
Italy: Expanded Employee Access Rights to Corporate Email Accounts

The Italian Data Protection Authority has recently issued a decision strengthening employee rights to access corporate email accounts following termination of employment. The decision shows a more expansive approach to what counts as personal data in the workplace and creates additional compliance considerations for employers managing email systems and retention practices.

Scope of Employee Access Rights

The Authority upheld a former employee’s request for full access to the contents of his individually assigned corporate email account after termination. The employer had limited disclosure to emails it considered personal, on the basis that the remaining correspondence related to business activity and contained confidential information.

This position was rejected. The Authority confirmed that where an email account is individually assigned, all communications within that account are treated as the personal data of the employee, regardless of whether the content is personal or professional. Employers can only restrict access where they can clearly demonstrate the presence of genuine trade secrets.

As a result, the employer was required to provide full access and was fined EUR50,000 for failing to comply with the original request.

Retention and Monitoring Concerns

The decision also addressed broader data protection compliance issues. The Authority found that the employer’s retention periods were excessive, criticising the five‑year retention of emails and twelve‑month retention of browsing logs as disproportionate.

In addition, it confirmed that email backups and browsing logs can amount to tools for remote employee monitoring. As a result, their use falls within the scope of Article 4 of the Workers’ Statute. This means employers must obtain either prior agreement with trade unions or administrative authorisation before implementing such measures.

Practical Implications for Employers

This decision materially increases the risk for employers managing corporate email systems, particularly where accounts are assigned to individuals. In practice, this means:

  • employers may be required to disclose the full contents of email accounts on request, not just personal correspondence;
  • reliance on “business content” as a basis to refuse access is unlikely to be sufficient;
  • data retention periods need to be clearly justified and proportionate; and
  • email storage and monitoring systems may trigger additional regulatory requirements, including approval processes.

For businesses operating in Italy, or managing employees based there, this reinforces the need to review email policies, access processes and retention practices to ensure they remain defensible if challenged.

This is a high-level general update only. Legal advice should be obtained on specific circumstances.

