


Employee email accounts and data subject requests: lessons from the Garante’s latest decision


published on 27 October 2025 | reading time approx. 3 minutes

Decision no. 386 of 10 July 2025 by the Italian Data Protection Authority (Garante) sanctioned a university in Lazio for unlawfully retaining a professor’s institutional email account and mishandling their data subject rights requests. The decision provides practical guidance for all employers on how to properly manage privacy obligations towards employees.

The investigation began after a complaint by a professor who discovered that the university continued to retain access to their institutional email account after the termination of their contract. The inquiry revealed that the account remained active for approximately two years, without any defined retention period or automatic reply message to redirect incoming emails. The main points emerging from the Garante’s decision are summarized below.

The Garante recalled that electronic correspondence, which is also a right protected at the constitutional level, must not be retained without a valid legal basis. Prolonged storage of emails in the absence of internal policies defining retention periods constitutes a violation of the GDPR principles of lawfulness, fairness, transparency, and storage limitation under Articles 5 and 6. In such cases, prolonged retention is in itself unlawful, regardless of whether the messages are accessed. The Garante also referred to its previous decision of 6 June 2024 on the retention of metadata related to email management, which stated that the collection and storage of email transport files should be limited to 21 days, extendable only where justified by proven needs.

Furthermore, the decision highlighted shortcomings in the handling of the employee's data subject requests under Articles 15 et seq. of the GDPR. The professor had asked for confirmation of ongoing processing and for their data to be erased. However, the university provided generic and delayed responses. The university claimed the delay was due to the request ending up in the spam folder. The Garante found this explanation irrelevant, emphasizing that data controllers have an obligation, as part of their accountability duties, to regularly check all incoming mail, including spam. The university had also justified its refusal to delete or stop processing the data by invoking the need to exercise or defend a legal claim. However, the Garante clarified that such justification must refer to an ongoing dispute and cannot be used in abstract or hypothetical terms. Data may only be retained for defensive purposes where an actual and specific litigation is pending.

Lastly, a further issue identified by the Garante concerned the publication of internal documents online. The university, citing transparency obligations, had improperly published a transmission note and a departmental opinion relating to a teaching appointment. The former employee had also requested the removal of online search results linking to those internal documents. The Garante recalled that Article 19 of Legislative Decree no. 33/2013 authorizes the publication of notices, final rankings, and final acts, but not of internal or procedural documents. The online disclosure of such records, especially where they contain personal data of third parties, constitutes unlawful processing of personal data.

Conclusion

The Garante’s decision is a concrete reminder for all public and private entities to revisit their internal practices and processes for managing personal data. Underestimating privacy obligations towards employees can result in significant financial and reputational costs—often exceeding those required to prevent the risk in the first place. Failure to comply with GDPR obligations may lead to fines of up to 20 million euros or 4% of global turnover, in addition to reputational harm and potential litigation.

In light of the issues identified, it is essential to adopt practical measures to avoid similar situations. Key recommendations include:
  • Implement data retention policies. Establish clear procedures that define the timing and method for deactivating and archiving employee email accounts upon termination of employment. Ensure messages are deleted within set timeframes, and configure automatic replies to inform senders;
  • Properly manage data subject requests. Set up internal systems to track and monitor incoming access, erasure, or objection requests. Ensure spam folders are regularly checked to avoid delays. Respond in full and within the legal deadlines, clearly justifying any refusals;
  • Transparency and publication of documents. Only publish documents explicitly required by law. Any additional publication (e.g., on the company intranet) must have a legal basis or require the anonymization of any personal data contained therein;
  • Conduct Data Protection Impact Assessments (DPIAs). For high-risk processing activities or those implying potential monitoring of employees, conduct a DPIA and, if necessary, obtain prior authorization from the competent Labour Inspectorate or enter into agreements with trade unions;
  • Train staff and keep records updated. Ensure that managers and employees receive regular training on proper data processing practices. Keep processing records and privacy notices up to date.


This decision reinforces the accountability expected of employers in handling employees' personal data. Proper management of institutional email accounts and of data subject requests must reflect principles of responsibility, fairness, and proportionality.

data protection bites

author


Stefano Foffani

Attorney at law (Italy)

Associate

+39 049 8046 911


Valeria Specchio

Attorney at law (Italy)

Senior Associate

+39 02 6328 841
