- Date of decision: 7 October 2022
- National case
- Controller: Legal entity (private sector)
- Legal references: The principle of accountability (Article 5(2) of the GDPR), lawfulness of processing (Article 6(1) of the GDPR)
Summary of the Decision
Origin of the case
The Inspectorate examined a complaint in which the applicant stated that she had been unlawfully dismissed by the director of the Company for which she worked, by using her personal correspondence with another employee of the Company on the Facebook social network (hereinafter - the social network) as a ground for dismissal.
An employee, by leaving his or her social accounts open and password-unprotected on the work computer, does not lose privacy in the workplace. The privacy of the employee at the workplace may be restricted by appropriate monitoring and control measures used by the employer at the workplace, however, the use of such measures must comply with the requirements of the GDPR.
In the light of the principle of accountability (Article 5(2) of the GDPR), the Company, as a data controller, did not justify the legal basis for the lawful processing of the applicant’s personal data (her personal correspondence on the social network with another employee of the Company).
The Inspectorate considered the complaint as well-founded and decided that the Company handled the personal correspondence of the applicant on the social network (reviewed and used to initiate disciplinary proceedings) without a legal basis under Article 6(1) of the GDPR.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.