Introduction
A recent decision by the Italian Data Protection Authority (DPA) has underscored the challenges employers face when managing employee email accounts under Italian data protection law. The case has sparked renewed scrutiny of email monitoring practices and reinforced the need for companies to ensure compliance with stringent GDPR requirements.
Background
On 6 June 2024, the Italian DPA issued revised guidelines on workplace email management (the Guidelines), providing much-needed clarity for employers. The Guidelines narrowed the strict storage and processing requirements to email metadata only, leaving email content outside their scope. This distinction was well-received, as it reduced compliance burdens for companies. For additional context, see our earlier analysis of the Guidelines in our previous post.
However, a recent decision by the Italian DPA’s decision (no. 472 of 17 July 2024) marks a significant development. It reinforces the Italian DPA’s overall strict approach, emphasizing the importance of lawful handling of both email metadata and content.
Key facts of the case
The case stemmed from a complaint by a former collaborator (the Claimant), who alleged that their company continued accessing their individual company email account after their working relationship ended.
The company admitted to using forensic tools to access email backups as part of an internal investigation into alleged trade secret misappropriation. The emails were later submitted as evidence in legal proceedings. The company defended its actions, citing its legitimate business interests and claiming compliance with the privacy notice provided to the Claimant.
Highlights of the DPA’s Decision
The Italian DPA issued an administrative sanction of €80k, identifying several violations of Regulation (EU) 679/2016 (GDPR) provisions, including:
- Unlawful data retention: The company systematically backed up emails throughout the working relationship and retained them for up to three years post-termination. The Italian DPA found this retention period excessive and unsupported by clear and specific justifications, violating GDPR principles of data minimisation and storage limitation;
- Inadequate privacy notice: The company’s privacy notice failed to disclose key details, such as the extended retention of backups and the possibility of accessing email content post-termination. This was deemed non-compliant with transparency and information obligations under the GDPR;
- Improper use of forensic software: While the company claimed the software was intended for IT security and business continuity, the Italian DPA found that, in practice, its use extended beyond these purposes, including the use of emails in legal disputes. According to the Italian DPA, this divergence from the stated purpose highlighted a lack of proportionality and necessity in the processing activities;
- Employee monitoring: The systematic storage of emails for extended periods was considered a form of indirect remote monitoring of employee activities. This practice was considered in breach of the applicable Italian legislation on employee monitoring, which requires prior union agreement or authorisation from the Labour Office.
Conclusions
The Italian DPA’s decision reinforces that email monitoring must balance business interests with employees’ privacy rights. The authority’s position carries far-reaching implications, not only for daily operations but also in sensitive areas, like internal investigations and audits, where email reviews play a crucial role.
Internal investigations will be more challenging for Italian employers, as practices such as reviewing employee emails are likely to be subject to stricter scrutiny by Italian DPA and other public authorities including employment courts.
Considering the evolving data protection legal framework, marked the Guidelines and this latest decision, Italian employers should closely review their email management practices. Proactively reassessing these processes can help mitigate compliance risks and align operations with regulatory expectations.
