Austria: The limits of privacy in the world of work: Are employers allowed to read their employees' emails?

In brief

Email is the central means of communication in business organizations. Mailboxes are a valuable source of information, particularly in the event of termination of employment relationships or suspected breaches of duty. However, access to emails is restricted and requires careful consideration of the interests of both employer and employee on a case-by-case basis.


Access without any justification is unlawful

Both labour law and data protection law aspects must be taken into account when deciding whether the employer can access its employees' emails.

From a labour law perspective, the consent of the works council or individual employees is not required to inspect employees' emails, provided that it is an ad hoc inspection (inspection in individual cases, e.g., on suspicion of misconduct) and ongoing monitoring ("scanning") does not take place.

Individuals are entitled to the protection of their privacy and, therefore, also to the confidentiality of their personal data. Information contained in private emails is personal data within the meaning of the General Data Protection Regulation (GDPR). Therefore, any processing requires the fulfilment of one of the permissive provisions of the GDPR. According to prevailing doctrine, the employee's consent is not a suitable justification, as employees' free will is assumed to be diluted during the employment relationship. Therefore, in the context of labour law, the employer's overriding and legitimate interest is particularly relevant. When assessing the legality based on a legitimate interest, a balance must be struck between the employer's legitimate interests and the employee's interests and fundamental rights. Whether the inspection of emails is justified depends solely on the result of the weighing of the respective conflicting interests in the specific case.

Business use vs. private use

As part of the balancing of interests described above, it is necessary to distinguish whether the business email server may also be used privately by employees. If private email communication has been prohibited, employers can generally assume that only work emails are stored in mailboxes. In this case, the inspection can usually be justified by an overriding legitimate interest of the employer. However, even then, only those emails that are not already recognizable as obviously private by the addressee or the subject are permitted to be inspected.

The legal situation is different if private use of the business email server is explicitly permitted or merely tolerated. In this case, the employer must assume that there are also private emails in the mailboxes. If this is the case, the employer's legitimate interest in accessing the data must outweigh the employee's interest in confidentiality and privacy. Otherwise, the inspection would not be justified under data protection law and would not be authorized.

An overriding legitimate interest of the employer is to be assumed if mailboxes contain necessary information relating to communication with customers or contractual partners and the inspection is necessary to ensure undisturbed business operations. In weighing the conflicting interests, the understanding of the parties involved is particularly important. An indication that the employer's interests outweigh those of the employee may be recognized, for example, if the employee could reasonably expect an inspection (e.g., because they were also able to access their predecessor's mailbox). Thus, if employees can reasonably expect the employer to access their mailbox, inspection is permissible if the employer has a legitimate interest (e.g., necessary processing of further customer enquiries).

If the employer has other reasonable means of obtaining the information needed to achieve the desired purpose, the inspection is not necessary and therefore not permitted. The inspection must therefore be limited to what is necessary. As soon as a private email is inadvertently accessed, the inspection must be stopped.

How can infringements be avoided?

To avoid penalties and other sanctions under the GDPR, as well as possible consequences under civil law (compensation claims for damages, injunctive claims), it is important to properly weigh up the interests involved in authorizing access in each individual case. The following measures should therefore be taken:

  • Including clear rules in the employment contract or as part of a mutual termination agreement.
  • Establishing a strict separation between private and business areas when using the company email server during an ongoing employment relationship.
  • Providing employees with sufficient opportunity to check their mailbox for private data upon termination of the employment relationship.
  • Evaluating the existence of a legitimate interest, as well as the necessity and reasonableness, on a case-by-case basis.
  • Cancelling the inspection as soon as the private nature of an email is recognized.


Copyright © 2024 Baker & McKenzie. All rights reserved.