Management of corporate email after termination of employment: the limits according to the Italian Data Protection Authority
The Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”) has once again provided guidance on how employers should manage corporate email accounts after the termination of employment, offering practical indications for companies and HR professionals.
The case originated from a complaint submitted to the Authority by a former executive who, following a disciplinary charge letter and subsequent dismissal, was denied access to his corporate email account, which remained active. By exercising his rights under the applicable data protection legislation, he requested the company to deactivate the account, forward the messages received during the period of inactivity to his personal email address, and activate an automatic reply informing senders of his new contact details. However, these requests, duly formulated under the GDPR, were not complied with.
The Authority reaffirmed a clear principle: requests for the exercise of data protection rights must always be handled within the statutory deadlines, even where they arise in the context of employment litigation. The fact that the request is formulated in a “non-technical” manner or that the relationship is conflictual does not relieve the employer from the obligation to respond within 30 days.
Returning to the issue of managing a former employee’s corporate email account, the Authority emphasised the established national and European case law according to which the protection of private life and correspondence extends also to the workplace.
An email account may contain personal data and communications falling within the scope of Article 8 of the European Convention on Human Rights, even where it is used for professional purposes.
It follows that accessing, forwarding or storing messages after termination of employment constitutes processing of personal data, which must comply with the principles of:
lawfulness;
data minimisation;
storage limitation.
The Authority clarified that business continuity needs do not automatically justify keeping a former employee’s email account active.
The correct approach is instead to:
promptly deactivate the account;
set up automatic replies to third parties;
avoid accessing the content of communications, except in exceptional and duly justified cases.
In the case at hand, the Authority found multiple violations of the GDPR and imposed an administrative fine of EUR 40,000, also ordering corrective measures and the publication of the decision.
The decision represents an important warning: the management of corporate digital tools after termination of employment requires clear, updated procedures fully compliant with data protection legislation.
As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…
Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…
Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…
As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…
With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…