The Italian Data Protection Authority recently published guidance on the management of corporate email accounts following the termination of the employment relationship. The table below summarises the approach that the Italian Data Protection Authority is now consolidating on this common practical issue.

In particular, the table highlights the general recommendation criteria (e.g., deactivation/removal of the individualised account, use of automatic replies providing alternative contact details, limitations on the forwarding of correspondence, and transparency and consistency of internal policies and retention periods) that may be inferred from the specific recommendations expressly set out by the Italian Data Protection Authority in the corrective decisions reviewed.

Decision: 12 March 2026 – docweb 10233328
Recommendations of the Italian Data Protection Authority:
  - Correspondence in an individualised account falls within the protected sphere (even if “work-related”): it is not lawful to restrict a former employee’s access to “strictly personal” emails only, nor to review the mailbox in advance in order to select which messages to provide.
  - The retention of emails via backup for extended periods constitutes processing and must be transparent and comply with the principles of data minimisation, purpose limitation and storage limitation; business continuity needs should be met, in the first instance, through document management systems rather than the email system.
  - Internal policies must be consistent with one another as regards purposes and retention periods; moreover, the rules governing access and retention are also relevant for the purposes of the Italian framework on remote monitoring of employees.
  - The “generic” redaction/anonymisation of the content of correspondence, carried out to protect third-party rights or business/industrial secrets, is likewise deemed unlawful where the strictly limited grounds for restricting the right of access do not apply and/or where a concrete, substantiated risk of actual prejudice to the rights and freedoms of others is not demonstrated.

Decision: 18 December 2025 – docweb 10213574 (LTL case)
Recommendations of the Italian Data Protection Authority:
  - Post-termination: the approach regarded as compliant by the Italian Data Protection Authority is to remove the account (after deactivation) and implement automatic systems that inform third parties and provide alternative contact details; in addition, appropriate measures should be adopted to prevent incoming messages from being viewed during the period in which the automatic system is operating.
  - Forwarding incoming correspondence to other accounts, if prolonged and carried out for mere organisational needs, amounts to processing that is contrary to the principles of lawfulness, data minimisation and storage limitation.
  - Where reliance is placed on litigation/defence needs to restrict or defer the exercise of data subject rights, an actual and concrete prejudice must be demonstrated and, in any event, the data subject must be provided with a reasoned and timely notice; a broad, general claim that the correspondence is the company’s “property” is not acceptable as a basis to narrow the scope of access.
  - It is recommended that, when drafting internal IT policies/regulations, due account be taken of data protection principles and of the Italian rules on remote monitoring of employees.

Decision: 25 September 2025 – docweb 10184744
Recommendations of the Italian Data Protection Authority:
  - Structural guidance (also relevant post-termination): avoid “workarounds” whereby an individualised (named) account is used as a shared account. Individualised accounts should be attributable to, and managed by, the relevant individual; for operational needs, generic/non-named accounts should be used instead.
  - In internal policies, provisions allowing a departing employee’s account to remain active for extended periods, potentially with email forwarding and the “handover” of email archives upon request, are flagged as not aligned with the data minimisation principle; privacy notices and internal policies should therefore be reviewed so that they describe processing activities that are compliant.
  - Concerns are raised as to clauses granting the system administrator the “right” to access email archives at any time: this implies the need to narrowly scope and objectively justify any access/review activities, and to ensure transparency as to any “systematic archiving” (or broader collection) of email communications.

Decision: 23 June 2025 – Provv. n. 364, docweb 10161563
Recommendations of the Italian Data Protection Authority:
  - General post-termination rule: individualised corporate email accounts should be removed after the employment relationship ends, following deactivation and the simultaneous implementation of automatic systems to inform third parties and provide alternative contact details; the deactivation period must be “reasonable”, as it should be linked to the technical time needed to put such measures in place, rather than the employer’s needs.
  - Automatically redirecting/forwarding emails sent to a former employee’s account constitutes processing that makes information and content accessible, affecting the legitimate expectations of confidentiality of both the former employee and third parties; it should therefore be avoided or strictly limited in line with the principles of lawfulness, data minimisation and storage limitation.
  - Employees must be provided with an appropriate privacy notice, and an internal IT/email use policy must be adopted; the absence of such rules (and the resulting accessibility of messages by unauthorised third parties) is highlighted as a compliance shortcoming.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting-edge technology.