Processing of personal data carried out on company e-mail accounts shall be necessary and proportional

On February 1, 2018, the Garante per la Protezione dei Dati Personali, the Italian Data Protection Authority (DPA), prohibited an Italian company from storing employees’ corporate emails for an indefinite period. Such storage would violate the principles of lawfulness, necessity, and proportionality established by the Privacy Code.

The DPA explained that the company – instead of implementing such invasive processing – could have acted more efficiently, and in a manner more respectful of workers’ confidentiality, by setting up a document management system able to selectively identify the documents that should have been gradually archived.

The extended and systematic storage of e-mails, their retention for an indefinite – or prolonged – period, and the possibility for the employer to access them for theoretical purposes (e.g. a general defense in court, or the pursuit of a legitimate interest stated in the abstract) allow for a type of control of the employees’ activity that is prohibited by the applicable labor law, which does not authorize massive, prolonged and indiscriminate checks.

Decision no. 53 of February 1, 2018, doc. web n. 8159221, is available (in Italian) at http://www.garanteprivacy.it

For more information on processing EU citizens’ data, contact Francesca Giannoni-Crystal and Federica Romanelli
