“An employee may access the messages in their corporate email account and the documents stored on their computer after the termination of employment. Any limitations must be justified by specific and proven reasons, such as the protection of trade secrets”. This was established by the Italian Data Protection Authority (i.e. “Garante per la protezione dei dati personali”) in a decision issued on 12 March 2026 and published on 15 April 2026.
Following the termination of his employment relationship, the former employee asked the company for access to his personal documents and folders stored on his computer, as well as to the contents of his individual corporate email account. Initially, the company allowed only partial access, permitting the retrieval of files from the desktop but not from the email account, allegedly for technical reasons. At a later meeting, the company provided only the correspondence deemed “strictly personal” (such as exchanges with family members, tax certificates and expense reimbursements), excluding all communications related to work activities.
Faced with this limitation, the data subject formally submitted a request for access under Article 15 of Regulation (EU) 2016/679 (GDPR), asking for a copy of all emails contained in his corporate account from a certain date. The company replied that the request fell outside the scope of the right of access, arguing that the information contained in the email account was its property and that access should be limited to the employee’s personal data only.
The Authority found this approach to be non-compliant with the applicable legislation, reaffirming that the data subject’s right of access extends to all personal data relating to them, regardless of whether such data is classified as personal or professional:
“The content of email messages – as well as the external data of communications and any attachments – relates to forms of correspondence protected by confidentiality guarantees, also at a constitutional level, whose purpose is to safeguard the essential core of human dignity and the full development of personality within social formations”.
Accordingly, communications transmitted through an individualised account, even if work-related, constitute personal data of the account holder. The company’s claim that such communications were under its “full and exclusive control” was deemed an “erroneous assumption”.
The Authority also found the redaction and anonymisation carried out by the company to be unlawful. While the GDPR allows limitations to the right of access in order to protect the rights and freedoms of others (including trade secrets), the data controller must demonstrate a real and concrete risk of harm. In this case, the company failed to provide evidence of such a risk, and the redaction of third-party data appeared unnecessary, as the information was already known to the complainant.
The decision also highlights further shortcomings in terms of compliance. The Authority identified deficiencies in the transparency of the privacy notices and found the data retention periods adopted by the company (five years for emails and 12 months for browsing data) to be disproportionate in relation to the stated purposes.
In light of the violations identified, the Authority imposed an administrative fine of EUR 50,000 and ordered the company to grant full access to the requested data, as well as to update its privacy notices and internal policies.
