The Italian data protection authority (Garante) recently sanctioned a company for accessing employees’ company email after the end of employment in violation of the principles of lawfulness, minimization and limitation of data retention, as well as labor law regulations on remote control in Italy.
This decision sets a relevant precedent that requires companies to be more careful in setting the conditions under which they may access employees’ emails for internal investigations after the termination of the employment relationship. Below is the review of the matter by my DLA Piper teammate Deborah Paracchini, analyzing a very hot topic at the moment in the Italian market.
In the case at hand, the Garante imposed a fine of EUR 80,000 on the former employer of the employees involved, along with a ban on the continued processing of data extracted through email backup software. The case stems from a complaint lodged with the Italian privacy authority by a former employee of the sanctioned company about the company’s access to his e-mail inbox in order to gather evidence for litigation concerning an alleged misappropriation of company secrets.
According to the Garante, the company processed data from its (former) employees’ email accounts in violation of the legislation protecting personal data, due to the lack of transparency of the privacy information notice with respect to the checks that could be carried out on employees’ emails and the violation of the principles of lawfulness, minimization and limitation of storage, as well as the rules on remote controls.
Specifically, with respect to the violation of the principle of:
1) transparency, the Garante found that the notice provided by the company was inadequate and did not meet the minimum requirements of EU Regulation 679/2016 (GDPR). Specifically, the disclosure did not clearly inform employees with respect to:
- the existence of systematic backup of company emails and their retention for three years from the end of the collaboration;
- why the data were being retained for these three years after the termination of the employment relationship, referring instead to the generic need for “business continuity”; and
- the possibility for the company to perform audits on the content of the e-mails and how to perform them.
2) lawfulness, minimization and limitation of retention, the Garante judged the retention period of three years for e-mails and six months for access logs as excessive compared to the security and business continuity purposes stated by the company. In fact, according to the authority:
- the e-mail backup software used by the company allowed detailed monitoring of employees’ activities carried out on the e-mail system, in violation of the prohibition on remote control set forth in Article 4 of the Workers’ Statute, which requires, for such intrusive controls, a union agreement or authorization from the relevant labor inspectorate; and
- access to former employees’ e-mails, while motivated by the need to protect the company’s rights, had to be limited to concrete litigation situations and not to abstract or potential hypotheses.
How, then, can employees’ e-mails be legitimately used as evidence of wrongful conduct perpetrated by former employees themselves to the detriment of the company?
This decision is an important reference for understanding the position of the Garante on the issue of access to employee e-mail accounts for purposes of defense in court and the potential consequences of similar practices adopted in many companies.
However, the following factors play a key role in the Italian data protection authority’s assessment and quantification of the penalty:
- the adoption of appropriate processing minimization measures in order to limit investigations to specific samples of communications that are actually relevant to the concrete exercise of rights (e.g., through appropriate filters);
- the non-use of automated solutions for indiscriminate monitoring, in accordance with labor law regulations on remote control;
- the existence of a well-founded suspicion of misappropriation of business secrets, which may motivate, if actually justified and aimed at the defense in court, access to only those e-mails necessary to prove the illegal conduct.
In conclusion, this decision underscores the importance for companies to prepare comprehensive and specific data-processing disclosures, especially with regard to any defensive checks that may be made on e-mail accounts, even after termination of employment. This, however, must always be done in compliance with the prohibition of remote monitoring of workers in accordance with the provisions of Article 4 of the Workers’ Statute (i.e., adopting appropriate measures to minimize processing), in order to protect the dignity of workers and not undermine their fundamental rights and freedoms.
On a similar topic, you may read the article on the limitations imposed by the Italian privacy authority on the retention of metadata of employees’ emails available HERE.