Employee monitoring under the brand new Data Protection Law

An employer may collect and process his/her employees’ personal data for a variety of reasons starting from the very beginning of the employment relationship or even before. This mainly begins with the CV received by the employer, and continues until the end of the employment relationship or even further, in cases where the law allows the employer to do so. Personal data related to payroll and taxes are among the information employers usually collect. These data are vital for performance of the employment relationship as it is also employer’s duty to act in accordance with his/her legal obligations (social security, payment of taxes) and in most cases, they are expressly regulated and imposed by the law.

However, there may be cases where the law does not oblige the employer to collect and process, but the collection or processing might be crucial for the employer’s risk assessment and mitigation measures. Such collection and processing raises concerns related to privacy of employees’ personal data. Employee monitoring is one of these cases where employers process their employees’ personal data where there is a thin line between excessive invasion of the employee’s privacy and the employer’s legitimate interests in monitoring the employee. Turkey did not have a law providing principles and procedures pertaining to protection and privacy of personal data until April 7,2016. Therefore the gap in the legislation was filled with court precedents interpreting general provisions of the Turkish law case by case.

On March 24, 2016, before a data protection law was enacted in Turkey, Turkish Constitutional Court rendered a decision on a complaint filed by employees (co-workers) who were laid off from their jobs due to their personal correspondence revealing their love affair. Their relationship was noticed by one of these employees’ wife who reported this to the business executives of the company. Then the company conducted an internal investigation and fired both employees based on the e-mail messages exchanged between their corporate e-mail addresses, during the working hours. Employees claimed that this was a violation of their privacy of private life, employer denied these claims, and the dispute was eventually brought before the Constitutional Court. Turkish Constitutional Court rendered that monitoring of corporate e-mail accounts may not constitute violation of privacy of private life and that the employer’s interference with the employees’ privacy is proportionate, considering that the company rules expressly prohibited personal use of corporate e-mail accounts and there was no reason for the employees to have an expectation of protection with respect to their personal use of corporate e-mail accounts.

Then on April 7, 2016, Turkey enacted the Law No. 6698 on Protection of Personal Data (Law No. 6698), which sets out principles and procedures pertaining to personal data. The Law No. 6698 does not include any particular provisions pertaining to employment relations. However the Law No. 6698, which is quite similar to Data Protection Directive 95/46/EC, provides legal grounds for processing personal data without the data subject’s explicit consent (Article 5 of the Law No. 6698). According to this provision a data controller (e.g. an employer) may process personal data without obtaining prior explicit consent of the data subject (e.g. an employee) if the processing is necessary for its legitimate interests. The Law No. 6698 does not provide measures of interpretation of its provisions, the secondary legislation has not been issued and there is no precedents pertaining to implementation of the Law No. 6698 since even the data protection authority has not been established yet. Therefore, there is an uncertainty
as to application at this stage. Nevertheless, since the Law No. 6698 is based on the Data Protection Directive 95/46/EC, the European practice might guide us regarding interpretation of the provisions therein.

In the European Union, employers have the right to monitor employees’ computers, such as desktops, laptops, servers and their Internet activities. Any monitoring must be proportionate considering the risks that the employers face with and as well as the legitimate privacy and other interests of workers. Any personal data processed during monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified.

European Court of Human Rights (“ECHR”) evaluated that the act of verifying an employee’s performance at work is a legitimate purpose of the employer to monitor the employee’s corporate e-mail account (Halford v. United Kingdom). For example, writing private e-mails during working hours might reveal a misuse or hint that there is lack of attention which should have been paid to work related activities instead.

Nevertheless, the interests of the employee must be considered as well. In terms of checking employee's business e-mail account, the European case law provided certain conditions to establish a balance for competing interests at stake. According to ECHR, at the beginning, traffic and content data must be separated, as the court assumed that they represent a different level of privacy relevance, which has to be taken into consideration and analyzed (Copland v. United Kingdom). Second, it is important to check whether employer is prohibiting or allowing the private use of the corporate e-mail accounts. In the latter, the employee may have an expectation of higher level of privacy (Barbulescu v. Romania).

If an employer chooses to forbid the private use of the corporate e-mail account, he/she may think and act in accordance with the belief that the employee's corporate e-mail account does not contain personal e-mail messages. For instance, in an employment dispute Frankfurt Labor Court held that, using corporate e-mail account for private purposes constitutes violation of employment contract.

When it comes to the surveillance of e-mail content, employers must be cautious as it is a more serious intervention in the employee's general right of privacy. Content of a private e-mail message may contain intimate or confidential information about the employee. For example, employee may want to keep a reminder e-mail for the meeting of the employee’s “anonymous group for alcoholics” private. Consequently, checking the content of employee's e-mail messages might be considered unlawful in some cases.

On the other hand, although reading content of e-mail messages is a more intrusive way of monitoring, this does not mean that an employer cannot randomly check compliance of his work instructions. ECHR acknowledges that monitoring the employee's e-mail messages, even their content, might be in accordance with law. That being said, if the employer runs across private e-mail messages during regular monitoring, which can be understood by the private nature of the subject line or the recipient for example, employer should stop reading that particular e-mail message immediately. If the employer continues reviewing the content, then this might exceed the limits of the employer’s right to monitor its employees.