Companies can monitor the websites that their employees view during the working day
The High Court of Justice of Madrid (TSJM) has ruled that it is lawful to monitor the websites visited by a worker with the company’s computer.
In its ruling, the Madrid high court details the doctrine on this matter.
It is number 403/2023, of 26 April, handed down by the judges Fernando Muñoz Esteban (president), Virginia García Alarcón (rapporteur) and Rafael Antonio López Parada, of the Second Section.
“This ruling is issued in the context of a labour dispute and analyses what happens when a worker surfs the Internet on pages unrelated to their work activity, during working hours and using corporate resources”, says lawyer Ramon Arnó Torrades, a specialist in legal aspects of the information society and digital transformation, CEO of La Familia Digital.
“This ruling clearly summarises the majority doctrine of the Social Courts in cases similar to the one analysed, in cases in which there is a prior prohibition by the company on the use of corporate resources for personal purposes”, he points out.
THE CASE
The SCJ ruled on the case of an employee of the company Alza Obras y Servicios who had been warned on several occasions by his hierarchical superior that he should not use the computer for personal use, with frequent comments from workers that the appellant habitually made personal use of the computer during his working day.
The company carried out monitoring of its own computer equipment used by the appellant to check whether such personal use was occasional or recurrent. This was carried out on 14 January 2022, between 10.00 and 15.01 hours.
The result was that on 7, 9, 10 and 11 February he visited websites such as parquetparedes.com, lacronica.net, guadalajararadio.com, leroymerlin.com, bricomart.com, coches.net, idealista.com, adidas.com, viking.es, coches.net, as well as connections to Youtube, Facebook and bank websites. And all of this during their working day.
On 23 February 2022, the company informed him of his disciplinary dismissal.
The employee then brought an action against the company, but it was dismissed by Madrid Social Court No 18, which declared the dismissal to be justified, and validated the termination of the contract with effect from 22 February, without the right to compensation or wages for processing.
Now, the SCJ has partially upheld the appeal for judicial review that the worker lodged against that decision, which it revoked, declaring the dismissal to be unlawful.
The company will have to choose between paying him compensation of 32,176.80 euros or reinstatement and payment of the wages lost since the dismissal until this judgment is notified or until the worker has found another job, as well as keeping him registered with the Social Security for the same period.
The company is authorised to impose a sanction for minor misconduct, within the ten days following the finality of this judgment, after the worker has been reinstated, provided that he has been duly reinstated.
THE MAGISTRATES’ ARGUMENTS
The TSJM explains that in this case there is no infringement of the worker’s right to privacy, as the contested decision and the Public Prosecutor’s Office rightly appreciate.
This is all the more so as “there has been no intrusion whatsoever into emails or documents he has produced, but simply a tracing of the search history carried out by him on the computer made available to him”.
Furthermore, the judges emphasise that it is “notorious that, not having deleted it, it could have been known by the employer and that the plaintiff knew that the equipment was for professional use, so he could not have had an expectation that this history would be protected against a possible investigation by the defendant”.
Consequently, it ruled that the dismissal could not in any event be declared null and void and that it was not appropriate to determine additional compensation. The appellant asked for a compensation of 7,501 euros.
In this case, the public prosecutor’s office stated in its report that there had been no infringement of the appellant’s right to privacy, in accordance with the case law cited, “as it is established that the use of the computer was only permitted for strictly work-related purposes, and that its use for personal purposes was strictly prohibited, in accordance with the message that appeared on the screen at the start of each session, considering that the monitoring measure carried out by the company achieved the intended purpose of ascertaining whether he was using the computer for personal purposes, so that the company’s action complies with the requirements demanded by the European Court of Human Rights (ECHR) in the Barbulescu judgment of 5 September 2017″.
In the alternative, the appellant sought a declaration that the dismissal was unlawful. In this regard, he argued that the letter of dismissal included three offences, one for fraud, disloyalty and abuse of trust and continued disobedience, in accordance with article 101 of the general collective agreement for the construction industry and article 54 of the aforementioned Statute; another for voluntary reduction in performance, in accordance with the same precepts; and finally, breach of good faith and abuse of trust, “there being no fact in the letter from which this voluntary reduction in performance could be deduced, nor is there any in the judgment”.
In this respect, it concludes that the employee’s conduct that has been accredited “does not constitute a very serious misconduct as it is classified as a minor offence”, and emphasises that this is an employee with almost twenty-four years’ seniority, who has not been warned by the company that his conduct could have the serious consideration and importance that he has been given, nor has he been required to cease it, nor has he caused any damage.
The magistrates point out that although for mere dialectical purposes it could be classified as more serious, in any case the provisions of article 102.2 of the agreement should be observed: For the application and grading of the penalties set out in point 1 above, account shall be taken of:
a) The greater or lesser degree of responsibility of the offender.
b) The professional category of the offender.
c) The repercussions of the act on the other workers and on the company.
WITH REGARD TO THE VALIDITY OF THE EVIDENCE PROVIDED BY THE MONITORING OF ACTIVITY ON WEB PAGES
With regard to the validity of the evidence provided on the basis of the monitoring of the appellant’s activity on websites, the SCJ of Madrid points to the unified doctrine of the Supreme Court set out in its judgment of 8 February 2018 (number 119/2018, appeal 1121/2015).
As it recalls, the SC pointed out in that ruling on company powers, that the Constitutional Court (TC) maintains that “the management power of the employer “is essential for the proper functioning of the productive organisation – a reflection of the rights proclaimed in Articles 33 and 38 of the Constitution – and is expressly recognised in Article 20 LET”; and that paragraph 3 of this article gives the employer the power to “adopt the measures he deems most appropriate for surveillance and control to verify the worker’s compliance with his obligations and duties at work, with due consideration for his human dignity in their adoption and application” (TC judgments 98/2000, FJ 5; 186/2000, of 10 July, FJ 5; and 241/2012, of 17 December, FJ 3 and 4).
The Supreme Court indicated that in application of this necessary adaptability of the worker’s rights to the reasonable requirements of the productive organisation in which he is integrated, it has been stated that “manifestations of the exercise of those rights which in another context would be legitimate, are not so when their exercise is assessed within the framework of the employment relationship” (TC ruling 126/2003, of 30 June, FJ 7)”.
In the same sense, the SC has indicated that “the employment relationship, insofar as its typical effect is the submission of certain aspects of human activity to the powers of the company, is a framework that must be taken into consideration when assessing the extent to which there must be coordination between the interests of the worker and those of the company that may collide with it” (TC ruling 99/1994, 11 April, FJ 7 and 3).
The High Court declares that within the framework of the powers of self-organisation, management and control corresponding to each employer, “there is no doubt that the organisation and regulation of the use of company-owned computer media by the worker is admissible, as well as the company’s power to monitor and control compliance with the obligations relating to the use of the media in question, always with full respect for fundamental rights” (TC ruling 241/2012, FJ 5) and (FJ 4).
It adds that the right to personal privacy, as a derivation of the dignity of the person (Article 10.1 of the Constitution), implies the existence of a private sphere reserved from the action and knowledge of others, necessary, according to the guidelines of our culture, to maintain a minimum quality of human life, and that “what is guaranteed by Article 18. 1 EC is the secrecy of our own sphere of personal life, excluding third parties, private individuals or public authorities, from delimiting the boundaries of our private life” (Judgment of the TC 159/2009, of 29 June, FJ 3; 185/2002, of 14 October, FJ 3; and 93/2013, of 23 April, FJ 8) (FJ 5).
But “the right to privacy is not absolute – as any fundamental right is not – and may yield to constitutionally relevant interests, provided that the limit that it has to experience is revealed as necessary to achieve a constitutionally legitimate aim and is proportionate” (judgments of the TC 115/2013, of 9 May, FJ 5; or 143/1994, of 9 May, FJ 6; and 70/2002, of 3 April, FJ 10) (FJ 5) (FJ 5).
On the inclusion of e-mail in the scope of protection of the right to privacy, the Supreme Court emphasises that “even though the allocation of individualised or exclusive spaces -such as the assignment of personal e-mail accounts to workers- may have relevance for the company’s supervisory action, it must be borne in mind that “the degrees of intensity or rigidity with which the company’s surveillance and control measures must be assessed vary according to the very configuration of the conditions for the availability and use of computer tools, it must be borne in mind that “the degrees of intensity or rigidity with which the company’s surveillance and control measures must be assessed vary according to the very configuration of the conditions of availability and use of the computer tools and the instructions that may have been given by the employer to that end” (TC ruling 241/2012, FJ 5)” (FJ 4), reports the TSJM.
The High Court adds that the use of email by workers in the workplace falls within the scope of protection of the right to privacy; the accumulation of information stored by its owner on a personal computer – among other data on his private and professional life – is part of the constitutionally protected sphere of privacy; also that the computer is a useful instrument for sending or receiving e-mails, and the right to personal privacy may be affected “to the extent that these e-mails, whether written or already read by the addressee, are stored in the memory of the computer terminal used” (Judgment of the TC 173/2011, 7 November, FJ 3); (FJ 5).
As it explains, the scope of coverage of this fundamental right “is determined by the existence in the case of a reasonable expectation of privacy or confidentiality. Specifically, we have stated that a “criterion to be taken into account to determine when we are faced with manifestations of private life that can be protected against unlawful intrusions is that of the reasonable expectations that the person himself, or any other person in his place in those circumstances, may have of being shielded from observation or scrutiny by others” (TC Judgement 12/2012, of 30 January, FJ 5)” (FJ 5)” (FJ 5).
Regarding the adequacy of the employer’s control, the TC maintains that since there is a collectively established provision prohibiting the use of the computer for personal purposes, it can be concluded that, in the employment relationship, the worker was only allowed to use the company-owned e-mail for professional purposes.
It adds that, since use for purposes outside the scope of employment was classified as an offence punishable by the employer, the company had “an express prohibition on the use outside the scope of employment, and there is no evidence that this prohibition had been mitigated by the company”.
This being the applicable regime, “the company’s power of control over the company-owned IT tools made available to the workers could legitimately be exercised, ex Article 20.3 LET, both for the purposes of monitoring compliance with the work performed through the professional use of these tools, and to check that their use was not intended for personal purposes or for purposes unrelated to the content of their work”.