Italian Privacy Authority: mandatory to close e-mail accounts of former employees

With reference to the processing operations performed on corporate e-mails after the end of the employment relationship, according to the principles governing the protection of personal data, accounts referable to identified or identifiable people must be removed.

This was stated in the Privacy Authority’s measure n. 547 dated 22 December 2016, adopted in response to a complaint by a former employee of a multinational company about the illegitimacy of the processing of personal data by the company.

The Authority reaches this conclusion by balancing the employer’s interest in accessing the information needed to keep managing its activities efficiently against the employer’s obligation to respect the confidentiality of employees and third parties. In fact, as several measures have stated, the employer, while having the right to verify the exact fulfilment of job performance and the proper use of tools by employees, must still respect their freedom and dignity. Therefore, without a clear and precise policy on how the company’s tools may be used and on the checks that are carried out, the employee can legitimately consider some forms of communication confidential.

By personal data we mean any information that may make it possible to identify, even indirectly, the person to whom the information refers; accordingly, the Privacy Authority’s choice has to be considered correct, especially because, regardless of their content, electronic communications are a source of personal data and the names of senders or recipients are directly considered personal data.

With the above-mentioned decision of 22 December 2016, the Authority defined procedures useful for managing employees’ and former employees’ emails.

First of all, it was found that retaining both the external data and the contents of electronic communications on corporate servers for ten years does not comply with the principles of necessity, relevance and non-excessiveness (related to articles 3 and 11, first paragraph of the Privacy Code), unless the employer provides specific reasons which make retention necessary.

The reason why ten-year retention does not comply with these principles is that such a period does not appear commensurate with the real needs of managing e-mail services, including system security requirements.

In addition, systematically collecting employees’ electronic communications and storing them for a ten-year period would allow companies to monitor employees’ activities in violation of the new article 4 of the Statuto dei lavoratori (i.e. the workers’ reference Law n. 300 of 05.20.1970, as amended by the Jobs Act reform). That article does not permit the employer to perform activities capable of achieving, even indirectly, a massive, long-term and indiscriminate control of an employee’s activities.

Another procedure deemed inconsistent with the principles stated above is keeping mailboxes active for up to six months after the end of the employment relationship.

The Privacy Authority pointed out that providing an automatic reply message which gives notice of the account closing process and invites senders to forward communications to another valid email address does not comply with the rules laid down by the Code.

The Authority also provides guidance on the steps that have to be followed to close email accounts. In particular, the aforementioned measure of last December provides that before removing an account it is necessary to deactivate it and, at the same time, to implement automatic systems which inform third parties and provide them with an alternative email address related to the professional activity of the former employee.

Companies, however, can collect data contained in electronic communications if they have previously informed employees about the means of data collection and about the time that the account will remain active after the end of the employment relationship.

Although the Authority stated that further processing of former employees’ data is unlawful, whether carried out on the e-mail account or on any other device supplied to employees, the employer may still retain data for the purpose of protecting rights before a court, while respecting the limits laid down in Article 160, paragraph 6 of the Privacy Code. That provision states that the validity, enforceability and applicability of records, documents and measures related to judicial proceedings that are based on personal data processing which is not compliant with laws or regulations shall instead be regulated by the relevant procedural provisions concerning civil and criminal matters.

From what has been briefly reported above, it emerges that the Privacy Authority’s intention is to fully protect the privacy rights of employees and former employees, striking a balance between them and the employer’s right to control the activities of its employees.