1. If an employee is absent can we still access their inbox?
Answer: Of course you can!
Processing of employee data by the employer is lawful under the employment contract. In addition, the email inbox is not actually their data and is the property of the company.
Managers will need to check what messages have been received during their absence and allocate/respond accordingly and the content of the inbox is business-related so there is no expectation of privacy from the employee. The content should be work-based only and that is the reason the employer has access.
How else could a manager deal with misuse of company email, if they needed consent from the employee to access their inbox?
2. I wanted a manager’s email address and was told by another manager that I couldn’t have it due to GDPR; I’m an employee, is this right?
As an employee you need to be able to contact other employees, whether they are managers or not. If you need the email address to discuss a work issue, it falls within the employment relationship.
Businesses will shut down if their staff cannot speak to each other!
3. Our company has scrapped all dash-cams due to data protection. Is this needed?
Proportionate use of vehicle tracking/monitoring equipment is not a data protection breach.
The employer needs to know where its vehicles are and, if there is an incident; it can be useful for all parties to have dash-cam footage. Often police request copies of dash-cam footage to help with road incidents.
The Information Commissioner’s Office has provided guidance on CCTV and photographs and this says where the footage or photo is not ‘processed’ for the purpose of identifying someone then it is not processing in the sense of GDPR.
For example, having the recorder in a vehicle just in case there is an accident and setting it so that it records over itself if no action is taken, does not constitute ‘processing’ under GDPR.
If, however, the footage is taken and watched each day to identify people, this is processing.
Having the equipment in the vehicle is not a breach of data protection if a process or policy is in place to show it is used for a legitimate reason and is not held for longer than needed.
4. We ask for emergency contacts when staff join us, do we need their consent to have their details?
Staff should only give you details of people who would want to know if there is an emergency. I think it would be extremely unlikely that a person would tell you they didn’t consent to you having their name and telephone number in these circumstances.
Use of that information from the employer’s point of view, would fall under ‘vital interest’. In other words, you need to inform someone of an illness or accident.
I would be shocked if I called to say, ‘Michael has fallen badly at work and you need to meet him at the hospital,’ and the person replied, ‘I don’t believe I gave you consent to have my details. This is a breach of the General Data Protection Regulation’.
5. If the website has a sales@ email address, do I need consent to contact them?
There has been a lot of interest in whether an email address is personal data. If the email address is ‘sales@’ and does not identify a person, then it is not personal data and you are free to contact it. Whether you get a reply, is another matter!
Where you want to contact someone to offer services you believe they would be interested in, you need to consider whether this is genuine. For example, if you were to contact firstname.lastname@example.org trying to sell her a car, this is unlikely to be compliant with GDPR.
However, if you contact her to sell her beauty products or equipment, our understanding is that this may be possible under legitimate interest (you have an interest in making her aware of your product and she is likely to have an interest in your product or service). So this would be compliant as long as you include a clear and simple ‘opt-out’ in your message.
GDPR is intended to bring Data Protection into the 21st century, not to close down and stop all business and marketing.