INFORMATION NOTE ON THE SUMMARY OF THE PERSONAL DATA PROTECTION BOARD'S DECISION DATED 25/11/2021 AND NO 2021/1187

---

23 June 2022

You may find below our notes on the Summary of Personal Data Protection Board’s (“Board”) Decision dated 25/11/2021 and numbered 2021/1187 on "accessing the corporate e-mail account of the data subject, who is a former employee, without informing the employee "

Subject: In the application, it is stated by the data subject that the contents of the correspondences that he/she had with his/her fiancée via e-mail, his/her personal bank statements and expenditure records were accessed by the data controller without any explanation or notification by the data controller stating that the e-mail addresses provided to the company employees shall be used only for business purposes and no controlling criteria in this regard have been determined and notified to the data subject; the personal data of the data subject has been processed and transferred to third parties, also after the cease of the data subject’s employment with the data controller, and the data subject has not been informed thereof and/or has been requested to provide his/her explicit consent. Furthermore, it is stated that since the information of the data controller’s customers and employees are stored in OneDrive cloud system provided by Microsoft, and the servers of the aforementioned service provider are located abroad, the aforementioned data processing needs to be carried out in accordance with Article 9 of the Personal Data Protection Law No. 6698 (“PDPL”), titled “international transfer of personal data”.

Board’s Findings:

The following points set forth under the decision of the Board are important:

• The e-mail address that the data controller has provided to its employees is qualified as personal data within the scope of PDPL.
• The arguments of the data controller that when exchanging private correspondence via the relevant e-mail account at the workplace and during business hours, the data subject had to kept in mind that the data contained in these correspondences may be accessible to the employer within the scope of the regular monitoring right of the employer and that data subject gave his/her explicit consent to the employer to process and record the correspondences in question and the data in question has been made public by the data subject itself are not appropriate. In order for the personal data to be deemed as publicly available, the relevant person must want his/her data to be public. In other words, there needs to be a will to make the data public. Otherwise, the fact that a person's personal data is in a place where everyone can access, does not mean that the data subject has the will for the data to be public.
• In addition, even in the case of publicly available data, personal data cannot be processed other than for the purposes for which it was collected.
• The decision also addressed the following matters: (i) If the applicant has a new claim, he/she should first apply to the data controller in this regard; (ii) The data controller's claim that "[data] cannot be deleted because it has been submitted to the court as evidence in a pending case" is valid; (iii) The claim that the data has been transferred abroad should be examined ex officio.

Review: The activities of monitoring the employees and controlling their communication should be carried out by the employers in a sensitive manner by taking into account certain criteria. Even if a corporate e-mail account has been provided by the employer for corporate activities and for business purposes, the employer has to inform the employee that the e-mail account will only be used for the purpose of performing the work and/or that his/her e-mails can be examined/controlled by the employer.