Employee Monitoring: Thin line between employer rights and employee privacy
Nowadays, data protection is one of the trending topics in Turkey. Following the introduction of the long-awaited data protection rules into Turkish law in 2016, both global and local companies have been working hard to ensure compliance with the rules. This includes, among others, adopting data protection and information processing policies, changing practices, cooperating with data protection experts and establishing ethics and compliance departments.
When it comes to data protection rules, employee monitoring tops the list of concerns. Conflict between an employer’s management rights and an employee’s right to privacy, and whether one trump’s the other, is a constant threat to any company. Such conflict emerges especially when employees use company computers and e-mail accounts for their own personal business which raises the fundamental question: Does employee monitoring violate the right to privacy and freedom of communication? The answer to this question is hotly debated between employer and employee but court rulings can shed light on how to approach the matter.
The Turkish Court of Appeals accepts that employers have extensive monitoring and supervision authority over devices allocated to employees. The court states that employers can control employees’ e-mail correspondence to check whether employees use company devic- es for their personal business or if there is any insulting content targeting the employer, regardless of whether it of a personal nature or not. This monitoring activity does not violate employees’ rights to privacy and freedom of communication as devices allocated to the employee belongs to the employer. However, the employer must first obtain employees’ consent to monitor such devices.
The Turkish Constitutional Court addressed this matter in a March 24, 2016 ruling as well. The court stated that clearly communicating to the employee the company’s regulations on information security or workplace discipline means that the employee is well-informed on the rules and restrictions set by the employer and the employer can examine the employee’s personal correspondence made through company e-mail accounts. The court states that this surveillance has a legitimate purpose and an employer’s level of interference is proportionate and thus does not violate employees’ privacy.
The approach of the European Court of Human Rights (ECHR) on employee monitoring is slightly more conservative compared to Turkish courts. The ECHR’s September 2017 ruling provides precise guidelines on the employee monitoring: The decision was based on a dispute related to a Romanian sales employee who created, upon his employer’s request, a Yahoo messenger corporate account to communicate with clients. The employer monitored the account for nine days and found that the employee was using the account for his personal business. The employer, during the monitoring activity, obtained a 45-page transcript of the employee’s correspondence with his family members. The employee’s employment was then terminated for his breach of company regulations signed by him which prohibited the personal use of devices allocated for work. However, those regulations did not include any explicit provisions allowing the employer to monitor employees’ communications. The employee sued his employer for unlawful dismissal and violation of his right to correspondence and the right to privacy but lost the case at national courts in Romania. Consequently, he referred the case to the ECHR.
The ECHR first upheld the national courts’ rulings but then the Grand Chamber took a different approach and ruled that there was a violation of Article 8 of the European Convention of Human Rights regulating the “right to respect private and family life, his home and his correspondence.” The Grand Chamber stated that only prohibiting use of company computers and e-mail accounts for personal purposes does not constitute a legitimate reason to violate the right to respect privacy and family life. The court concluded that, among others, an employer’s monitoring activities are legal only if it duly informs employees of the nature and extent of such activities in advance.
Another recent and notable decision of the ECHR on this matter relates to the case concerning the dismissal of a railway company’s employee (French national) after the seizure of his work computer, which revealed pornographic content as well as forged documents. The employee complained that his employer had opened, in his absence, personal files stored on his work computer’s hard drive. The Court held that there had been no violation of Article 8 of the Convention, noting that French laws allow employers to open files on work computers unless they are identified as being personal, which can then only be opened in the employee’s presence.
The Court’s decisions make clear that employers can monitor employees’ company devices but this does not grant an unfettered monitoring right. When employers initiate internal investigations on suspicion of breach of employment contracts, they usually start from checking devices and e-mail accounts allocated to employees. While Turkish courts grant wider discretion to employers on employee monitoring, employers must pay attention not to breach employees’ rights during the surveillance. This essentially requires preparing company by-laws regulating the use of devices allocated to employees, setting out a detailed scope of monitoring activities and obtaining employees’ consent for such activities.