Unauthorized Monitoring of Employees' Email - A Case from Italian Practice

This article analyzes the Decision of the Italian Data Protection Commissioner ("Commissioner") No. 472 of July 17, 2024 ("Decision"), which concerns the monitoring of employees' official computers and emails, and the protection of personal data in accordance with Italian regulations and the General Data Protection Regulation of the European Union, which was adopted on April 14, 2016, and came into force on May 25, 2018 (“GDPR”).

Relevant Provisions of the GDPR

Article 5 of the GDPR outlines the principles regarding the processing of personal data. Personal data must be: 

• Processed lawfully, fairly, and transparently in relation to the individuals whose data is being processed (lawfulness, fairness, and transparency principle);
• Collected for specific, legitimate purposes and not further processed in a way that is incompatible with those purposes. Further processing for archiving in the public interest, for scientific or historical research, or statistical purposes is not considered incompatible with the initial purposes, according to Article 89(1) GDPR (purpose limitation principle);
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization principle);
• Accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay (accuracy principle);
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. Personal data may be stored for longer if processed solely for archiving in the public interest, for scientific or historical research, or for statistical purposes, in accordance with Article 89(1) GDPR, provided that appropriate technical and organizational measures prescribed by GDPR are implemented to protect the rights and freedoms of the data subjects (storage limitation principle);
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality principle).

The data controller is responsible for, and must be able to demonstrate compliance with, paragraph 1 of this article (accountability principle). 

Thus, any processing that does not comply with the aforementioned principles of the GDPR is unlawful and constitutes a violation of individuals' personal data.

Factual Background

On June 6, 2024, the Commissioner issued revised guidelines regarding the management of email at the workplace. These guidelines narrowed the strict requirements for data retention and processing, applying them only to email metadata and excluding the content of emails from their scope, thus reducing the employer's obligations.

A specific issue arose when a former employee claimed to the Commissioner that his former employer had accessed his business email account after his employment had terminated.

The company admitted to using forensic tools to access backup copies of emails as part of an internal investigation into alleged illegal appropriation of business secrets. The emails were later used as evidence in legal proceedings. The company justified its actions by citing legitimate business interests and argued that it was in compliance with the privacy notice sent to the employee.

Decision of the Commissioner

In this case, the Commissioner issued a decision in which it found violations of several principles under Article 5 of the GDPR:

• Data retention limitation and data minimization principles, as the company systematically created backup copies of emails during the employment period and retained them for up to three years after the employment terminated. The Commissioner considered this retention period to be too long and unsupported by clear and specific justifications.
• Lawfulness, fairness, and transparency principles, as the company's privacy notice did not provide key details, such as extended retention of backup copies and the possibility of accessing email content after the employment relationship terminated.
• Purpose limitation principle, as although the company claimed the software was used for IT security and business continuity purposes, the Commissioner deemed its use exceeded these purposes, including the use of emails in legal proceedings.

Finally, the Commissioner found that the employer's actions were contrary to applicable Italian legislation on employee monitoring, which requires prior agreement with trade unions or approval from a relevant authority. In this context, the systematic retention of emails for an extended period was considered a form of indirect remote monitoring of employees' activities.

As a result, the Commissioner imposed a fine of EUR 80,000 on the company.

Conclusion

The Commissioner’s decision confirms that email monitoring must balance business interests with employees' right to privacy, and such employer actions will be subject to stricter review by data protection authorities and courts.

In this regard, the employer is required to inform employees about the processing of their data in accordance with the GDPR and to adhere to the GDPR’s provisions when processing this data. 

The implications of the decision are significant, as emails and their metadata are frequently used for internal investigations and to determine employee contract breaches and disciplinary accountability.

Borinka Dobrnjac

Senior Associate

borinka.dobrnjac@prlegal.rs; legal@prlegal.rs;