Polish court: Employer accessing employee's social media on work laptop violates GDPR

Poland's Supreme Administrative Court has issued a landmark ruling clarifying that social media login details, such as those for Facebook, are personal data protected under the General Data Protection Regulation (GDPR). This decision stems from a case involving an IT specialist employed by a Małopolska municipality.

Following the termination of his employment in December 2018, the employee returned his work computer. Months later, while preparing the device for a new user, an IT administrator discovered that the former employee had not removed his synchronization account for bookmarks and passwords. Consequently, he remained logged into his private Facebook account, where conversations involving current employees and their superior, the mayor, were visible.

The IT administrator printed these conversations, which then landed on the mayor's desk. The mayor used this information to initiate disciplinary proceedings against a current employee and a criminal investigation against the former worker. This action prompted the former employee to alert the President of the Personal Data Protection Office (UODO).

The UODO determined that the correspondence, retrieved from the work computer, qualified as personal data, as it allowed for the identification of participants, including the complainant. The office also noted that the data included special categories, such as religious beliefs, which are generally prohibited from processing. The UODO concluded that the data was obtained in violation of data protection laws and issued a reprimand.

However, the municipality appealed the decision. Initially, the Warsaw Voivodeship Administrative Court sided with the city, ruling that the UODO should not have been involved, as the conflict pertained to unlawful interference with privacy and correspondence secrecy, matters within the jurisdiction of common courts. The case highlights the complex intersection of workplace technology, employee privacy, and data protection regulations.

“

Schody zaczęły się, gdy ta pozyskane w ten sposób informacje wykorzystała do wszczęcia postępowania dyscyplinarnego wobec jednego z aktualnie zatrudnionych, a także karnego w stosunku do byłego już pracownika.