Waselius & Wist Navigation
  • Our team
  • In Focus
    • Recent Work
    • News
    • Legal Updates
    • Publications
    • Rankings
    • Blog
    • Newsletter
  • About Us
    • Corporate Social Responsibility
  • Expertise
    • Banking and Finance
    • Capital Markets
    • Corporate and Commercial
    • Corporate governance and Investigations
    • Data Protection
    • Dispute Resolution
    • Employment and Incentives
    • Energy and Natural Resources
    • EU and Competition
    • Financial Regulatory and Compliance
    • Insurance
    • Intellectual Property and Technology
    • Marketing
    • Mergers and Acquisitions
    • Private Equity
    • Real Estate
    • Restructuring and Insolvency
    • Tax and Structuring
  • Careers
    • Lawyers
    • Law students
    • Support staff
    • Open Positions
    • Contact
  • Contact
  • Our team
  • In Focus
    • Recent Work
    • News
    • Legal Updates
    • Publications
    • Rankings
    • Blog
    • Newsletter
  • About Us
    • Corporate Social Responsibility
  • Expertise
    • Banking and Finance
    • Capital Markets
    • Corporate and Commercial
    • Corporate governance and Investigations
    • Data Protection
    • Dispute Resolution
    • Employment and Incentives
    • Energy and Natural Resources
    • EU and Competition
    • Financial Regulatory and Compliance
    • Insurance
    • Intellectual Property and Technology
    • Marketing
    • Mergers and Acquisitions
    • Private Equity
    • Real Estate
    • Restructuring and Insolvency
    • Tax and Structuring
  • Careers
    • Lawyers
    • Law students
    • Support staff
    • Open Positions
    • Contact
  • Contact
In Focus
Home In Focus Access denied – due care is required when monitoring employees' emails

Publications06.07.2022

Access denied – due care is required when monitoring employees’ emails

In Finland, work emails are protected under correspondence privacy laws, meaning that employers are entitled to access and review an employee’s emails under only limited circumstances. Failure to observe these strict requirements for accessing an employee’s emails may result in fines or even imprisonment.

Privacy of correspondence

The Constitution prohibits violating secrecy protections around confidential communication. Protections in this regard extend to modern means of communication, such as emails, text messages or web-based messaging platforms.

The authorities have taken the view that an email is deemed personal if it is addressed to a named person. This rule applies equally to private email addresses and email addresses that are provided by employers (eg, firstname.lastname@company.fi). The only exception is general corporate email addresses (eg, sales@company.fi), which are regarded as the property of the company.

An email address that has been given to a named person, whether work-related or private, is subject to privacy of correspondence rules – the main rule of which is that only the person who is named in the email address has access to that account.

Emails may be read with employee’s consent

In order to avoid situations where emails cannot be read or accessed due to an employee being absent or unreachable, the employer may ask an employee to authorise another employee to access their account. However, as the privacy of correspondence is guaranteed as a fundamental right that is recognised in the Constitution, an employee may not irrevocably give up their right to privacy of correspondence. In practice, this means that an employee may at any time revoke their authorisation for others to access their email account.

Accessing emails without employee’s authorisation

Legislators have recognised that employers may need to access employee email accounts in circumstances where it is not possible to obtain the employee’s consent (eg, due to time constraints). If consent cannot be obtained, an employer has the right to access an employee’s email with the assistance of the system administrator and under specific circumstances.

In order to have the right to access an employee’s emails, the employer must have implemented one of the below measures, the aim of which is to decrease the need for an employer to access an employee’s emails during their absence:

  • requiring the use of an automated out of office message that states their absence and provides an alternative contact;
  • setting up a system that automatically forwards emails that have been sent to an employee to another member of the company; or
  • requesting the employee to give another employee the right to access the employee’s emails during the employee’s absence.

Employers may freely choose which of the above options to offer their employees. If the employee refuses to adopt the offered measure,, the employer is still regarded to have implemented the necessary steps to avoid the need to access an employee’s email during their absence and, therefore, has the right to access an employee’s emails with the assistance of the system administrator if it is deemed necessary.

Accessing the employee’s emails without the employee’s consent should always be the last option and before accessing the employee’s email the employer shall always try to receive consent from the employee. The employer may access the account without consent only if the employee in question cannot be reached within a reasonable time and the employer reasonably suspects that emails have arrived in the employee’s absence which need to be handled.

When accessing an absent employee’s email account, as described above, an employer cannot freely read through all the employee’s emails. An employer may only open emails that can be identified as urgent business-related messages based on their subject, sender and recipients. The employer is also obliged to document the actions taken whenever the employer accesses an absent employee’s email account. The report prepared by the employer must specify:

  • who has had access to the employee’s emails;
  • which emails have been accessed and why; and
  • the exact time and date when this took place.

The report must be given the absent employee as soon as possible.

Email accounts must be closed when employment ends

Due to the personal nature of employee email accounts, employers have no legal basis to keep an employee’s email account active after their employment has ended. Even if an employee has not explicitly requested their email account to be closed, the employer may only keep it active after employment has ended if both parties have agreed to this.

Comment

Failure to comply with the regulation relating to the access and retrieval of employee emails may result in severe penalties. The Supreme Court recently sentenced a manager to fines after they had had kept an ex-employee’s email account open (without the employee’s consent) and instructed other employees to monitor the emails. In the case at hand, the employee had actually consented to the employer reviewing his emails during his absence, but as the consent did not expressly cover the time after their employment ended, the Court ruled that the employer did not have the right to keep the employee’s email account open and access its contents. The maximum penalty for violating the regulation on the privacy of correspondence would have been two years of imprisonment. In most cases, like in the case in hand, the penalty is fines, which can total a maximum of two months’ net income.

This article was first published by The International Law Office (ILO), 6 July 2022.

For more information

Jouni Kautto

Specialist Partner

Share:
Image

Contact info

Eteläesplanadi 24 A
00130 Helsinki, Finland

+358 9 668 9520
+358 9 668 95 222
ww@ww.fi

Quick links

  • Our Team
  • In Focus
  • About Us
  • Expertise
  • Careers

E-invoicing

E-address: 003710525214
Operator: Apix Messaging Oy
Service ID: 003723327487


BUSINESS ID 1052521-4
VAT ID FI10525214

Legal notice
Privacy notice
General Terms and Conditions

© 2022 Waselius & Wist

This website uses cookies to compile statistical data on the use of our website in order to enable us to evaluate and improve our site. OK Decline Cookie Policy
Manage Cookies

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are as essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT