


Unlawful access to employee email accounts: employee protection and company accountability


published on 22 May 2023 | reading time approx. 6 minutes


The Italian Data Protection Authority (“Authority”) has paid close attention to the unlawful monitoring of employees, especially through access to an employee's company email account in breach of mandatory privacy principles.


With reference to this type of processing, the Authority reminds employers that they must properly balance the interests of the company against the employee's right to the confidentiality of his or her communications.

Introduction

An important trend addressed by the Authority concerns the monitoring of an employee's activity through access to his or her company e-mail account.

The Authority has ruled on these issues several times (most recently with Ordinance No. 9861827 of 11.01.2023) and has generally pointed out that, in such cases, illegitimate access to an employee's company email may occur when there is no suitable legal basis for the processing and/or the privacy statement pursuant to Article 13 of the GDPR has not been provided to employees.

In this context, the correct balancing of the protection of the employee's rights against the legitimate interests pursued by the company becomes decisive in defining when monitoring of the company e-mail can be considered legitimate and which measures must be taken to ensure this.

Analysis of the provision of the Authority

In the provision of 11.01.2023, the Authority found that the company had unlawfully accessed the e-mail account of a terminated collaborator and had also set up automatic forwarding of his messages to a different worker.

In fact, following the sudden termination of the collaboration relationship, the company did not deactivate the collaborator's company e-mail account, arguing that the account was necessary:

  1. to re-contact the prospects met by the collaborator at the fair event he had attended; 
  2. to protect the legitimate interest of the company in exercising its rights in court.

In the provision the Authority pointed out that, in this specific case, neither the need to maintain relations with prospects nor the interest in defending the company's rights in court was legitimate, given the absence of an appropriate legal basis allowing the company to access the collaborator’s mailbox. The Authority also clarified that, as a rule, the legitimate interest of the employer (to defend its interests in court) must in any case be balanced against the employee's right to confidentiality of correspondence, which is a constitutional right.

Furthermore, according to the Authority, the company did not provide the privacy statement to the collaborator, in which it should have informed him of the potential access to his company e-mail account.

Considerations on the provision of the Authority

The Authority highlights that the employer is obliged to provide its workers (both employees and collaborators) with an appropriate privacy statement that, in a clear and transparent way, informs the worker that his or her email account may be accessed.

The Authority reminds that the purposes to be indicated in the privacy statement for these types of controls may be connected to specific organizational, production and work security requirements (pursuant to Article 4, second paragraph, of Law No. 300/1970), or may relate to the exercise of a right in court.

In addition, employers must pay particular attention to carrying out a specific and careful balancing assessment between the business needs of the company and the protection of the employees' right to confidentiality. The balance between those interests is an essential aspect, since the right to confidentiality is protected not only by the Italian constitution but also by the European Court of Human Rights (“ECHR”).

On several occasions the Court has affirmed that, in the event of unlawful controls conducted by the employer on the employee's company account, the employee's right to the confidentiality of his or her communications is protected by Article 8 ECHR (e.g. the Barbulescu v. Romania case).

Conclusions - best practices to ensure the accountability of the data controller

The above considerations have been stated several times by the Authority in similar provisions (e.g. Ordinance No. 9771545 of 7.04.2022 and Ordinance No. 9809466 of 21.07.2022); in those cases the Authority has always emphasized that the worker (both employee and collaborator) must be informed in advance by the employer about the processing activities, and that the company must carry out an adequate assessment of the balance between the interests at stake.

In view of the large number of such cases, the Authority adopted specific guidelines “on the subject of e-mail and the Internet” in 2007 which, although dated, still set out appropriate security measures that employers must adopt to ensure that processing activities relating to the control of an employee's e-mail account comply with data protection regulations.

The Italian guidelines state in particular that the employer as data controller shall:
  • create and use non-nominative e-mail addresses (e.g. info@companyname.com), possibly alongside individual ones;
  • enable the worker to send automatic reply messages containing the contact details of another person or company contact in the event of planned absences (e.g. for holidays or out-of-office situations);
  • in the event of any unscheduled absences (e.g. due to illness), if the worker cannot activate the automatic absence message himself or herself, arrange, if necessary and by means of specially appointed personnel (e.g. the system administrator), the activation of a similar automatic message, notifying the worker of it;
  • in the event of sudden or prolonged absence, the data subject should be enabled to delegate another worker (trustee) to check the content of messages and forward to the data controller those considered relevant to the performance of the work activity. A record of this activity should be drawn up by the data controller and the worker shall be informed at the earliest opportunity;
  • graduate the extent of the controls that may be adopted: for example, initially carrying out a preliminary control on aggregated data referring to the entire work structure or to specific areas, and then only at a later stage carrying out more specific controls, whenever appropriate.

Additionally, it is important to mention that with the recent Ordinance No. 9833530 of 1.12.2022, the Authority pointed out that even the long-term storage of metadata relating to the employees' e-mail (i.e. the day and time of sending, the sender, the addressee, the subject and the size of the e-mail itself) may result in the monitoring of the employees' work activity, and it is therefore necessary to adopt appropriate procedural measures in accordance with Art. 4, para. 1 of the Workers' Statute (Stat. Lav., Law No. 300/1970) as well as to provide the privacy statement under Article 13 of the GDPR.

In conclusion, it is important to remember that, notwithstanding the adoption of the measures described above, any control will be considered lawful only if the principles of minimization and proportionality provided for by the GDPR are respected, and therefore only if prolonged, constant or indiscriminate controls are excluded.

DATA PROTECTION BITES

author

Stefano Foffani, Avvocato, Associate

Nadia Martini, Avvocato, Partner

RÖDL & PARTNER ITALY
