The motive may be innocent — for example, because the employee wants to work from home but does not have access to the employer’s digital environment there – or it may be for other, less innocent motives. In any case, when company information leaves the employer’s digital environment without permission, this can have harmful consequences. 

In a recent case in the Netherlands, an employee was rightly summarily dismissed because he sent 791 documents from his employer’s server to his personal Dropbox account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated (among other things) that employees may not make copies of the employer’s data or store information from the employer on personal locations.  

According to the subdistrict court, taking company-sensitive and confidential information with him towards the end of an employment contract constituted an urgent reason for immediate dismissal, especially in view of the employer’s IT policy, which was known to the employee, and the repeated communication about it. The employer had recently sent an email to all employees reminding them that they were not allowed to take any documents or property from the employer with them at the end of their contract.  

According to the court, this meant that the employee was sufficiently familiar with the internal rules that prohibited the forwarding of company information to a private environment. The court therefore characterized the employee’s conduct as serious misbehaviour, so that he was not entitled to a severance payment. 

Tip 1: Have a clear IT policy 

This ruling confirms the importance of a clear IT policy and repeated communication about it. An IT policy can include clear guidelines and procedures on the use and protection of employer information. The policy can include (among other things) that employees are not allowed to make copies of employer data, to take data outside the employer’s digital environment, or to store employer information in a private environment. It is important that all employees are aware of this policy and understand what is expected of them. This prevents misunderstandings and mistakes. An employer can continue to ‘feed’ employees awareness of the policy, for example by providing training and sending reminders.

In the dismissal case discussed above, the employer also attempted to impose monetary penalties for breach of the confidentiality clause. However, the court held that the employer could not recover penalties because the clause was aimed at preventing company information from reaching third parties. Dutch case law provides that transferring company information to a private environment does not automatically mean that there has been dissemination to third parties. For this reason, the judge ruled that there was no breach of the confidentiality clause and the employee was not liable for any penalties. 

Tip 2: Extend the confidentiality clause 

Most employment contracts contain a confidentiality clause with an associated penalty clause. This clause is often aimed at preventing confidential and competition-sensitive company information from reaching third parties. However, even where it can be shown that an employee has transferred sensitive information to a private digital environment, it can be difficult and complex to prove that such information actually reached a third party. Employers should therefore consider formulating the confidentiality clause more precisely and with a broader scope, so that the transfer of information to a private environment is also covered.  

The employer can include a company data clause in the employment contract, specifically stating that the employee is not permitted to store company data in a private environment or otherwise take it outside the employer’s IT environment without the employer’s prior written consent. The clause can impose a penalty if a (former) employee nevertheless sends company information to a personal account. Whether such a clause will be upheld (and thus whether the employer can rely on it) will ultimately depend on the specific circumstances. 

Unauthorised transfer of employer information to an employee’s private digital environment can have serious consequences for both the employer and the employee. By taking proper measures and applying a clear policy (including appropriate sanctions), employers can minimise this risk.