Decorative page background

A Personal Data Breach on Facebook and the Monitoring of Work Emails: What the Supreme Administrative Court Told Employers and Employees?

A Personal Data Breach on Facebook and the Monitoring of Work Emails: What the Supreme Administrative Court Told Employers and Employees?

Under certain conditions, employers may access an employee’s work email account. A recent judgment of the Supreme Administrative Court confirms that what matters is not who owns the account, but whether the employer has clear internal rules in place, whether the employee was informed in advance, and whether any monitoring is specific, proportionate, and time-limited.

In its judgment of 18 March 2026, File No. 6 Ads 21/2026 – 27,[1] the Supreme Administrative Court examined the case of a civil servant employed by the State Administration of Land Surveying and Cadastre (the “Office”). The case is of interest not only for its facts, but also for its practical implications for HR, compliance, and IT security.

What actually happened?

An Office employee posted a land registration document containing non-anonymised personal data to a public Facebook group. The matter did not end there. He also sent the same document by email to colleagues who were not authorised to access it, and even to two individuals outside the Office. The Court was not concerned with the employee's motives. What mattered was that a personal data breach had occurred and that the employer needed to establish its scope. It was against that backdrop that the employer proceeded to monitor the employee’s work email correspondence- a step the employee then challenged.

Can an employer monitor work e-mails?

The employee argued that monitoring his emails breached the confidentiality of communications protected under Article 13 of the Charter of Fundamental Rights and Freedoms and was contrary to Section 316 of the Labour Code, which prohibits surveillance. He further contended that the employer’s internal policy permitting access to an employee’s email in cases of “reasonable suspicion” was not sufficient justification, and that emails could not be read without court authorisation - even where unlawful conduct was suspected.

The Supreme Administrative Court ultimately sided with the employer, holding that the monitoring in this case was lawful and proportionate. The Court identified the following factors as decisive:

  • the employee had been informed in advance that monitoring might take place;
  • the Office had expressly reserved the right to monitor email communications in its internal policy;
  • the employee confirmed this ateach login;
  • the monitoring was not blanket - it did not cover all employees;
  • the employer had specific grounds for suspecting a personal data breach;
  • monitoring was limited to a period of three days; and
  • it was directed solely at establishing the scope of the personal data breach.

In other words, the Court did not sanction the routine reading of employees’ work emails. It approved a specific, purpose-limited interference in response to a security incident.

This is consistent with the European case law the Court cited - Halford v United Kingdom[2] and Bărbulescu v Romania.[3] In practice, employers should always be in a position to answer the following questions:

  • Was the employee clearly and unambiguously informed in advance that monitoring might occur?
  • Is there a specific, demonstrable reason for the monitoring?
  • Could the objective be achieved by less intrusive means?
  • Is the scope of monitoring limited to what is strictly necessary?
  • Are there adequate  safeguards against misuse?

Why have an internal policy in place before an incident occurs?

The judgment makes a strong case for clear, well-drafted internal rules. A properly prepared policy serves several important purposes:

1. Reducing legal risk

Transparent monitoring rules significantly reduce the risk of disputes about whether an employer’s interference with an employee’s privacy was proportionate.

2. Supporting security incident response

When a suspected personal data breach or cybersecurity incident arises, time is of the essence. An internal policy can set out in advance who is authorised to approve monitoring, the circumstances in which monitoring is permitted, how it should be conducted, how the process should be documented, and how the rights of the data subject are protected.

Without clear rules, employers risk not only challenges from employees, but also regulatory scrutiny and reputational damage.

The existence of pre-established rules can be decisive when an employer subsequently has to justify its actions to an employee, a court, or a supervisory authority.

What risks can well-drafted rules address?

In practice, the point is not simply to “keep an eye on employees.” Well-drafted rules can help protect an organisation against risks including:

  • personal data breaches;
  • leakage of trade secrets and confidential information;
  • breaches of sector-specific regulations or contractual confidentiality obligations;
  • loss of evidence relating to an incident;
  • employee disputes over alleged unlawful interference with privacy;
  • reputational damage; and
  • uncoordinated responses across IT, HR, compliance, and management.

Does this apply only to public authorities, or to the private sector too?

In this case, the Court emphasised that the Office handles data of a particularly sensitive nature maintained in a statutory register. This undoubtedly played a role in the proportionality assessment.

Depending on the circumstances, a comparably serious justification may exist where an employer handles, for example:

  • special categories of personal data;
  • banking or payment secrecy obligations;
  • medical records;
  • highly confidential client information;
  • trade secrets;
  • security-critical systems or infrastructure.

In the private sector, a blanket assertion that “it is a company email account” will not suffice. An employer must be able to demonstrate why monitoring was genuinely necessary in the circumstances.

What should internal policies cover?

If employers want to take practical lessons from the Court’s judgment - which adds further clarity to existing practice - their internal policies should as a minimum address:

  • the purpose and limits of using work email accounts;
  • whether, and to what extent, personal use is permitted;
  • the circumstances in which monitoring may take place, including a legitimate interest assessment;
  • who is authorised to approve and carry out monitoring;
  • the approval process for monitoring;
  • documentation requirements and audit-trail procedures;
  • safeguards to protect confidentiality and minimise the interference (data minimisation); and
  • coordination with HR, IT, compliance, and incident response functions.

In practice, it is precisely this alignment of legal, HR, and information security perspectives that so often proves decisive.

It is worth noting that the employee who had himself disclosed third-party personal data on a social media platform subsequently invoked privacy protection in relation to his work email communications. The Supreme Administrative Court addressed the issue with precision and in line with established European case law. The judgment confirms that monitoring work emails can be a legitimate tool - but only where it is grounded in clear rules, a specific reason, and a proportionate approach. For employers, it is a reminder that an internal policy should never be just a piece of paper gathering dust.

This judgment will be of particular relevance to employersputting monitoring policies in place, to HR and compliance teams, to cybersecurity and data protection specialists, and to employees who handle sensitive information.

Related articles