In the context of the employee-employer relationship, a controversial issue concerns the control of the employee’s email account. Access to an employee’s email account, both during employment and after termination of employment, is a sensitive issue that requires a careful balancing of the employee’s rights and the employer’s interests.
The company email box is undoubtedly a working tool that the employer makes available to the employee. Remember, after all, that the employee about to change jobs cannot download his mail or store it in external storage media. Nor can he or she access his or her “old” mailbox because he or she would be committing an offence and would be liable to prosecution for abusive access to a computer system under Article 615 ter of the Italian Criminal Code, according to which “Anyone who abusively breaks into a computer or telematic system protected by security measures […] shall be punished by imprisonment of up to three years.”
It is equally true, however, that company emails also contain sensitive and strictly personal data and are protected by constitutional guarantees. In fact, the worker has a right to his or her privacy, the secrecy of correspondence, and the protection of his or her personal information.
Therefore, both the worker and the third parties involved may have a legitimate expectation of confidentiality with respect to certain forms of communication, especially in the absence of an appropriate policy. On the other hand, the employer has a legitimate interest in ensuring effective business management, protecting the security of company information, and ensuring the business continuity of the company in the event of the worker’s absence and/or termination of employment.
To avoid disputes and comply with privacy regulations, it is essential for the employer to adopt certain practices regarding the employee’s e-mail account:
1.- Internal Policy: From the beginning of the employment relationship, it is essential to establish and publicize an internal policy regarding the proper use of company tools and any controls. The company mailbox should be used for business purposes only, being in fact a company tool available to the employee. Making employees aware of the potential risks and consequences of misusing such tools is always a good thing.
In addition to informing the employee in advance and gathering his or her written consent, the employer should communicate the possibility of random or scheduled checks. The check should be targeted on the risk area and should take into account data protection regulations and the principle of secrecy of correspondence.
2.- Disclosure to Employees: In addition to this burden, the employer must also inform the interested parties in accordance with Article 13 of the Code, delivering to the employee the information regarding the processing of personal data, including the use of the e-mail box. To be complete and in line with the regulations, this notice should clarify, first of all, the use that the employee can make of the e-mail box and inform him or her of the retention and access policies.
In particular, it is important to include in the notice the length of the retention period as well as the purposes and methods of access/monitoring during the relationship.
3.- Adherence to Privacy Principles: The employer must adhere to the principles of necessity and relevance when handling employee personal data. The processing and any subsequent control of data must be limited to specified, explicit and legitimate purposes.
The employer has the right to check workers’ emails to verify the regular performance of duties, but the check should only concern the company’s email address and only in certain cases and according to precise rules, set out in the Privacy Authority’s Guidelines. Indeed, some important principles are enshrined in the 2007 Guidelines:
(a) the principle of necessity, according to which information systems and computer programs must be configured by minimizing the use of personal data and identification data in relation to the purposes pursued (Art. 3 of the Code; para. 5.2);
(b) processing must be carried out for specified, explicit and legitimate purposes (Art. 11(1)(b) of the Code; paras. 4 and 5), observing the principle of relevance and non-excessiveness (para. 6). Employers must process data “to the least intrusive extent possible”, and monitoring activities must be carried out only by those authorized and appointed to do so (para. 8). They must also take into account data protection legislation and, where relevant, the principle of secrecy of correspondence (Opinion No. 8/2001, cited above, paras. 5 and 12).
The same principles were reaffirmed in 2019, again by the Privacy Authority, in Order No. 216 of Dec. 04, 2019: an intervention that reiterates how privacy protection extends to the work environment as well.
In the case addressed by the Authority, a former employee filed a complaint because his former employer had accessed his company email account a year after he was terminated from service.
By keeping his mail account active for more than a year after the end of his employment, the company had in fact accessed communications received by him during that period, in violation of privacy regulations.
The Authority found that the methods adopted by the company were unlawful because they did not comply with data protection principles. It emphasized that the employer must protect the confidentiality of the former employee as well and inform employees in advance about the manner in which personal data is processed, including the use of company e-mail tools during the employment relationship and upon its termination.
Since 2019, the Privacy Authority has highlighted that the employee has a legitimate expectation of confidentiality on certain forms of communication, and that the employer, upon termination of employment, must close the company email account entrusted to the employee and cannot keep it active or entrust it to another employee. Of course, the employer must give notice, through the use of automated systems, that the account has been deactivated, and must provide an alternative company account to which new communications can be directed.
However, it is not permissible for the employer to implement an automatic redirect system, i.e., a mechanism for immediately forwarding mail received at the former employee’s address to another account, since it would be tantamount to leaving the account active.
To sum up, the retention of the account and the e-mails associated with it after the termination of employment would constitute a violation of privacy legislation and could be sanctioned. In fact, if the e-mail account is not deactivated, the former employee can file a complaint with the Garante, which can order sanctions or even inspection visits by the Tax Police to verify all the details of the grievance.
Controlling an employee’s e-mail account is a sensitive issue that requires careful management by employers. Complying with privacy regulations, adequately informing employees and adopting clear internal policies are key steps to avoid litigation and penalties. Employers should treat their employees’ personal information with the utmost care and respect, recognizing and protecting their rights to privacy and confidentiality of communications.