Handling private e-mails in the company - data protection and compliance requirements in EMA®
As soon as a company permits the sending of private e-mails, a conflict inevitably arises between compliance requirements and the right to privacy: the right to be forgotten, that is, the deletion of private e-mails. There must be a right to delete private e-mails, while at the same time all business-related e-mails must be kept. Who ultimately decides what is private and what is not? How does a company deal with this issue?
In principle, it is advisable to exclude the use of private e-mails in the company. But a company can rarely start on a greenfield site. So if private e-mails are allowed in a company or have been tolerated in the past, a concept must be developed for how access to them is protected. As an e-mail and document archive, EMA offers many different options, drawing on many years of experience with the complicated requirements of a wide range of customers.
As a rule, private e-mails cannot be automatically recognized after the fact and marked (flagged) as such. However, if there is a rule that users mark private correspondence as private, it is possible either to exclude e-mails marked in this way from archiving as a matter of principle, or to allow a right to delete privately marked e-mails for a limited period of time, e.g. 30 days. EMA can also be configured so that an administrator can edit private e-mails only in masked form and can neither open them nor see the subject. Circumventing this restriction would then require a four-eyes agreement with the works council.
EMA can generally follow any adopted rule here, but it must be weighed which requirement carries more weight. Erasure locks can be set up in a variety of ways, including optional case management for legal departments that need to quickly freeze large amounts of data.
In principle, there are the following more or less good ways to deal with private e-mails:
Filtering of e-mails marked as private
Filtering on the subject tag [PRIVATE]
Four-eyes principle for admin access, with the works council
Admin access restricted to e-mails as of the new company agreement
Works council may monitor and read the EMA log
Employees may, for example, delete their e-mails in the archive for 30 days
Archiving only by folder synchronization, after 30 days in which everyone can clean up and delete everything
Users may delete e-mails at any time
Users are allowed to set the "Private" attribute
In the end, however, the question always remains: who monitors the monitors, or who has the final say in the company? Ultimately, each company can only answer this question for itself. We are ready to advise you in finding the best solution.