Business Email Address as Personal Data

Business email addresses typically consist of the name and/or surname of the employee (in the form name.surname@company.com, and the like). In accordance with the Law on Personal Data Protection (“Law”), such addresses indisputably represent personal data, even where, instead of the full name and surname, they contain only the initials of the name or surname of the employee (in the form x.surname@company.com and similar).

There are two main questions in connection with the above: (i) whether there is a legal basis for a business email address to be composed of the name and/or surname of the employee, or whether the employee can request that the email address from which he/she conducts business correspondence exclude the employee’s name and/or surname, and (ii) what the rights of the employee are with respect to the business email address containing his/her name and/or surname after the end of employment.

Formation of the employee’s e-mail address during employment

According to the Law, the use of first and last name in the formation of the employee’s email address represents processing of personal data. The legal basis for such processing may be the consent of the employee, as well as a legitimate interest of the employer, if the conditions provided by the Law for its application as a basis for personal data processing are met (we believe that other grounds for lawful data processing provided by law cannot apply to the forming of employee email addresses).

The employee’s consent is certainly the best and safest basis for data processing, and such consent should ideally be obtained when forming an address that would contain the name and surname of the employee.

However, that solution is not ideal. Firstly, there is the general problem of processing personal data in labor relations that arises from the unequal position of employer and employee, leading to the question of whether the employee is actually able to freely consent without fear of any consequences for their status (this is why the employee’s consent to data processing is usually not required when entering employment contracts, being replaced by a notification on personal data processing, where the employee is informed of the data that will be processed and for what purposes, which are typically purposes provided by law or sometimes the contract itself, to ensure performance of the employee’s contractual rights, such as private health insurance).

Additionally, when employee’s data is processed based on consent, there is an inevitable issue of what happens when such consent is withheld, or withdrawn.

To fully comply with the Law, if the employer intends to create a business address using the employee’s name and/or surname, it must establish a mechanism according to which withholding such consent cannot affect the employee’s employment status (whereby the consent should be obtained only after signing the employment contract), and provide for the procedure of creating an email address without using the name and/or surname of the employee if the consent is denied.

Beyond consent, an employer’s legitimate interest can serve as the basis for the legal formation of an email address from an employee’s name and surname, but only if the legal conditions for its application are met.

The employer may have an interest to use the employee’s name and surname when forming an email address for many reasons, such as facilitating communication within the company or establishing a closer relationship with business partners. This in itself is, however, not enough, as the Law stipulates that the processing of personal data is allowed if it is necessary to achieve the employer’s legitimate interests, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject (i.e. the employee).

Simply put, in practice this means that the employer can use the employee’s name and surname when forming an e-mail address, but would have to be able to prove that such e-mail address formation is necessary to pursue his interests, and that the employee’s interests (for identity protection) do not outweigh the interests of the employer.

According to the available practice, this issue has not been officially commented on by the Serbian Commissioner for Information of Public Importance and Personal Data Protection (“Commissioner“), nor examined by the judiciary in the Republic of Serbia. Unfortunately, the Law does not establish criteria for the standard of “necessity” that could be applied to this issue with certainty.

In the absence of domestic official interpretations, when establishing procedures, it is necessary to use interpretations and contents of opinions of EU institutions, considering that the Law is based on EU directives dealing with personal data protection (“GDPR”). These regulations and interpretations contain mechanisms that give employers a lot of space to use the names and surnames of employees as part of business e-mail addresses. However, the fact that EU regulations do not apply on the territory of the Republic of Serbia cannot be ignored, and it is not always certain that the Serbian authorities will act in the same way as their EU counterparts. This is especially so considering that domestic authorities must adhere to the text of the Law, according to which the use of the name and surname of the employee in an email address without the consent of the employee must be necessary to protect the interests of the employer.

Employee’s email address upon end of employment

Unlike the issue of forming an employee’s email address where the Commissioner has not yet given an official interpretation of the legality of data processing, there is an official position in connection with such email addresses after the end of employment.

Namely, in a recently stated position (case number 072-16-110 / 2021-6), the Commissioner took the view that the email address of an employee containing his name and/or surname should be deleted after the end of employment, and that the employer has no right to keep such an email account active after the end of employment.

The Commissioner issued the said opinion based on a complaint from a former employee who asked his former employer to delete his business address (which contained the name and surname of the employee). Although the employer claimed that he had the right to process such personal data on the basis of legitimate interest and that the e-mail account contains data on concluded transactions and business correspondence which is crucial for the employer’s activities, the Commissioner took the view that an email account should still be deleted.

There is no doubt that, after the end of employment, the employer should shut down a former employee’s email address, and prevent further sending and receiving of messages from that address, as it would be difficult to defend the continued processing of personal data in the context of email after the end of employment.

The second issue is whether there is a basis for the employer to continue storing the correspondence that the (former) employee received / sent in the capacity of employee when the employee acted as a kind of employer’s representative to the public.

In its opinion, the Commissioner did not order the deletion of correspondence made from the e-mail account of the former employee. Having in mind the content of Article 12 of the Law that regulates legitimate interest, we believe that there may be a basis for storing the email correspondence of former employees, provided that it is necessary to preserve it to protect employer’s interests, such as in the case of e-mail correspondence which is proof of the assumed obligations and rights of the employer or proof of the services provided and the goods delivered.

In other words, after the end of employment, if the email address contained the name and/or surname of the former employee, such an account must be permanently deactivated (without the ability to receive and send messages from that account), while the part of the correspondence relevant to the employer that was conducted through that email account can be stored by the employer as long as there is a need to keep that correspondence. In this regard, it would be desirable for the employer to check at regular intervals whether there is still a need to keep the former employee’s email correspondence, and to delete it when such checks indicate that further storage of such correspondence is not necessary to protect the employer’s interests.

Contact:

Milorad Glavan, partner
m.glavan@dnvg-law.com

Srećko Vujaković, partner
s.vujakovic@dnvg-law.com

This text is written for informational purposes only and does not constitute legal advice. We are at your disposal for any additional information.
