The Data Protection Authority, with “Measure no. 216 dated 4 December 2019“, confirmed an already consolidated position, according to which employers that keeps an employee’s company email account active after the termination of the employment contract and accesses the emails contained in the mailbox, commits an offence.

The case

A company used the labour court against a former employee because he offered products in direct competition with its own products. The information in support of the action had been collected by the applicant company by logging in to the email address account of the former employee even after the termination of the employment contract.

The worker thus complained to the Data Protection Authority, claiming that his former employer had not deactivated his email account and had accessed the messages he had received.

The company, in challenging the complaint filed by the employee, stated that the failure to deactivate the account and the simultaneous forwarding of emails to the address of the head of the Information Technology department had been arranged because (i) the former employee had failed to send customers a communication with the new company references. Adding, moreover, that (ii) only correspondence containing business messages had been opened and not personal messages and that (iii) the former employee was aware of the “business practice” according to which the employer, after the termination of the contract, would check correspondence addressed to him.

Acknowledging that the facts complained of are prior to the entry into force of EU Regulation 2016/679 and that the information was given to employees verbally, the Data Protection Authority in any case declared the repeated use of the individual company account of a person no longer belonging to that company organisation unlawful.

The Data Protection Authority, in fact, stated that the employer must act in accordance with the principles of lawfulness, necessity and proportionality, which are the foundations of the matter of personal data protection, ordering the removal of corporate email accounts attributable to identified or identifiable persons. At the same time as closing the account, according to the Authority, the employer is obliged, if necessary, to equip itself with automatic systems to inform third parties and provide them with alternative addresses to contact. In addition, the employer must take appropriate measures to prevent incoming messages from being displayed throughout the period when the automatic system is active.

According to the provisions of the Measure, it is the implementation of appropriate technical and organisational measures that makes it possible to balance, on the one hand, the interest of the owner (alias the employer) to access the information necessary for it to continue the management of the work activity and, on the other hand, to ensure respect for the legitimate expectation of the worker to confidentiality on correspondence. In addition, in the opinion of the Data Protection Authority, the adoption of internal rules on the basis of which information on technical and organisational management adopted is shared with employees is one of the correct measures to be implemented.