The Data Protection Authority, with “Measure no. 216 dated 4 December 2019”, confirmed an already consolidated position, according to which an employer that keeps an employee’s company email account active after the termination of the employment contract and accesses the emails contained in the mailbox commits an offence.
The case
A company brought an action before the labour court against a former employee because he offered products in direct competition with its own products. The information in support of the action had been collected by the applicant company by logging in to the email account of the former employee even after the termination of the employment contract.
The worker thus complained to the Data Protection Authority, claiming that his former employer had not deactivated his email account and had accessed the messages he had received.
The company, in challenging the complaint filed by the employee, stated that the failure to deactivate the account and the simultaneous forwarding of emails to the address of the head of the Information Technology department had been arranged because (i) the former employee had failed to send customers a communication with the new company references. It added, moreover, that (ii) only correspondence containing business messages had been opened and not personal messages and that (iii) the former employee was aware of the “business practice” according to which the employer, after the termination of the contract, would check correspondence addressed to him.
Acknowledging that the facts complained of are prior to the entry into force of EU Regulation 2016/679 and that the information was given to employees verbally, the Data Protection Authority in any case declared the repeated use of the individual company account of a person no longer belonging to that company organisation unlawful.
The Data Protection Authority, in fact, stated that the employer must act in accordance with the principles of lawfulness, necessity and proportionality, which are the foundations of personal data protection, ordering the removal of corporate email accounts attributable to identified or identifiable persons. At the same time as closing the account, according to the Authority, the employer is obliged, if necessary, to equip itself with automatic systems to inform third parties and provide them with alternative addresses to contact. In addition, the employer must take appropriate measures to prevent incoming messages from being displayed throughout the period when the automatic system is active.
According to the provisions of the Measure, it is the implementation of appropriate technical and organisational measures that makes it possible to balance, on the one hand, the interest of the owner (that is, the employer) in accessing the information necessary for it to continue the management of the work activity and, on the other hand, respect for the legitimate expectation of the worker to confidentiality of correspondence. In addition, in the opinion of the Data Protection Authority, the adoption of internal rules on the basis of which information on the technical and organisational management adopted is shared with employees is one of the correct measures to be implemented.