The short answer is: not without limits. The fact that an email account, computer, or Microsoft Teams environment belongs to the business does not remove an employee’s data-protection and privacy rights. At the same time, those rights do not make every form of employer access unlawful. A specific and limited inspection may be lawful when it serves a genuine business or legal need, is strictly necessary and proportionate, and employees have received clear advance notice.
Purpose and method make the difference. Looking for a defined company message after credible evidence of a confidential-data leak is not the same as routinely reading every conversation to decide who is working “enough.” The first may be justified in appropriate circumstances. The second is much harder to reconcile with necessity and proportionality.
A company account is not a privacy-free zone
The employer normally controls the technical environment: it creates the account, pays for the licence, sets security rules, and may have administrator privileges. Technical capability is not, by itself, legal permission. Opening, searching, copying, exporting, or retaining messages is processing of personal data and requires a lawful basis and a defined purpose.
Even a fully professional message may reveal information about behaviour, working relationships, performance, health, trade-union activity, or personal circumstances. Messages also contain information about clients, colleagues, and other people. An inspection therefore affects more than the employee whose account is opened.
The legal framework in Greece
The General Data Protection Regulation requires lawfulness, transparency, purpose limitation, data minimisation, limited retention, and security. Greek Law 4624/2019, Article 27, also provides that employee data may be processed for employment purposes where this is strictly necessary.
Employers often rely on legitimate interests such as protecting confidential information, securing systems, investigating fraud, establishing legal claims, or maintaining a critical business function. Legitimate interest is not a blank cheque. The purpose must be genuine, access must be necessary, and a less intrusive measure must not be able to achieve the same result.
Employee consent is rarely the strongest basis because the imbalance in the employment relationship raises doubt about whether consent was freely given. Lawfulness should rest on an objective need, not on a broad acceptance box signed at recruitment.
When targeted access may be justified
No list automatically makes an inspection lawful, but limited access may satisfy the tests of necessity and proportionality in situations such as:
- a serious and documented suspicion that trade secrets or confidential files have been leaked,
- an investigation into a cybersecurity incident, malware, fraud, or unauthorised access,
- a search for defined business correspondence required for active litigation or a regulatory duty,
- recovery of critical company information during sudden and prolonged absence when no less intrusive continuity measure works,
- a compliance check in a highly regulated environment, provided that the measure is known, limited, and documented.
Even then, the search should be limited by time period, account, search terms, or file category. Security logs, metadata, or company records may answer the question before anyone opens message content. Only authorised people should have access, every action should be logged, and copied material should have a defined retention period.
When monitoring becomes problematic
Permanent or opaque content monitoring is highly intrusive. Curiosity, a wish to measure “commitment,” an administrator’s technical ability, or a vague reference to productivity is not enough. Particularly problematic practices include secret and continuous reading, mass collection for performance scoring, reuse for a purpose that was never announced, access to clearly private areas without compelling justification, and indefinite retention or unnecessary disclosure.
European workplace guidance favours prevention over continuous surveillance. Data-loss controls, sending restrictions, separation of privileges, and security alerts can often protect the organisation while interfering less with message content.
What is different about Teams?
The same principles apply to Teams, Slack, and similar platforms. Teams is more than chat: it can include private messages, channels, attachments, meeting recordings, presence data, calendars, and activity logs. Combined, these records can create a detailed picture of an employee’s working day.
A message labelled “private chat” is not necessarily technically invisible to the organisation. Conversely, the availability of eDiscovery, retention, or administrator tools does not make every use lawful. The organisation should define who may search, whose approval is required, which incident is being investigated, and how access is logged.
Advance notice must be meaningful
The Hellenic Data Protection Authority states that employees must be told in advance, clearly and appropriately, about monitoring methods, purposes, and procedures. A workable email and collaboration-tools policy should explain whether incidental personal use is allowed, which technical data is logged, how long it is kept, when content may exceptionally be accessed, who approves access, how clearly private material is handled, and where employees can exercise their rights.
A vague statement that “the company may monitor everything” does not cure excessive surveillance. The policy must be specific, accessible, and applied consistently.
What Decision 43/2019 shows
In a case concerning employer access to company email, the Hellenic DPA found the particular inspection lawful because internal rules prohibited private use and allowed internal checks, while evidence justified an investigation. The decision was not a general licence to monitor. In the same matter, the Authority found other infringements, including unlawful CCTV use and failure to respect the employee’s right of access.
The practical lesson is that lawfulness is assessed measure by measure. A justified email inspection does not legitimise every other surveillance system and does not release the employer from the duty to respond to employee rights.
Absence, sickness, and departure
Business continuity does not automatically require opening an entire mailbox. Good organisation comes first: shared mailboxes for functional addresses, case allocation, out-of-office messages, authorised cover, and storage of company records in shared workspaces rather than a personal inbox.
When an employee leaves, the account should be disabled under a controlled process. Access to historic correspondence should be limited to what is necessary for outstanding business. Long-term automatic forwarding of every new message creates additional risks and should normally be replaced by notifying senders and providing a new contact address.
Deleted messages may still exist
Deleting an item from an inbox or Teams does not always erase it immediately. Retention rules, backups, or legal holds may preserve a copy. That does not make every recovery lawful. Recovery remains processing and requires the same assessment of purpose, legal basis, necessity, access control, and retention.
What an employee can do
- Read the policy. Ask for the acceptable-use policy, employee privacy notice, and rules for email, Teams, and logs.
- Request specific information. Ask what data was inspected, for what purpose and legal basis, by whom, with whom it was shared, and how long it will be kept.
- Write to the employer or DPO. A calm and focused written request creates a clear record and gives the organisation an opportunity to respond.
- Exercise applicable rights. The right of access is not absolute and must respect third-party rights, but it cannot simply be ignored.
- Do not copy unrelated data in bulk. Evidence should be preserved lawfully. Exporting client or colleague correspondence without advice may create a separate confidentiality problem.
- Seek specialist help early. Disciplinary action, dismissal, sensitive-data exposure, or serious surveillance requires individual legal assessment. A data-protection complaint may also be submitted to the Hellenic DPA.
Employer checklist before access
- Is the exact purpose and lawful basis recorded?
- Is there concrete evidence making access necessary?
- Could metadata, logs, or another less intrusive method achieve the purpose?
- Was staff informed in advance through a clear policy?
- Are the time period, accounts, and search terms narrowly limited?
- Are approval, role separation, and an audit log in place?
- Is there a retention and secure-deletion deadline?
- Is a data protection impact assessment required, especially for systematic or high-risk monitoring?
Conclusion
An employer does not gain an unlimited right to read messages merely because it provides the email or Teams account. A specific access request may have a lawful purpose, but the employer must be able to demonstrate necessity, proportionality, transparency, and security. Employees should neither assume that every company message is completely private nor accept that “company-owned” means “anything goes.” The answer depends on the policy, the real circumstances, and the way the inspection was carried out.
Official sources
- Hellenic DPA: workplace monitoring FAQs
- Hellenic DPA: Decision 43/2019 on company email access
- Regulation (EU) 2016/679 (GDPR)
- Greek Law 4624/2019, Article 27
- Hellenic DPA complaint procedure
Article photo: Karola G / Kaboompics via Pexels. The people shown are illustrative and are not associated with Nomika Epilekta.
This article provides general information based on sources available on 14 July 2026. It is not individual legal advice and cannot replace examination of the relevant policy, facts, and evidence.
Comments
Share your thoughts about this article.
No comments yet. Be the first to comment.
Submit a comment