Former employees and access to company email: Data Protection Authority guidelines

Last Updated on April 24, 2026

With its newsletter of 15 April, the Data Protection Authority (DPA) issued Measure 165 of 12 March 2026 sanctioning a company for non-compliant management of a former employee's access to their company email account, as well as for its methods for storing and processing emails and internet logs.

The measure originated from a complaint by a former employee who, after leaving the company, had requested access to the data in their company email account. The company had actually provided only emails deemed “personal”, excluding any of a work-related nature, on the assumption (considered incorrect by the Data Protection Authority (DPA)) that this content was exclusively company property. The company had also selected and redacted some of the content.

In justification of its decision, the DPA clarifies that the right of access applies to all personal data regarding the interested party, even when included in business communications. This is because the distinction between the private and professional spheres is not clear: even in the workplace, relationships develop that fall within the notion of “private life” and “correspondence”, and as such are protected. Consequently, the employer may not filter the content of an email account in advance or restrict access solely to personal communications.

In this context, the DPA reiterates that the right of access can be limited only in those cases strictly provided for by the GDPR, namely in the event of manifestly unfounded or excessive requests or when necessary to protect the rights and freedoms of others. In the case of the latter, the Authority recalls that protectable rights also include industrial and trade secrets and intellectual property. However, even reference to these is not in itself sufficient to justify a limitation of the right of access since the data controller must provide tangible proof that fulfilment of the request would result in actual harm.

In the case in question, this proof was not provided. On the one hand, the data relating to third parties were included in communications already known to the interested party, making redaction unnecessary; on the other, the company did not produce evidence that access to the correspondence could lead to an actual risk to the confidentiality of company information and/or third parties.

In line with these principles, Measure 121 of 26 February 2026 reiterates that the right of access is fully exercisable also for documents or information already in the possession of the interested party. In that case, the Authority recognised the legitimacy of the request made by a former employee to obtain a copy of their employment contract documents, clarifying that the prior availability of data does not extinguish or limit the right of access.

Regarding storage of corporate email, the DPA deems the following to be non-compliant:

  • backup for a period of 5 years;
  • the absence of clear, complete disclosure to employees about these processes;
  • the lack of consistency between information provided and company policies, which detail different storage periods.

The DPA also reiterates that, due to its very nature, email is not a suitable tool for the structured storage of company documentation, which should instead be managed using dedicated document systems.

With regard to the Internet browsing logs, the company stored these for twelve months, for the purposes not only of computer security but also of defence in court. In the opinion of the DPA, however, this choice may make it possible to monitor employee activity.

In this regard, it is particularly important to refer to the legislation on remote control of employees: tools such as email and computer logs, when used in a way that permits work activity to be controlled, can only be used in compliance with the specific procedural guarantees provided for by Article 4, paragraph 1, of the Workers’ Statute, that is, with prior union agreement or authorisation from the Territorial Labour Inspectorate.

The measure confirms that the adoption of corporate IT tools requires an integrated assessment from a privacy and work perspective.

Toffoletto De Luca Tamajo is at your disposal for any support you may need in identifying the most appropriate solutions.

For further information: comunicazione@toffolettodeluca.it
