How to manage a former employee’s company email account


The management and retention of company email addresses, particularly those belonging to former employees, is a crucial issue for companies. Often, questions arise about the legality of redirecting emails intended for a former employee to another employee’s address and whether it is permissible to retain the contents of the former employee’s inbox to prevent the loss of important communications related to business activities. The Italian Data Protection Authority (Garante) has addressed this issue in several rulings, clarifying the boundaries between professional and personal use of email. Sometimes, company emails may contain personal data, and it is therefore necessary to balance the protection of such data with the operational needs of the company.

Regulatory Framework

The Garante first addressed this issue in 2007 by publishing specific guidelines on the use of email and the internet in the workplace, establishing that employees must be informed about the processing of their personal data. These guidelines promote measures to prevent the misuse of email and provide for the adoption of automated response systems in case of planned absences. Furthermore, the guidelines impose limitations on the retention of emails through automatic deletion systems.

Subsequently, the Garante clarified that upon termination of the employment relationship, the former employee’s email account must be deactivated, and a system should be implemented to generate an automatic message informing that the email address is no longer in use.

Additionally, in decision no. 216/2019, the Garante reaffirmed the employer’s obligation to delete the company email account at the end of the employment relationship, criticizing the widespread practice of using email accounts as long-term archives for company documentation. Prolonged retention of emails is not proportionate to the purposes of email services and does not comply with minimum security requirements.

Employer Obligations

In light of the Garante’s rulings, the employer is required to deactivate the company email account assigned to the employee upon termination of employment. This process should be carried out with maximum transparency, possibly in the presence of the employee, to avoid disputes regarding the use of the account after the termination and to allow the employee to save any information unrelated to work activities that they might be interested in (such as LinkedIn invitations or cultural event notices). The employer should also set up an automatic message notifying the closure of the address and suggesting an alternative contact. Finally, after an appropriate period, the employer must permanently delete the former employee’s account.

The employer cannot implement an automatic email forwarding system from the former employee’s account to another account, as it would require keeping the account active after the employment ends. This could result in the recipient of the forwarded messages becoming aware of personal information intended for the former employee, compromising their privacy.

However, emails may be retained for security reasons and to protect rights in judicial proceedings, provided there are ongoing disputes with third parties or specific pre-litigation situations; any massive retention of such emails is, however, excluded. The employer must retain only the emails that are strictly necessary and must always be able to justify this choice.

Compliance Measures

Every company should adopt tools and procedures to manage this situation effectively, ensuring compliance with regulations, including:

An internal procedure for document archiving: This procedure should ensure that all documents and communications necessary for business continuity are systematically saved in repositories identified by the company, making it unnecessary to perform a massive backup of electronic communications on company servers when an employee’s employment ends.

A procedure for the use of company email addresses and email services.

An automatic message deletion system.

Moreover, the privacy notice provided to the employee upon hiring must specify the data retention periods within the company accounts as well as the purposes and methods of access and control of email accounts, clarifying that the accounts may only be used for purposes related to professional activities.

Conclusion

The retention of personal data in email management must comply with the principles of minimization, necessity, and retention limitation established by Regulation (EU) 2016/679. It is, therefore, the employer’s responsibility to ensure a balance between the protection of employees’ personal data and the company’s needs, ensuring compliance with regulations and the protection of privacy.
