
Italian company fined €80,000 for accessing former employee’s mailbox

13/12/2024

The Italian Data Protection Authority (DPA) has fined a company €80,000 for the unlawful access and processing of a former employee’s mailbox.


After the employee’s dismissal, the company engaged an external tech firm to examine the mailbox, suspecting potential misappropriation of business secrets. Using software initially intended for backup as part of its business continuity and disaster recovery plan, the company accessed and downloaded emails from the former sales agent’s account.


The DPA ruled this violated Article 114 of the Italian Data Protection Code (Codice in materia di protezione dei dati personali) in conjunction with Article 88 GDPR. The software used to back up data allowed the controller to check on employees’ activity without the safeguards required by Article 114 being in place.


The case highlights the importance of involving a Data Protection Officer (DPO) or privacy counsel to help navigate the complexities of employee data rights and ensure compliance with GDPR standards.


Although the company had a policy in place informing employees of possible access to their mailbox, the DPA found that the policy allowing for a three-year retention of emails after employment termination exceeded legitimate business needs and breached data protection standards.


The DPA ruled that the systematic storage of emails and access logs was disproportionate and unnecessary for security purposes, constituting an unlawful form of employee surveillance. The DPA also said email access for litigation purposes should be limited to active legal proceedings rather than speculative inquiries.


In addition to the fine, the DPA ordered the company to cease processing data through the email backup software. The authority also clarified that access to email data for judicial purposes should apply only to active, defined disputes, not speculative or undefined legal interests.


The case emphasises the need to ensure all monitoring practices are clearly justified, adhere to privacy principles, and are transparent to employees.


W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more.


For more information, please contact:


Eastern Europe

Vida.Jarasiunaite@wdenis.eu


Southern Europe

Christos.Hadjisotiris@wdenis.com


Western Europe &/or elsewhere worldwide

Mark.Dutton@wdenis.com
