Spotty M you are right - in the UK, the company would be in breach of the DPA and if the employee could be bothered, they could kick up a stink with the company's Data Controller. Particularly after all the recent data security breaches!
I don't know about data protection policies in other countries though... Any case - if there's no permission, it's morally wrong!