Italian DPA: new stop on software allowing access to employees’ emails

With Resolution No. 472 of July 17, 2024 (the “Resolution”), the Italian Data Protection Authority (the “Garante Privacy” or the “Authority”) once again addressed the issue of email management in the workplace, imposing a fine of 80,000 euro on a company for violating data protection regulations. Specifically, the Garante Privacy found that the company:


  1. kept the corporate email account assigned to a former collaborator active after the termination of their employment relationship;
  2. backed up emails and access logs during the collaboration period and retained them beyond the end of the relationship for an unjustified retention period;
  3. used such information in a legal dispute against the former collaborator, analysing it through forensic investigations.

Facts underlying the complaint to the Garante Privacy

The case arose from a complaint submitted to the Authority by a former commercial agent who had collaborated with the sanctioned company. The former collaborator alleged that the company accessed their email account after the collaboration ended. The company claimed the access was necessary to gather evidence for a dispute concerning alleged unfair competition involving the theft of company information.

During its investigation, the Garante Privacy discovered that the company had engaged a forensic engineering firm to analyse the complainant’s email content using the Mail Store backup software installed on corporate PCs. Through this software, the company stored both the email content and access logs, retaining them even after the termination of the employment relationship. This occurred without providing employees with an adequate privacy notice.

At the conclusion of the investigation, the Authority deemed this practice unlawful, constituting unauthorized monitoring in violation of the fundamental principles of Regulation (EU) 2016/679 (“GDPR”), particularly those regarding lawfulness, data minimization, and storage limitation. Additionally, the practices breached the provisions of the Italian Workers’ Statute (Law No. 300/1970, as amended by Legislative Decree No. 81/2015).

Findings of the Garante Privacy

  1. Inadequate and incomplete privacy notice

The Garante Privacy determined that the company’s privacy notice was inadequate and incomplete, failing to satisfy GDPR requirements. In particular, the privacy notice did not inform employees about the characteristics and methods of data processing, particularly the retention period for emails and the methods and purposes of corporate monitoring. Specifically:

  • the privacy notice did not disclose that individual email accounts were backed up during the employment relationship or that their content was retained for three years after the employment relationship ended;
  • the privacy notice and company’s internal policy on the use of IT tools (the “IT Policy”) lacked specific details about potential monitoring of data stored on corporate devices.

The IT Policy allowed the company to access employees’ email accounts during periods of absence or after the termination of the employment relationship to ensure “business continuity”. However, the Authority emphasized that legitimate business needs related to operational documentation and business continuity should be addressed through document management systems. Such systems should incorporate appropriate organizational and technological measures that ensure the authenticity, integrity, reliability, readability, and accessibility of stored documentation. By their nature, email systems cannot guarantee these characteristics, as the Garante Privacy previously clarified in Resolutions No. 53/2018 (web doc No. 8159221) and No. 214/2020 (web doc No. 9518890).

Additionally, corporate documents concerning monitoring activities failed to specify legitimate, specific, and non-generic justifications for monitoring. They also did not establish methods compliant with the principles of lawfulness, proportionality, and necessity (as outlined in the Garante Privacy’s Guidelines on email and Internet).

  2. Unlawful processing of email content

The Garante Privacy found that the company used software to back up email accounts during the employment relationship and for three years after its termination. The Authority observed that:

  • the company did not specify reasons for retaining email content for such an extended period for system security purposes;
  • the company failed to justify retaining access logs for six months. The Garante Privacy cited its “Guidance document: programs and services for email management in the workplace and metadata processing”, published on June 6, 2024 (the “Guidance Document”), which establishes a maximum retention period of 21 days for metadata/logs (for further details, please refer to our previous contribution available here, in Italian);
  • the software was used for purposes other than IT system protection. Specifically, the company analysed employee emails, examined their content, and initiated legal proceedings, thus violating principles of lawfulness, data minimization, and storage limitation. The Authority emphasized that personal data in employment relationships may only be lawfully processed if: (i) the processing is necessary for managing the employment relationship or fulfilling specific legal obligations; and (ii) the processing is adequate, relevant, and limited to what is strictly necessary for the intended purposes and for the time required to achieve them.

These activities also constituted a form of monitoring prohibited by Article 4, Paragraph 1, of the Italian Workers’ Statute, referenced in Article 114 of the Privacy Code (Article 4 of the Italian Workers’ Statute constitutes a condition for lawful data processing in the workplace). The company failed to implement safeguards under this provision, such as obtaining trade union agreements or, in their absence, authorization from the labour inspectorate.

  3. Improper use of data in legal proceedings

Regarding the use of data in legal proceedings, the Garante Privacy clarified that accessing employees’ emails for judicial protection purposes shall be limited to ongoing disputes or pre-litigation situations, not hypothetical or indefinite protection scenarios, as occurred in this case.

Final considerations

The Garante Privacy’s resolution underscores, once again, the critical balance between protecting employees’ (and collaborators’) privacy rights and safeguarding corporate assets. While the fine highlights the need for strict compliance with data protection regulations, it also raises questions about the practical challenges businesses face in managing these issues in an increasingly digitalized world.

Achieving a balance between privacy protection and security requires a careful and measured approach. Unauthorized access to employees’ data not only contravenes legal requirements but also breaches trust within corporate relationships, potentially leading to significant repercussions. Companies should implement adequate safeguards to protect their informational assets, which are crucial for maintaining competitiveness and preventing harmful practices such as the theft of trade secrets.

The growing digitalization of business processes and the proliferation of advanced technologies exacerbates these challenges, necessitating not only technical solutions but also significant investments that not all businesses can afford. Ensuring strict compliance often means investing in technology, training, and human resources — a burden particularly heavy for SMEs, which could lead to disparities in data security and compliance across organizations, leaving some entities more vulnerable to risks and sanctions.

A more multidisciplinary and flexible approach could make compliance more sustainable for all businesses. For example, the Authority could provide more practical and detailed guidelines tailored to various operational realities and clarify technical and organizational requirements. Such measures would help businesses navigate complex regulations and adopt compliant practices. Similarly, legislators could consider updating laws where necessary to account for technological advancements and address the practical needs of economic stakeholders effectively.

Companies, for their part, should prioritize investing in training and awareness programs for employees to foster a deeper understanding of data protection’s importance and to mitigate the risk of errors or regulatory violations.

In conclusion, the protection of personal data should be harmonized with legitimate business needs, without imposing undue burdens on companies. Constructive dialogue among regulators, businesses, and legislators is essential to fostering a balanced system that upholds individual rights and corporate security, ultimately contributing to sustainable economic development.