Corporate email and employee rights: Critical issues arising from the Italian Data Protection Authority’s decision of 12 March 2026

1 July 2026
Thanks to Rossella De Sio for collaborating on this article

By Decision of 12 March 2026 [10233328], the Italian Data Protection Authority (“Garante”) once again addressed the sensitive issue of the management of individualised corporate email accounts, imposing sanctions on ITAS Mutua for a series of violations of data protection legislation. While the decision rests on broadly sound premises, it raises significant concerns both in terms of consistency with the current legal framework governing remote monitoring of employees and in terms of compatibility with the Authority’s own prior guidance.

  1. Background facts

The case originated from a complaint filed by a former employee of ITAS Mutua who, following the termination of the employment relationship, requested access to the entire contents of his corporate email account. The Company granted access only to messages of a strictly personal nature, refusing to hand over communications relating to work activities on the grounds that such data was the property of the Company. The correspondence was ultimately delivered only in part, after anonymisation of data relating to third parties. With regard to data retention, it also emerged that the Company performed backups of email data for a period of five years following the termination of the employment relationship and retained Internet browsing logs for twelve months, without either of these processing activities being disclosed in the privacy notice provided to employees.

  2. The violations ascertained by the Authority

The Authority first censured the Company’s refusal to grant full access to the email account. According to the Authority, communications transiting through an individual’s account are inevitably attributable to the personal data of the account holder, regardless of whether their content is work-related or private.

The Authority further held that the retention of emails by way of backup for five years and of browsing logs for twelve months was unlawful, finding a violation of the principles of data minimisation, purpose limitation and storage limitation. The Authority specified that retention in backup form constitutes data processing in all respects and that email systems are not suitable for ensuring the characteristics of authenticity and integrity required for proper document management.

Finally, the Authority found a violation of the rules on remote monitoring of employees, holding that both the email backup and the retention of browsing logs constitute tools potentially capable of enabling monitoring of employee activity, in the absence of the safeguards required by Article 4 of Law No. 300/1970 (trade union agreement or authorisation from the Labour Inspectorate). The Company was fined EUR 50,000.00 and ordered to grant full access to the email account and to bring its policies into compliance within 90 days.

  3. The classification of remote monitoring: a step backwards from the Jobs Act

A first area of concern relates to the classification of email backups and the retention of browsing logs as remote monitoring tools within the meaning of Article 4(1) of Law No. 300/1970. As is well known, the reform introduced by Legislative Decree No. 151/2015 (the so-called Jobs Act) fundamentally reshaped the rules on remote monitoring, drawing a key distinction between tools from which “the possibility of remote monitoring may also arise”, which are subject to trade union agreement or Labour Inspectorate authorisation, and “tools used by the employee to carry out work duties”, for which no such formalities are required.

In the case at hand, the Authority appears to have included email backups and log retention under paragraph 1, classifying them as monitoring tools, without, however, adequately addressing the question of whether such functionalities might instead constitute ordinary components of the work tools used by the employee to carry out work duties. Email is, by definition, a work tool; backup and log retention are technical functionalities inherent to its operation. An interpretation that systematically subjects such functionalities to the safeguard procedure under paragraph 1 risks effectively reinstating the regime that existed prior to the 2015 reform, thereby undermining the innovative scope of the distinction introduced by the law.

  4. Inconsistency with the Authority’s prior decisions: the paradox between full access and the obligation to delete

A further area of concern arises from a comparison between the prescriptions of the Decision under review and the Authority’s own prior guidance. In the present case, the Authority ordered ITAS Mutua to grant the complainant full access to the correspondence contained in the individualised corporate email account. However, in previous decisions – notably the Decision of 22 December 2016 [5958296] and Decision No. 364 of 23 June 2025 – the Authority had consistently affirmed the opposite principle, namely that corporate email accounts attributable to identified or identifiable individuals must be removed following deactivation after the termination of the employment relationship, with the simultaneous adoption of automated systems to inform third parties and provide alternative addresses, within a reasonable timeframe commensurate with the technical time required to implement such measures. An evident paradox thus arises: on the one hand, the Authority requires the prompt removal of individualised accounts after the termination of the employment relationship; on the other hand, in the Decision under review, it orders full access to an email account that, according to its own prior guidance, should have already been deactivated and removed.

  5. Conclusions

This Decision addresses a matter of undeniable importance, namely the protection of employees’ personal data in the context of corporate email management. Nevertheless, the solutions adopted by the Authority give rise to significant critical issues for businesses. It will be necessary to monitor the Authority’s position in future cases to assess the practical impact of the Decision.
