“The employer cannot access the employee’s or collaborator’s e-mail or use software to store a copy of the messages. Such processing of personal data not only constitutes a breach of the data protection laws but also amounts to an unlawful control activity over the employee”.
This has been stated by the Italian Data Protection Authority, which sanctioned a company with a fine of EUR 80,000, with decision no. 472 of 17 July 2024, published in the institutional newsletter published on 22 October 2024.
The facts
The case originated from a complaint submitted to the Authority by a former collaborator of a company, who reported that the company had maintained his email account active and accessible even after the termination of his collaboration.
The investigation revealed that the company had commissioned a forensic engineering firm to investigate the contents of the collaborator’s email using the “Mail Store” application installed on company’s laptops. During the collaboration, the company had backed up the email inbox and had retained both the content and access logs for the mailbox and the management system. The e-mails collected through the application had then been used in a legal proceeding brought against the complainant before the Court of Venice.
Furthermore, the company, based on the document titled “Equipment used by the worker to perform work activities and tools for recording access and attendance – modalities and limits of use”, attached to the notice given to the complainant as a collaborator and directed at the company’s employees, processed data from corporate e-mail accounts in violation of data protection regulations. The document informed that the company could access the emails of employees and collaborators for the purposes of business continuity, in case of absence or termination of the relationship, but did not mention the backup process or the corresponding retention period.
The position of the Italian Data Protection Authority
The Authority stated that the systematic retention of e-mails – in this case, communications were stored for three years following the termination of the collaboration – and the systematic retention of access logs for the e-mail and management system used by the employees were not compliant with the applicable laws. The retention was deemed disproportionate and unnecessary for achieving the company’s stated purposes of ensuring the security of the IT network and the continuity of the company’s business activities.
This also allowed the company to reconstruct the complainant’s activities in detail. The Authority noted that “even if, hypothetically, such processing were aimed at achieving one of the purposes explicitly indicated in Article 4, (1), of Law no. 300/1970, it appears that the company did not activate the guarantee procedure provided therein (agreement with the workers’ representatives or, failing that, authorization by the Labor Inspectorate)”.
Lastly, as far as the use of the data in a judicial context is concerned, the Authority recalled that processing carried out by accessing an employee’s e-mail judicial protection purposes refers to disputes already in progress and not to abstract and indeterminate hypotheses of protection, as in the case under review.
