


Employer's access to terminated collaborator’s mailbox: the Italian DPA reiterates its consistent opinion


published on 25 November 2024 | reading time approx. 7 minutes


In a provision of July 17, 2024, the Italian Data Protection Authority (hereafter, “Authority”) reiterated its now-established guideline on the employer's access to, and processing of, data in the company e-mail account of a terminated employee or collaborator, confirming that the employer must adopt a set of safeguards capable of ensuring that this activity is carried out lawfully, from both the data protection and the labor law perspectives.

In particular, the Authority set out the informational and organizational requirements for the employer, which range from the prior provision of a document explaining as precisely as possible how the company tools operate and how the employer interacts with them (better known as the company tools regulation), up to the delivery of specific information giving notice of the modalities and purposes of the data processing related to access to the company mailbox once the employment relationship has ended.

Nor did the Authority overlook the issue of the storage and backup of the e-mail account's data: in the Authority's opinion, this processing must be anchored to a specific retention period that is proportionate to the nature of the purpose pursued (i.e., business continuity or corporate IT security).
Let's take it one step at a time.

The Authority's investigation originated from a complaint filed by a former collaborator (specifically, a commercial agent) of a company operating in the electrical material trade sector (hereinafter, the “Company”): the former collaborator complained that the Company had kept his company mail account active and accessed all the contents of the correspondence, which were later produced in the course of litigation brought before the Court of Venice.

As also confirmed by the documents produced before the Authority (in particular the document regulating the tools used to perform the work and to record access and attendance), the Company would have kept the former employee's account active in order to ensure business continuity, only to then use its contents, relating to the period of the collaboration, to defend itself in the lawsuit mentioned above. A discrepancy that, as we shall see, the Authority did not fail to point out in its analysis.

Moreover, the mail account verification was allegedly commissioned to a third-party forensic engineering firm using Company-owned software installed on Company laptops, with the aim of safeguarding the Company's rights in the aforementioned legal proceedings brought against the former employee.
Also, using this software, the Company would have:
  • performed a backup of the contents of the former collaborator's company mailbox for information security purposes, specifically to protect the integrity of the data against possible cyber-attacks, and then kept that backup for a period of 3 years from the end of the collaboration relationship;
  • retained a series of log reports relating to access to the former collaborator's corporate e-mail account for 6 months.

In the light of these facts, the Authority initiated its own investigations, finding several violations of personal data regulations as defined by Regulation (EU) 679/2016 (hereinafter, as better known, the “GDPR”) as well as of Law 300/1970 (hereinafter, the “Italian Workers' Statute”).

More in detail:
  • the privacy notice given to employees and collaborators about the Company's modalities of access to company mailboxes was found to be non-compliant with the GDPR, in particular as to the purposes and forms of access – which, in the Authority's opinion, were set out in an incomplete and non-specific manner – and as to the indication of the retention period of the personal data contained therein, erroneously identified as 10 years from the termination of the employment relationship for the fulfillment of all related activities;
  • the performance of backups – which is to all intents and purposes a processing of personal data within the meaning of the GDPR – was not covered by the aforementioned privacy notice, as it would not have been described in a detailed and compliant manner. Moreover, the same privacy notice would have failed to state the data retention period, corresponding to 3 years after the termination of the employment relationship;
  • the investigations into the contents stored on company devices would not have been the subject of appropriate notice to employees and collaborators, since this activity does not appear to be regulated by the information documents prepared by the Company – which, moreover, also fail to set out the legitimate, specific and non-generic reasons underlying the checks carried out, as well as the related procedures;
  • the systematic and persistent retention of e-mails for a period of 3 years from the date of termination of employment would be unsuitable, as well as disproportionate, to the purposes of ensuring business continuity – for which, in any case, the rule of setting up an automatic reply redirecting data subjects to an active account always applies – and information security. The same applies to the routine retention of access logs for the e-mail and management software used by employees, which is likewise disproportionate to the purposes described above;
  • with regard to the employment relationship, the retention of e-mails and their access logs is apt to allow monitoring of the activity performed by employees, in violation of the Italian Workers' Statute. By using the aforementioned software, in fact, the Company would have carried out data processing capable of reconstructing the employees' work duties in detail and over time, both through the communications exchanged via e-mail and through the examination of the management software's access logs.

Now, in view of the above, what can we learn from this latest fine imposed by the Authority?
First, that it is good practice for the data controller to inform the employee or collaborator in advance about the tools provided to perform the work activity and about the modalities and purposes through and for which the employer reserves the right to access the mailbox, bearing in mind that, according to the Authority's established opinion, the purpose of ensuring business continuity is ill-matched with such control, as business continuity can be ensured by adopting document management systems suitable for archiving documents while guaranteeing their authenticity, integrity, reliability and retrievability over time.

Second, that it is crucial – first and foremost to meet the requirements of Art. 5(1)(e) of the GDPR – to set a retention period for the data, the related backups and the mail log data that is proportionate to the purpose of the processing. That purpose could range from the need to gather evidence for the defense in a lawsuit against the terminated employee or collaborator – a judgment that, according to the Authority's constant guidance, must be current and concrete, not merely hypothetical – to the purpose of business continuity, which, as mentioned above, may lawfully be pursued through a tool other than the e-mail system, given the latter's inability to guarantee the integrity, authenticity and reliability of the data.

In addition, a congruous retention period must also be set for the log data collected through the e-mail system, especially considering the Authority's recent opinion condensed in the measure “Documento di indirizzo. Programmi e servizi informatici di gestione della posta elettronica nel contesto lavorativo e trattamento dei metadati”, according to which a long retention could amount to remote control of the activity performed by the employee: through the systematic collection of traffic data related to correspondence, the employer could verify whether the employee is fulfilling his or her work duties, thereby risking – if the relevant safeguards regarding union agreement or union authorization are not adopted – a violation of Art. 4 of the Italian Workers' Statute.

Finally, attention should be paid to the concept of “control” of the employer over the employee's work duties and the meaning attributed to it by the most recent case law of the Italian Supreme Court: according to the latter, the employee's e-mail box represents his (or her) inviolable domicile and therefore remains protected by the Constitution of the Italian Republic; therefore, in order to justify such an imbalance of interests between, on the one hand, the employer's right to defend its own rights in court and, on the other, the employee's right to the confidentiality of his (or her) correspondence, the control must be specific and carried out ex post facto, on the basis of a “well-founded suspicion” that the employee has committed an offence. At the same time, it should not be forgotten that the applicable privacy safeguards will also have to be complied with, namely: prior provision of a privacy notice pursuant to Article 13 GDPR, which shall be specific about controls, and prior provision to the corporate population of a document attesting to the operation of the tools provided to employees to perform their work duties.

 DATA PROTECTION BITES


Authors

Tommaso Mauri, Avvocato, Associate

Chiara Benvenuto, Avvocato, Senior Associate

 RÖDL & PARTNER ITALY
