Search for:

A judicial decision, issued by the employment division of the Spanish Supreme Court (judgement No. 119/2018 of February 8, 2018), has confirmed the admissibility as evidence, to justify a dismissal, of the emails of the dismissed employee obtained in the course of an internal investigation.

This decision has its origin in a claim for unfair dismissal filed by an employee of a Spanish company which had been dismissed by the company for committing very serious infringements in accordance with article 54.2 of the Spanish Workers’ Statute. In particular, it was proven that the dismissed employee had accepted a bribe from one of the company’s suppliers consisting in two bank transfers for the acquisition of a luxury car. Needless to say, this was contrary to the company’s Code of Conduct.

The company first became aware of said potential infringement because the employee had printed the bank transfers’ receipts using the company’s printer. A work colleague found them by chance in the printer and immediately informed his superior. Subsequently, the company initiated an internal investigation of the facts during which the company reviewed the employee’s e-mails and found evidences proving the receipt of the bribe.

During the judicial procedure, the employee argued that his emails had been wrongfully obtained since his right to privacy had not been respected and, therefore, the emails could not be used as valid evidence to justify the dismissal.

However, the Supreme Court has ruled that the employee’s e-mails obtained in said investigation are valid evidence for the following reasons:

  • The company has internal regulations on the use of the information systems, which limit the use of the company’s computers to professional uses and forbids their use for personal purposes.
  • Before having access to the company’s information systems, all employees must accept the provisions of the company’s IT policy. The employees/users are warned that the company reserves its right to adopt the necessary monitoring and control measures to verify the proper use of the devices of the company.
  • The monitoring of the dismissed employee’s computer was agreed as a result of the “discovery by chance” by a work colleague of the bank transfers’ receipts, which suggested a potential breach of the company’s Code of Conduct.
  • The review of the e-mails carried out by the company was not generic and random. The company used key words to filter and select those emails relevant to the case. Furthermore, there was no need in this instance to access the employee’s services, since the reviewed e-mails were stored in the company’s server.

It is important to highlight that although in previous cases heard by the Spanish Constitutional Court a third party had been present during the e-mail review (e.g. a notary public, another employee, etc.), the Supreme Court found that absence of such third party did not invalidate the company’s control actions.

Finally, the Supreme Court weighed the plaintiffs’ right to privacy against the company’s right to exercise control over its employees and concluded that, in this case, the prohibition to use the company’s information systems for personal use implied that the employee could not have a reasonable expectation of privacy. In addition, the Supreme Court found that e-mail review had been carried out in compliance with the requirements set forth by the Spanish Constitutional Court. In other words, the Supreme Court deemed that the monitoring and control of the e-mails was necessary, appropriate and proportionate.

Companies should take this ruling into account when drafting IT policies (and related documents, such as user agreements) and conducting internal investigations.



Diego Pol is a senior associate in Baker McKenzie's Barcelona office. He focuses his practice on advising national and international clients in the area of corporate Compliance and prevention of legal risks, mainly in anti-corruption laws, export controls and sanctions, and corporate criminal liability. Diego likewise advises companies in corporate law and M&A transactions He has worked at various law firms in the United States and Spain and He teaches at the Master in International Business Law and the executive course on Corporate Compliance at ESADE Business & Law School).


Gemma Marce is an associate in Baker McKenzie's Barcelona office. She focuses her practice on advising on legal risk prevention and regulatory compliance, mainly in the area of the criminal liability of legal entities. She takes part in developing Corporate Compliance programs and advises companies in various economic sectors on devising their policies on regulatory compliance. She holds a degree in Business Management and Administration from Pompeu Fabra University.