Management of corporate email after termination of employment: the limits according to the Italian Data Protection Authority

The Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”) has once again provided guidance on how employers should manage corporate email accounts after the termination of employment, offering practical indications for companies and HR professionals.

The case originated from a complaint submitted to the Authority by a former executive who, following a disciplinary charge letter and subsequent dismissal, was denied access to his corporate email account, which remained active. By exercising his rights under the applicable data protection legislation, he requested the company to deactivate the account, forward the messages received during the period of inactivity to his personal email address, and activate an automatic reply informing senders of his new contact details. However, these requests, duly formulated under the GDPR, were not complied with.

The Authority reaffirmed a clear principle: requests for the exercise of data protection rights must always be handled within the statutory deadlines, even where they arise in the context of employment litigation. The fact that the request is formulated in a “non-technical” manner or that the relationship is conflictual does not relieve the employer from the obligation to respond within 30 days.

Returning to the issue of managing a former employee’s corporate email account, the Authority emphasised the established national and European case law according to which the protection of private life and correspondence extends also to the workplace.

An email account may contain personal data and communications falling within the scope of Article 8 of the European Convention on Human Rights, even where it is used for professional purposes.

It follows that accessing, forwarding or storing messages after termination of employment constitutes processing of personal data, which must comply with the principles of:

• lawfulness;
• data minimisation;
• storage limitation.

The Authority clarified that business continuity needs do not automatically justify keeping a former employee’s email account active.

The correct approach is instead to:

• promptly deactivate the account;
• set up automatic replies to third parties;
• avoid accessing the content of communications, except in exceptional and duly justified cases.

In the case at hand, the Authority found multiple violations of the GDPR and imposed an administrative fine of EUR 40,000, also ordering corrective measures and the publication of the decision.

The decision represents an important warning: the management of corporate digital tools after termination of employment requires clear, updated procedures fully compliant with data protection legislation.