Do company managers have the right to spy on business email?

At first glance, correspondence by e-mail is protected by privacy. But when exchanges take place in the workplace, With the company's IT tools, the situation is more complex. HR directors and company managers are required to respect the privacy of their employees. Nevertheless, they must also take precautions to ensure that sensitive information is not disclosed. This does not mean that they have the right to spy on the professional email of their employees.

Why spy on professional email?

The consultation of employee exchanges by HR is not necessarily motivated by misplaced curiosity. When email communication takes up employees' time, their productivity suffers, which in turn affects their productivity. is detrimental to the smooth running of the company. Managers are then tempted to spy on professional email in order to understand this drop in productivity.

Let's also remember that the Internet is not without danger. Spyware and viruses are numerous to damage servers, via spam, URL links, etc.. A bad use of electronic mail can therefore cause significant damage to the hardware, but also to the files stored in the device (computer, tablet, smartphone) used. For this reason again, managers can spy on email of their employees.

Also note that every e-mail sent from the business mailbox is supposed to be sent on behalf of the company. A misuse would therefore harm the image of the company, a risk that managers do not want to take.

The plausible motives for spying on professional email are thus numerous. However, as soon as one speaks of espionage, one implies a consultation without authorization, which goes against the rights of the employee.

Would you like a free demonstration of our tool?

A complete and individual demonstration of our tool

I would like to book a demonstration

14-day trial

No credit card required ​

What does the law say ?

Whether traditional or electronic, all mail is subject to the principle of privacy. It is therefore forbidden to spy on professional email. Nevertheless, consultation is authorized, under certain conditions. In firstly, management is required to notify employees in advance, concerning the consultation of their professional electronic correspondence. Then, the provisions adopted (spam filters, analyses of URLs and attachments, etc.) must imperatively be declared to the CNIL.

The protection of employees must be at the heart of their employers' concerns. The law confirms this. Article L.121-8 of the French Labor Code stipulates that the collection of information is only authorized after informing employees of the measures planned for these purposes. Article 9 of the Civil Code also sets limits on the means of surveillance so that companies can monitor and not spy on email of their employees.

Furthermore, the monitoring measures adopted must be proportionate to the risks inherent in the use of electronic messaging.

Namely: the employer cannot impose an absolute ban on the use of professional e-mail for personal purposes.

Legal measures to counter espionage

As mentioned above, the control of numerical correspondence can only be done after information and the provisions adopted must in no case infringe on the privacy of employees.

But then, what measures make it possible to respect these fundamentals?

An automatic control system can be considered. Monitoring focuses on specific elements: forbidden keywords, types of attached files, etc. Employers can also Require their employees to identify private messages through a statement in the subject line of correspondence, for example. Exchanges identified in this way cannot therefore be controlled by company managers.

It makes more sense to focus monitoring on digital data to preserve the quality of the employer/employee relationship. The IT team will take care of encryption, securing the connection, creating keys, etc. access and to propose similar solutions. In particular, it is common practice to collect data in the same way as the websites consulted via the various workstations. Without necessarily having access to e-mails, the employer can monitor the list of visited sites and the frequency with which employees access them.

The electronic publishing charter is another option of choice. It is a document that specifies the rules for using the IT tools made available to employees by the company. This document can therefore supervise the use of professional e-mail. It is appended to the employment contract or to the internal regulations.

The charter must be as precise as possible in order to establish a climate of trust. It may include :

• A reminder that computer equipment and professional messaging should not be abused for personal use,
• An incentive to differentiate between private and professional directories thanks to labels,
• Details on the type of attachments that are prohibited (e.g. files that offend public decency),
• The list of keywords that may not appear in any private message,
• The way in which the employer consults the employees' mailboxes in their absence (redirection to an employee's mailbox, for example),
• The list of control measures put in place by the employer,
• Penalties applicable in the event of non-compliance with the charter,
• Etc.

Case of personal e-mail addresses

Employees are entitled to access their personal e-mail addresses during working hours and on equipment provided by the employer. The exchanges that result from this must be private and therefore, do not make no mention of the company or its activities. This type of precision can be included in the electronic charter in order to avoid misunderstandings.

From a legal point of view, no company is allowed to spy on professional email. Instead, we talk about control of exchanges of which employees must be informed beforehand. The declaration to the CNIL and/or the company's IT charter are then used as guidelines in order to preserve the privacy of professional data and the protection of privacy.