The current focus on privacy highlights the importance of implementing a robust system for processing personal data contained in email accounts of employees, particularly when these individuals resign or are dismissed by the company.
By a recent decision dated 7 March, the Italian Information Commissioner (Garante per la protezione dei dati personali) imposed a significant fine on a company that failed to deactivate an employee’s email account after the termination of the employment relationship, thus violating the principles of legality, transparency, data minimization, and storage limitation as set forth by the EU General Data Protection Regulation.
In particular, in assessing the wrongfulness of the company’s data processing practices, three main factors were considered: (i) the lack of prior adequate information provided to employees regarding the processing of their personal data; (ii) the continued activity of the former employee’s account following the termination of the employment relationship; and (iii) the absence of appropriate automatic response systems and/or information that the account was no longer active.
A further issue was the absence of a sufficient legal basis for the data processing (e.g. processing for the purpose of defense in legal proceedings).
It is important to underline that the decisions of the Italian Information Commissioner should be interpreted in light of the specific circumstances under which they are issued; therefore, they should not be considered universally applicable, but they can certainly help companies avoid incorrect behaviors in personal data processing.
Given the complexity of this matter, our professionals are available to advise you in finding suitable solutions to manage email accounts, thereby reducing risks and protecting your business interests.