Control of internet and email usage

For the exercise of their professional activity, employees have at their disposal a computer workstation which can be connected to the Internet and equipped with an electronic messaging system. The use, in the workplace, of these IT tools for purposes other than professional ones is generally tolerated. It must be kept reasonable and must not affect network security or the productivity of the company or administration concerned.

Control of internet use

The employer can set the conditions and limits for the use of the internet. These limits do not in themselves constitute an invasion of the privacy of employees.

For example: The employer can set up filtering systems for unauthorized sites (pornographic, pedophile, incitement to racial hatred, revisionist sites, etc.). It can also set limits dictated by the security requirement of the organization, such as the prohibition to download software, the prohibition to connect to a forum or use the "chat", the prohibition of '' access a personal mailbox via the Internet, taking into account the risks of viruses that such access is likely to present, etc.

Need to inform employees

Employees must be informed of the arrangements in place and the methods of controlling Internet use:

The works council must have been consulted and informed (article L2323-32 of the labor code);

Employees must be informed, in particular of the purpose of the control system and of the duration for which the connection data are kept. A retention period of around six months is sufficient, in most cases, to deter any abusive use of the internet.

If disciplinary proceedings are likely to be initiated on the basis of these files, employees must be explicitly informed (for example by means of a charter).

How to declare?

When the company or the administration sets up an individual control system for employees intended to produce a statement of connections or sites visited, item by item, the processing thus implemented must be declared to the CNIL (normal declaration). unless a data protection officer has been appointed, in which case no declaration is necessary.

For example : Internet use control software making it possible to analyze the connection data of each employee or to calculate the time spent on the Internet by a specific employee.

When the company or the administration sets up a system which does not make it possible to individually control the activity of the employees, this system may be the subject of a declaration of conformity with reference to the simplified standard n ° 46 (management staff from public and private organizations).

For example: software allowing only statistics on Internet use to be made at the level of all the employees of the company or at the level of a specific department.

Control of messaging usage

Security, prevention or network congestion control requirements may lead companies or administrations to set up messaging control tools.

For example: tools for measuring frequency, size, e-mail messages; attachment analysis tools (virus detection, "anti-spam" filters intended to reduce unsolicited messages, etc.).

Need to inform employees

The messaging control systems must be the subject of a consultation of the works council or, in the civil service, of the joint technical committee or any equivalent body and of individual information to employees.

In particular, they must be informed of the purpose of the device and the duration for which the connection data is kept or saved.

In the event of automatic archiving of electronic messages, they must also be informed of the methods of archiving, the retention period of the messages, and the methods of exercising their right of access.

How to declare?

Professional messaging must be the subject of a declaration of conformity with reference to the simplified standard n ° NS-046 (personnel management of public and private organizations). If an individual messaging control system is set up, it must be declared to the CNIL (normal declaration), unless an IT and freedoms correspondent has been designated.

For example: software for analyzing the content of incoming or outgoing electronic messages intended to monitor employee activity.

Access to the computer station or messaging

The employer must respect the secrecy of private correspondence. Electronic communication sent or received by an employee may have the character of private correspondence. The violation of the secrecy of correspondence is a criminal offense punishable by articles L.226-15 (for the private sector) and L.432-9 (for the public sector) of the Penal Code.

The Court of Cassation affirmed, in a judgment of October 2, 2001 (“Nikon” judgment), that an employer cannot take cognizance of an employee's personal messages without infringing on his private life (article 9 of the Civil Code) and the principle of the secrecy of correspondence (article 226-15 of the penal code), even if use for private purposes has been prohibited by the employer.

However, the principle of the secrecy of correspondence knows limits in the professional sphere. It can also be lifted as part of a criminal investigation or by a court decision.

Anything that is not identified as “personal” is deemed to be professional so that the employer can access it freely.

The Court of Cassation considers that a message sent or received from the workstation provided by the employer is of a professional nature, unless it is identified as being “personal”, in the subject of the message for example ( Court of Cassation, May 30, 2007).

It is up to the employee to identify messages that are personal. In the absence of such identification, messages are presumed to be professional.

The personal nature of a message may appear in the subject line of the message or in the name of the directory in which it is stored.

The CNIL recommends making employees aware (for example in a charter) of the principle adopted to differentiate professional and personal mis webmail (qualification by subject, creation of a specific directory dedicated to private content, etc.).

The case of files and directories created by an employee

It has been ruled that the files created by an employee using the IT tool made available to him for the performance of his work are presumed, unless the employee identifies them as personal, to be of a professional nature (Cour de cassation, October 18, 2006).

Any file that is not identified as "personal" is deemed to be professional so that the employer can access it without the presence of the employee.