Use of Official Devices Provided by the Employer for Private Purposes: Limitations of Employer Liability Under the GDPR

30 Sep 2025

We often encounter the practice of employers providing employees with official devices (phones, computers, and other work equipment) for performing work tasks.

The boundaries between business and private use of these devices often become unclear, which can lead to legal issues, especially when it comes to the protection of personal data.

In this regard, this article considers the decision of the High Court of Ireland in the case McShane v. Data Protection Commission, case no. (2025) IEHC 191 dated April 3, 2025 (“Decision”).

In this case, the question arose whether the employer could bear responsibility as a data controller in a situation where an employee uses an official device for personal purposes, without the knowledge and consent of the employer. By analyzing the circumstances of the case, the procedure before the competent data protection authority, and the Decision, we draw conclusions about the boundaries of the employer’s liability under the General Data Protection Regulation (“GDPR”) in the context of the employment relationship.

Circumstances of the Case

According to the described factual situation, the employee received an official mobile phone from the employer, which was supposed to be used exclusively for business purposes.

Subsequently, the employer suffered a significant security incident and a ransomware attack, which compromised a large number of the employer’s official computers and devices, including the official phone assigned to the employee.

On that device, in addition to business data, there were also the employee’s personal data which were not related to his employment, including access to his personal email account and cryptocurrency trading account.

In this regard, the employee, as the data subject, noticed that his personal email account and personal crypto account, which he accessed via the official phone, had been compromised, and that cryptocurrency worth EUR 1,400 was stolen.

Proceedings before the Commission

Since he was not satisfied with the employer's response to the complaint he submitted regarding this incident, the employee, as the data subject, filed a complaint with the Irish Data Protection Commission (“Commission”).

In the response that the Commission sent to the data subject regarding the issues he raised, it was stated that the employer was not the data controller in relation to personal data not connected to the job, which were located on the official phone, because the employee was obliged to use the device exclusively for business purposes.

Therefore, it was determined that there were no grounds, within the meaning of the provisions of the GDPR, for the employer to be considered responsible when personal data (personal email and crypto account) were stored on the device without the employer’s knowledge or consent.

Court Proceedings

Since he was not satisfied with the Commission’s decision, the employee challenged it before the High Court of Ireland.

The employee claimed that business data are considered personal data under Article 4(1) of the GDPR, that the employer was the data controller in relation to that data under Article 4(7) of the GDPR, and that the Commission erred in its conclusions. He characterized the Commission’s decision as “unreasonable,” referring to case law, and thus challenged it.

On the other hand, the Commission emphasized that the decision did not concern business-related personal data on the device.

The Court, through the Decision, rejected the employee’s request and upheld the Commission’s decision.

Conclusion

The Decision confirms that the liability of the data controller, under Article 4(7) of the GDPR, cannot automatically be attributed to the employer in all cases where an employee uses official devices, especially not in cases where they are used for personal purposes, without the knowledge and consent of the employer. 

At the same time, the case highlights the importance of clearly and precisely regulating the issue of using official devices, through internal acts and/or the employment agreement, i.e., defining clear rules and consequences for their violation.

Author:

Borinka Dobrnjac, Senior Associate
Email: borinka.dobrnjac@prlegal.rs; legal@prlegal.rs