The issue of the meaning of “personal data processing” may still raise doubts for entities processing personal data. This was confirmed by a recently published judgment of the Supreme Administrative Court of 19.01.2024 (III OSK 2816/22) in a case concerning a housing association's sharing its member's personal data with his employer.
The seemingly innocent addition to “CC” in e-mail.
The ruling arose out of a conflict between a housing association and one of its members. In correspondence between the parties, the housing association member used an email address, including his name but containing the employer's domain name, indicating his place of employment. The housing association employees, noticing this detail, decided to act on it. By directing a reply to one of the member's e-mails, they also included in the message in “CC” his employer. This action, seemingly innocent but certainly aimed at causing problems in the member's workplace, resulted in the initiation of proceedings for a breach of GDPR. The consequence was the imposition of a decision granting a warning by the President of the Office for Personal Data Protection against the housing association.
Does it matter that the addressee already possessed this data?
There is no doubt that the employer holds personal data of its employees such as name and surname, or residential address. However, as the court rightly pointed out in the judgment in question, it is irrelevant, in order to determine the lawfulness of the data processing, whether the entity to which the data is disclosed was already in possession of the data. Indeed, the operation of personal data processing is legal when at least one of the conditions specified in Article 6 (1) of GDPR has been met. The housing association, on the contrary, by making the data available to its member's employer, violated the legitimate purpose for which it collected personal data of its members.
How should the employer react?
Apart from the lesson of extreme caution in sharing personal data, it is worth paying attention to preventive measures on the part of the employer. It is worth recalling that, in general, the company's e-mail inbox is the property of the employer, dedicated exclusively to the performance of business activities. It is advisable to take care of appropriate provisions and prohibitions in the workplace regulations, which will govern the monitoring of business e-mails, as well as the principles of processing employees' personal data for this purpose.
Author:
Jagoda Korzeniowska
Attorney at Law