More than six years have passed since the General Data Protection Regulation (GDPR) became applicable on May 25, 2018. Yet, even today, there are still uncertainties, if not outright gaps, in how an employer manages the e-mail accounts it provides to employees and/or collaborators.
The Italian Data Protection Authority (the Garante, referred to below as the DPA) imposes several sanctions on companies for precisely this every year.
Of particular interest is Order No. 127 of April 7, 2022, which concerns a company's mismanagement of a former collaborator's e-mail account, specifically that of an exclusive agent. In a complaint filed with the DPA, the agent stated that she had been denied access to her company e-mail account in order to retrieve personal content from the period before the agency relationship ended, and that the account, which was nominally assigned to her, had remained active after the relationship was terminated.
Upon receiving the complaint, the DPA carried out an inspection at the company's premises to collect the documentation relevant to the processing of personal data and to verify its compliance with the GDPR.
The company defended itself by stating that it had kept the e-mail account active for possible defensive investigations, and argued that, since the collaborator was not an employee of the company, certain "safeguards" enshrined in the GDPR did not apply.
The DPA found that the company was not even able to demonstrate that it had delivered to the agent an information notice on the processing of her data pursuant to Article 13 of the GDPR, and that no policy governing the use of the e-mail account existed, contrary to the DPA's own Guidelines for the use of e-mail and the Internet of March 1, 2007 (web doc. no. 1387522). On the distinction between subordinate employees and other forms of collaboration, the DPA stated that, "while taking into account the structural diversity between a subordinate employment relationship and an agency relationship" (omissis), "the processing of data carried out by means of information technology tools, in the context of any employment relationship, must comply with respect for the fundamental rights and freedoms as well as the dignity of the person concerned, in order to protect workers and third parties, as the case may be."
Starting from this premise, the DPA then reiterated the following basic principles in relation to personnel bound to the employer by any form of agreement:
On this basis, having examined the case and noted the various shortcomings in the management of the worker's personal data, the DPA (i) declared the processing carried out by the company unlawful; (ii) ordered the deactivation of the e-mail account in question; and (iii) imposed an administrative fine of 50,000 euros.
The order thus highlights the importance of adopting clear corporate policies on the management of electronic data and tools. It is essential to provide detailed information notices, to ensure data minimisation, and to respect the rights of data subjects. In addition, failure to deactivate corporate accounts after a relationship ends exposes companies to significant legal risk and to potential violations of workers' privacy rights, regardless of the legal nature of the working relationship.