Practical questions

What sort of identification data can be processed for the purpose of the corporate subscriber’s internal billing?

Identification data may be processed only to the point, which is necessary for the purpose of processing. Processing of information cannot restrict the confidentiality of communications or the protection of privacy any more than is necessary. In general, the processing of the amount of connections and their duration is sufficient for the purpose of internal billing If it is necessary to process contact information such as telephone numbers of B-subscribers for ensuring that the billing is carried out correctly, the information must in principle be processed in a way that the other party to the communication cannot be identified.

Can a corporate subscriber restrict the users’ access to a certain website, for example?

If the method for filtering communications is analysis of content or identification data, the filtering and the processing of identification data must be in accordance with the Act on the Protection of Privacy in Electronic Communications i.e. the filtering must be carried out in order to ensure the information security of the communications service. The content of communications or identification data cannot either be processed for other purposes than those governed by the law, unless the user has given his permission.

If the filtering means that not all domain names/IP addresses are “advertised” in name servers i.e. they are in a way non-existent for users, the Act on the Protection of Privacy in Electronic Communications does not set any barriers for activities since this concerns the right to the freedom of expression. (The freedom of expression is governed by section 12 of the Constitution of Finland and the Act on the Exercise of Freedom in Mass Media.) However, the provisions of the Act on the Protection of Privacy in Electronic Communications restrict the processing of information, which is possibly saved, on which the user has tried to access a non-existent IP address. In principle, this sort of information serves no legal purpose of processing under the Act on the Protection of Privacy in Electronic Communications, and therefore, the information should not be saved.

Can an employer store an employee’s e-mail address and e-mail account after the employment relationship has ceased in case the employee possibly still receives messages related to the employer’s activities?

Companies or organizations that process users’ confidential messages, identification data or location data in their communications networks, e.g. internal telephone or information network, are regarded as corporate subscribers. For example, a company that administers an e-mail server of its own, is a corporate subscriber.

Corporate subscribers have the right to process the identification data in communications of corporate users for the purpose of using network and communications services for internal billing and ensuring information security in the service (PPEC). A corporate subscriber may process identification data for the purpose of detecting a technical fault or error as well as for the purpose of technical development of the service. In addition, identification data may be processed in certain cases of misuse, where any fee-based network service, communications service or value added service is used for free or unlawfully in any comparable way.

The Act on the Protection of Privacy in Electronic Communications does not mention the employer’s right to read the employee’s e-mail in any detail. However, section 4 of the Act mentions the confidentiality of communications at a general level. And, according to the law, a party to the communication has the right to process its own communications. The motivation for the Act states that also a community, e.g. an employer company can be a party to communications when the communications solely concerns its activities and does not as such include any personal communications of the user employee.

The Act on the Protection of Privacy in Electronic Communications (795/2004) governs situations in which the employer can gain access to the employee’s e-mail system and open messages. The objective is not to endanger the secrecy of the employee’s confidential e-mails and that messages belonging to the employer can be used by the employer while the employee is prevented. The purpose of regulation is that finding and opening messages sent to the employee or the ones sent by the employee, but belonging to the employer organization would be based on the consent of the employer. However, the law represents an appropriate framework for the employer to find out the messages belonging to its activities in situations where it is not possible to obtain the consent and where it is necessary for ensuring the continuation of the employer’s activities to obtain information.

The above-mentioned laws do not expressly mention that an employee’s e-mail address should be removed after the employment relationship ceases, but this decision is in accordance with both laws. In case the e-mail address does not exist, the sender of the message usually receives an error message saying that the message could not be delivered.

Processing purposes in accordance with section 3 of the Act on the Protection of Privacy in Electronic Communications do not exist as to communications identification data related to the time after the employee’s employment has ceased. According to section 4 of the Act on the Protection of Privacy in Electronic Communications, messages (e.g. e-mail) are confidential. The above gives reason to think that it is right that, after an employment relationship ceases, an e-mail address can be closed so that it cannot receive messages anymore. Any deviation from this procedure must separately be discussed with the employee.

According to the Act on the Protection of Privacy in Working Life and the Personal Data Act, the employer has the right to only process required personal data of the employee. Therefore, the employer would not have the right to process messages sent to the employee after the employment relationship has ceased. The Data Protection Ombudsman monitors the compliance with the Personal Data Act and the Act on the Protection of Privacy in Working Life.