of the archive,
- The extent of monitoring and supervision by the employer and the degree of intrusion into the worker’s privacy,
- Whether part or all of the communication is monitored,
- Whether the monitoring activity is time-limited,
- Number of people with access to monitoring results,
- Whether the employer has legitimate grounds for such monitoring,
- Whether the worker is provided with adequate safeguards if the employer’s monitoring is intrusive,
- Whether appropriate and adequate safeguards are in place against abuse of the activity in question,
- Whether the intended outcome of the monitoring activity can be achieved in a less intrusive way.
In light of these principles, it is possible under the KVKK to monitor the communication of employees through their corporate e-mail addresses and to allocate the contents of the corporate e-mail accounts of employees who leave their jobs to another employee. However, the following conditions must be fulfilled:
- Employees must be informed that their e-mail addresses should only be used for business purposes.
- Employees must be informed clearly and in detail that the content of their e-mail addresses may be monitored by the company or may be allocated to another employee after the person leaves the job, and the obligation to disclose must be fulfilled.
- It should be determined for how long the content in the e-mail addresses of the employees will be allocated to another employee.
- How the content in the e-mail addresses of the employees will be destroyed at the end of the specified period must be determined and the employees must be informed about this issue.
- It should be determined by which person or persons the relevant e-mail contents can be seen.
- A policy on the control of e-mail contents and their allocation to another employee should be prepared, or this issue should be included in the company’s Personal Data Protection Policy.
- A commitment letter regarding the protection of personal data and confidentiality should be signed by the employees to whom the contents of the e-mail address of the departing employee will be allocated.
- If the e-mail contents are kept on a server located abroad, the necessary actions for transferring personal data abroad should be taken.
5. CONCLUSION
- Allocating the content of the corporate e-mail addresses of employees who leave their jobs to a new or already employed employee is appropriate in terms of KVKK.
- However, for this activity to comply with the KVKK, certain conditions must be fulfilled.
- It is very important to determine the boundaries of this activity and to put the process into a procedure. Employees must be informed about this situation and about the requirement to use their e-mail accounts only for work purposes.
- The monitoring and use activity must be limited to a specific period and the relevant data must be destroyed at the end of this period.