Corporate email is often the main channel for work communication. But although it is owned by the employer, it contains information related to a specific person. This is precisely what places it under the protection of the General Data Protection Regulation (GDPR).
If this topic is important to you, learn everything you need through our online personal data protection training. Sign up today for the Personal Data Protection Course and be prepared.
According to Art. 4 of GDPR, any work email address that includes a personal name or identifies a specific person (e.g. georgi.petrov@firma.bg) constitutes personal data. This means that any processing of such information – reading, storing, forwarding – must comply with the strict requirements of GDPR.
What does this mean for the employer?
Employers are controllers of personal data. They are responsible for the lawful, transparent, and secure processing of work emails. According to the guidelines of the Commission for Personal Data Protection, including in Bulletin No. 3/2025, employers must:
- inform employees how work emails are used;
- create a clear internal policy for electronic communication;
- justify any monitoring or access to emails with a legitimate purpose;
- take measures to restrict access to the emails of former employees.
In Decision No. Ж-63-146/2022, the Commission for Personal Data Protection found a violation due to the lack of internal regulation on access to work email after leaving the company, emphasizing the need for predictability and legal certainty.
And employees – what can they expect?
Employees have the right:
- to know whether their emails are being monitored;
- to be informed about the purposes and scope of processing;
- to object to excessive monitoring;
- to seek assistance from the Commission for Personal Data Protection in case of a violation;
- to request deletion of personal messages when this is justified.
Is access to work email lawful?
There is no single answer – everything depends on the context. Case law, including the decision in Bărbulescu v. Romania (2017), places emphasis on the principles of transparency, proportionality, and necessity.
For access to be lawful:
- the employee must be informed;
- the monitoring must be carried out only when justified;
- personal communications must not be affected.
Examples from the practice of the Commission for Personal Data Protection
In Decision No. Ж-204-252/2021, the Commission for Personal Data Protection ruled that access to the email of a former employee, without a regulated procedure, violates GDPR. A similar position was taken in Decision No. Ж-226-204/2020, where automatic forwarding of emails after termination was considered a violation.
These cases show that even when an email is “work-related,” unauthorized access to it can lead to serious sanctions.
How to comply with the rules – best practices
For the employer:
- Introduce an electronic communication policy;
- Specify whether and what monitoring is carried out;
- Avoid automatic access to emails after termination;
- Appoint a data protection officer (DPO), if required.
For the employee:
- Use the work email only for work;
- Do not store sensitive personal messages there;
- Familiarize yourself with the company's internal policies;
- Use alternative communication for personal matters.
What needs to change in organizations?
Companies must:
- ensure legal compliance between IT systems and GDPR;
- maintain a record of processing activities;
- conduct internal personal data protection training;
- perform regular risk assessments.
Conclusion: a balance between control and trust
Personal data protection in work email is not just a formality. It is a key aspect of a culture of trust and legal compliance. GDPR is not intended to restrict business, but to set clear rules – for both the employer and the employee.
Sign up today for the Personal Data Protection Course and be prepared, if you want to learn more about rights and obligations under GDPR, including in the workplace context.