The European Court of Human Rights (ECHR) recently ruled that it was contrary to the right to privacy that a Rumanian employee had been dismissed due to private use of a Yahoo account set up for work purposes. This was the case even though the internal rules prohibited use of for instance work-related Internet accounts.

At the employer's request, the employee had registered a profile on the chat website Yahoo to communicate with the customers.

According to the company’s internal guidelines, which the employee had signed, all personal use of computers, Internet, etc. was prohibited. The guidelines did not mention the possibility of monitoring, but the company had subsequently prepared an addendum to the rules in which it was emphasised that the company expected observance of the guidelines and that violations would be monitored and sanctioned.

The employee had communicated in private which the company found out about.


Both the court of first instance and the court of second instance dismissed that the employee had violated the guidelines. The national courts found that the monitoring was in accordance with national labour law and was not a violation of the right to privacy. The courts referred to the fact that monitoring was a necessity to avoid IT problems and illegal use of the Internet, and that the monitoring took place to substantiate a suspicion of abuse of the company’s Internet contrary to the company’s internal guidelines.

The court of first instance of the ECHR found that these grounds and their result were in accordance with the Human Rights Convention.


The Grand Chamber - being the supreme authority of the ECHR - found, however, that the national courts had not made a sufficient review of the alleged violation of the right to privacy.

Article 8 of the Human Rights Convention determines the right to privacy, including the right to respect for the individual’s private correspondence, and the court stated that the correspondence in question was not covered by the right to respect for privacy and correspondence in article 8.


As the case concerned a private company which was not directly bound by the Convention, the court investigated whether the Rumanian state - in this case, the national courts - had observed the positive obligations applicable to states. The state’s positive obligations must provide the required safety that also private persons observe the Convention’s rights of freedom.

The court stated that when assessing the legality of monitoring, the national courts must take into account the following criteria:

  • Was the employee informed in a clear and lucid manner about the possibility of monitoring?
  • How intense was the monitoring? Did the monitoring only observe the presence of private correspondence or was the content of the correspondence reviewed?
  • Did legitimate considerations justify the monitoring?
  • Could other, less radical, measures have achieved the same results?
  • What were the consequences for the person monitored?
  • Was the person monitored sufficiently protected against abuse of the possibility to monitor?


In cases like the present concerning the state’s positive obligations, the court tests whether the state strikes a  balance between opposing considerations - in this case, the employee’s right to respect for privacy versus the company’s wish to avoid abuse of the Internet.

The court found that the national courts had not sufficiently reviewed the observance of the above criteria. For example, the courts had not sufficiently investigated the intensity of the monitoring, the legitimate considerations or the possibility of less radical measures. At the same time, the courts had blurred the transparency by accepting the possibility of comprehensive use of monitoring during disciplinary hearings. It was thereby impossible for the individual to know when he/she could risk being monitored.

For these reasons, the court found that the national courts had not struck a balance between the opposing considerations. The Rumanian state therefore had to pay compensation to the employee which amounted to the verifiable loss caused by the employee’s dismissal.


The judgment shows that it is important that the employer informs its staff about the possibility of monitoring and the extent thereof.

Danish law is in line with the judgment. Danish personal data law and criminal law lay down the same restrictions as to whether and to which extent Danish companies may monitor the employees’ use of emails etc.

On 4 November 2015, the Supreme Court also attached importance to the fact that a company did not search through and read private messages to a further extent than necessary to be able to separate the part of the email correspondence relevant for the purpose of the investigation. Compensation was therefore not awarded.


Maria Schmiegelow

Partner (L)