Data Protection

Maltese Court of Appeal: Employee Email Addresses Constitute Personal Data

05 Dec 2018

3 min read

On the 5th of October 2018, in the case of Doreen Camilleri vs Commissioner for Information and Data Protection, the Court of Appeal reversed a decision previously taken by the Appeals Tribunal for Information and Data Protection and held that an employee’s email address constituted personal data.

Doreen Camilleri was employed with the European Union Programme Agency (“Agency”) and upon termination, the Agency requested a change of password to her email account  which resulted in the employee having no further access to her mailbox. In the original decision, the Tribunal held that an employee has no rights over his or her email identity as the email is chosen by the employer and the email is used for work purposes.

The parties agreed that a person’s name constitutes personal data and that the Agency processed such personal data on a lawful basis as it was in the Agency’s interest to ensure business continuity. However, it was subsequently revealed that following termination, emails had been sent from the employee’s email account by another person in the employee’s name. Effectively, this resulted in the employee’s email address, which included her name, being used for several days until the account was deleted following a complaint by the employee herself.

The Tribunal held that the applicable legal grounds for processing in this case were that the Agency was processing the personal data in order to comply with the law and that such processing is necessary for the performance of an activity in the public interest. The Court of Appeal disagreed with the Tribunal on the above and held that since the processing was taking place in order for the Agency to ensure smooth business continuity, then the legal ground applicable here is that of legitimate interest. Nevertheless, the Court expressed its reservations with respect to whether such processing was absolutely “necessary”.

The Court determined that the Agency did not follow the applicable procedure and had in fact asked for the password to be changed in the employee’s name, through her email address, and without her knowledge. The Court was not convinced that the appellant had been unavailable and remarked that a handover process should have taken place. Following an evaluation of the circumstances of the case, the Court held that the employee’s email address was classified as personal data.

For further information about how GVZH Advocates can help you with your data protection legal requirements, kindly contact us on