The Italian DPA (Garante) has stated that it is not allowed for a company to keep the email account of a former employee active following termination of the employment relationship and to access the emails contained in the inbox. The Decision of the Garante follows a complaint from an individual who complained that their privacy rights had been violated by their former employer who failed to deactivate their email account and accessed messages stored on the account, which they became aware of by chance during a court case. The company in question kept the individual’s email account active for 1.5 years after the end of the employment relationship and was, in fact, deactivated only after receiving a warning.
The DPA considers “methods adopted by the company to be unlawful because they do not comply with the principles of data protection, which also require the employer to protect the confidentiality of former employees. Immediately after the termination of the employment relationship, a company must in fact remove e-mail accounts attributable to the employee, adopt automatic systems with alternative addresses for those who make contact with the electronic mailbox and introduce technical measures to prevent the display of incoming messages.”
In the opinion of the Garante aims to balance the interests of the employer access to necessary information for carrying out its activity with the expectation of privacy and confidentiality of correspondence of employees, collaborators, and third parties. Furthermore, the “The exchange of emails with other employees or with people outside the company allows one to become aware of personal information about the employee, even if only by viewing external communications data (date, time, subject, names of senders and recipients).”