The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required.
The issue arose when the company used a backup of the agent’s emails and access logs for litigation purposes, a practice that, according to the Garante, violated the principles of data minimization, proportionality, and transparency as required by GDPR.
Excessive data retention
The company retained the contents of the agent’s individual email inbox for three years following the end of employment. The GDPR requires that data be retained only as long as necessary for a specific, legitimate purpose. In this case, the Garante deemed the retention period disproportionate, since it was not tied to a specific, legitimate purpose and did not follow an established procedure. This stance aligns with the Garante’s June 2024 guidance on employee email metadata retention, which sets limitations for such practices. For an in-depth look, refer to our blog article.
When it comes to data retention, particularly regarding work-related information, it’s crucial to balance security needs with employee privacy. Storing large volumes of employee emails long-term without valid reasons, or using them in unrelated contexts like litigation, can lead to serious compliance issues.
Transparency in Employee Privacy Policies
The company’s privacy policies lacked specific guidance on email backups, retention periods, and the circumstances under which access might occur. Under the GDPR, transparency is fundamental: employees must be informed whether, when and, most importantly, why their work data may be monitored, why it is stored, and how long it will be retained. A clear privacy policy should explain data handling practices, access and monitoring conditions, and retention timeframes, both to foster trust and to reduce legal risk.
Unauthorized monitoring and use of email data
The company’s use of external software to back up and access employee emails allowed for detailed monitoring of activities, extending beyond the employment period. According to the Garante, this practice risked infringing on Italy’s Labour Law (Article 4 of Law 300/1970), integrated into GDPR via Article 114 of the Italian Data Protection Code. This law restricts employee monitoring to specific, lawful purposes and requires union agreement or authorization from the Labor Inspectorate when using monitoring tools.
The Garante emphasized that systematically retaining email content and access logs for monitoring, particularly without proper notification, legal basis, or required authorizations, constitutes a form of unlawful employee control. For companies, this case highlights the need to ensure all monitoring practices are clearly justified, adhere to privacy principles, and are transparent to employees.
Conclusions
In its decision, the Garante also clarified that access to email data for judicial purposes should apply only to active, defined disputes, not to speculative or undefined legal interests, as was the case here. Alongside the fine, the authority prohibited any further processing of the data through the backup software used.
This case underscores the importance of involving a Data Protection Officer (DPO) or privacy counsel to help navigate the complexities of employee data rights. Properly managing email data extends beyond business continuity; it requires a strategic approach to lawful processing. A DPO can aid in establishing proportionate data retention policies, defining access parameters, and ensuring compliance with GDPR standards for transparency and proportionality.
With a DPO’s guidance, companies can develop policies that respect both employee privacy and organizational needs. Comprehensive, clear policies foster a secure, transparent data culture that prioritizes compliance, accountability, and trust.