Access to the employee’s mailbox subject to approval

 In Employment & employee representation

Employers should be aware that the Works Council may have the right of consent with respect to the employer’s decision to access employees’ mailboxes.

The Works Councils Act stipulates that the employer needs the Works Council’s approval for any measures aimed at checking the employee’s presence, behaviour or performance at work. The intended purpose is irrelevant, as the Court of Appeal in Amsterdam decided in a case against the Municipality of Amsterdam.

The policy of the Municipality is directed at improved availability of their employees for citizens. In that context the Municipality instructed its employees to activate the out-of-office reply when on holiday and to allow a colleague access to their mailbox. If an employee forgets to activate the our-of-office reply, the Team manager is authorized to access the mailbox of that employee. The Works Council was of the opinion that the Municipality should have submitted this decision to the Works Council for consent. The Works Council claimed that decision meant the Municipality could access the mailboxes of the employees in question and thus check their behaviour and performance. The Court of Appeal agreed with the Works Council. The Municipality’s defence that access to the mailboxes was only intended to enhance the availability of municipal services for the citizens and not to check their employees was denied.

The conclusion may be that the right of consent does not only apply if the decision in question is explicitly directed at checking the employees but also if it could possibly check their presence, attendance and behaviour without actually being intended to do so.

Recent Posts
  • 4 April 2023

    INPLP Activity Report 2022

    Gwendolin van Rooy
    Hereunder you can read the Activity Report 2022 from our network INPLP (International Network of Privacy Law Professionals) of which our firm is a founding member since 2015
    Read More
  • 11 May 2021

    INPLP article May 11, 2021

    Wouter Huisman
    Bob Cordemeyer
    Fine of €475,000 for reporting data breach 22 days to late. According to a press release of April 6 the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a €475,000 fine on because the company took too long to report a data breach to the DPA into compliance with Article 33 GDPR.
    Read More
  • 15 September 2020

    The British Data Protection Authority ICO considers operating systems that are no longer supported inadequate security.

    Bob Cordemeyer
    If systems such as Windows 7 and Windows Server 2008 R2 SP1 are no longer supported by Microsoft, this may result in inadequate security, which could then be seen as an infringement of article 32 GDPR. Huge GDPR fines may be imposed because of this infringement.
    Read More

Leave a Comment