Corporate e-mail and the right to secrecy after the termination of the employment relationship
Data protection
The recent activity of the Italian Data Protection Authority confirms the centrality of the right to the confidentiality of communications and, more generally, the correct exercise of data subjects’ rights as an essential safeguard for the protection of individuals.
The Authority reiterated – with Decision No. 754 of December 18, 2025 (the «Decision») – that the content of corporate emails, contact data of communications, and any attachments fall under the concept of correspondence and, as such, are protected by the right to secrecy, which is constitutionally guaranteed to protect dignity and the full development of individuals in social relations. In this context, the Authority sanctioned a company for continuing to access and forward emails addressed to the former CEO to third parties after the termination of the employment relationship, despite a specific and correct request to exercise rights under the GDPR. The prolonged conduct over time and the failure to respond to the request from the individual led to a violation of privacy regulations, resulting not only in a fine but also in an order to delete the account.
The Decision also provides a complementary and equally relevant interpretation, shifting focus to the obligation of the data controller to promptly respond, in a complete and understandable manner, to data subjects’ requests for the exercise of their rights. In the case under examination, the Authority found the data controller responsible for violating Articles 12 and 15 to 22 of the GDPR, due to the failure to respond to a personal data access request submitted by the data subject via certified email (PEC), following the methods and documentation specified in the Authority’s official model.
The approach taken by the Authority in firmly rejecting the organizational justifications presented by the controller is particularly significant. The Authority clarified in the Decision that mere internal mishaps, routing errors, or overlaps with previous communications can never be considered exonerating factors in relation to one of the core obligations of the GDPR (i.e., the right of access).
The right of access (and, more generally, the exercise of data subjects’ rights) is defined as a necessary and essential tool for enabling individuals to maintain control over their personal data and verify the lawfulness of its processing. For this reason, the controller is required not only to respond within the legal timeframe but also to provide genuinely useful responses, avoiding overly technical language or vague formulations that prevent the data subject from understanding who is processing their data, how, and for what purposes.
The interventions by the Authority convey a clear message to businesses and employers that respect for privacy is not limited to adopting policies or technological tools, but extends to effective organizational processes, timely responses, and truly transparent communication with data subjects.
The new AGCOM register for relevant influencers
Media & Communications
On July 23, 2025, AGCOM introduced the register of relevant influencers with Resolution No. 197/25/CONS. The measure aims to regulate the role of online influencers by establishing strict rules to ensure transparency and fairness in digital marketing.
The term «influencer» refers to individuals or legal entities who, including through virtual characters, disseminate content to the public via digital platforms, particularly social media, and who can significantly affect the behavior and choices of that public, in a manner similar or analogous to that of audiovisual media service providers under national jurisdiction.
Influencers are deemed relevant, and are thus required to register in the AGCOM register, if they meet at least one of the following criteria:
- a number of followers of at least 500,000 on at least one of the social media or video-sharing platforms they use;
- an average monthly number of views of at least 1,000,000 on at least one of the social media or video-sharing platforms they use (this includes the number of times content is viewed, including multiple views by the same user).
Registration is completed online by submitting a form to the Authority, available on its official website, in which the required personal information is provided.
Once registered, influencers must comply with specific obligations:
- clearly label sponsorships, product placements, and infomercials with visible tags (#sponsored, #adv, #advertisement);
- avoid harmful content for minors and report the use of filters that promote unrealistic models;
- protect intellectual property, combat counterfeit materials, and ensure respect for human dignity by avoiding violent, discriminatory content or content that promotes hate;
- include “in AGCOM register” in their bios to ensure transparency;
- comply with advertising, sponsorship, and ban regulations (tobacco, gambling, alcohol, medicines, subliminal advertising).
Social platforms and companies working with influencers (so-called Talent Agencies) are required to collaborate with AGCOM, making sure that influencers adhere to the guidelines and reporting methods imposed by the resolution and comply with applicable laws and regulations.
Furthermore, AGCOM has implemented a monitoring and sanction system for influencers who fail to comply with the established rules. Violations may result in fines up to €600,000 and other corrective measures.
Cybersecurity: the EU relaunches with the revision of NIS2 and the Cybersecurity Act
Cybersecurity
On January 20, 2026, the European Commission presented a new legislative package to strengthen the Union’s digital resilience. The proposal revises two pillars of European regulation – the Cybersecurity Act and the NIS2 Directive – with the aim of bringing them into line with the new context: more hybrid threats, more supply chain attacks, and an increasingly fragile digital geopolitics.
On the Cybersecurity Act front, the revision introduces a new approach to the security of ICT supply chains, particularly for critical networks such as telecommunications, promoting joint risk management among member states. The European Certification Framework (ECCF) is also strengthened, covering not only products but also services, processes, and security postures, with positive effects on compliance with NIS2.
As for the NIS2 Directive, the amendments aim to simplify compliance requirements, increase the proportionality of obligations, lighten the burden for SMEs and micro-enterprises, and improve coordination among states. The role of ENISA is reinforced: not just as a technical agency, but as an operational player in incident response and in managing the single notification point.
The trajectory is clear: to make the European framework more streamlined, practical, and sustainable. However, the challenge for businesses and public administrations will be translating these reforms into solid organizational safeguards, avoiding merely formal approaches.
In the meantime, some practical advice on how to prepare for the new EU cybersecurity package:
- Verification of ICT supply chains: map critical suppliers and analyze risks of dependence on non-EU entities.
- Upcoming certifications: monitor the new European certification regimes (ECCF) for products, services, and processes.
- Reassessment of NIS2 risk: update your impact analysis in light of the upcoming changes.
- Governance structures: involve IT, legal, and compliance teams to build an integrated and scalable safeguard.
- ENISA’s role: follow the new operational guidelines and prepare flows for the single incident notification point.
The new EDPB Recommendations 1/2026 on Binding Corporate Rules for Data Processors
Data Protection
On January 15, 2026, the European Data Protection Board (EDPB) adopted, for public consultation, Recommendations 1/2026 regarding the approval request and principles to be included in the Binding Corporate Rules for Data Processors («BCR-P»). The document repeals and replaces previous documents from the Article 29 Working Party dating back to 2018, while maintaining their fundamental structure.
The Recommendations pursue four stated goals: (a) to provide a standard application form for BCR approval under Article 47 of the GDPR; (b) to clarify the necessary content of BCR-P; (c) to distinguish what must be included in the BCR-P from what must be presented to the Lead Supervisory Authority (BCR Lead) in the application; and (d) to explain and deepen their requirements.
BCR are outlined in Article 46(2)(b) of the GDPR as a safeguard for personal data transfers to third countries (outside the European Economic Area) that have not been found, through an adequacy decision by the European Commission, to ensure a level of protection essentially equivalent to that guaranteed by the GDPR.
As emphasized by the EDPB, BCR-P are not suitable for covering personal data transfers directly from a Data Controller outside the Group, within the territorial scope of the GDPR, to a Data Processor belonging to the Group in a third country; in such cases, a different transfer instrument under Article 46 of the GDPR is required. Similarly, transfers of personal data from Data Controllers within the territorial scope of the GDPR to Data Controllers or Data Processors within the same corporate Group established in third countries are not covered by BCR-P, but by BCR for Data Controllers (BCR-C).
BCR-P, however, are applicable to personal data processed by Group members subject to Article 3 of the GDPR acting as Data Processors on behalf of external Data Controllers, when these Data Processors transfer the data to «internal» Sub-processors (i.e., other Group members) established in countries outside the European Economic Area, including any further transfers to other members of the BCR-P in third countries.
BCR-P alone are not sufficient. The external Data Controller must also appoint one or more members of the Group adhering to BCR-P as Data Processors under Article 28 of the GDPR, including a reference to the applicability of BCR-P to members of the corporate group in the appointment.
Among the various contents of BCR-P, the Recommendations require that at least one member of the Group established in the EEA territory accepts responsibility and liability for any violations committed by non-EEA members. This entity must demonstrate that it has sufficient assets to cover damages arising from violations. Furthermore, Group members must ensure full cooperation with the competent Supervisory Authorities and Data Controllers, accepting audit and inspection activities.
The Commission presents the proposal for the Digital Networks Act (DNA)
Digital Markets
On January 21, 2026, the European Commission presented a proposal for the Digital Networks Act (“DNA”), aiming to build a single market for networks and connectivity services within the European Union, overcoming current national fragmentation and promoting investment, innovation, and growth. Specifically, the DNA aims to establish robust, fast, and secure connectivity, necessary for strategic applications such as artificial intelligence, edge computing, and cloud services.
The DNA is designed to unify and simplify the European Union’s framework for electronic communications and connectivity, replacing and updating existing acts, and aligning with the regulatory framework and initiatives on cloud services, artificial intelligence, and cybersecurity.
One of the key innovations introduced by the DNA is the “Single Passport,” which, with the aim of reducing costs, will allow network and service providers to operate throughout the European Union based on a single notification and after confirmation from a national authority. To this end, the DNA sets out harmonized authorization conditions, coordination mechanisms, and mutual assistance between national authorities, as well as enforcement at the national level with the support of the new Office for Digital Networks (ODN).
The DNA also introduces specific provisions for the decommissioning (switch-off) of copper networks and the transition to fiber (FTTH), through national plans notified to the Commission. Until December 31, 2035, switch-off is only possible if the FTTH coverage in the area is at least 95% and connectivity services are available at affordable prices. After this date, member states must complete decommissioning in the remaining areas (with some exceptions).
Additionally, the DNA aims to complete the provisions of the “EU Space Act” proposal, promoted by the European Commission on June 25, 2025. In particular, recognizing the strategic role of satellite communications, the DNA establishes a centralized EU authorization for satellite services, ensuring fair access to the spectrum and improving security.
LEXIA’s Data & Technology Innovation team supports businesses and organizations in analyzing the regulatory implications of key digital innovations, offering tailored assistance to strategically and compliantly address the changes introduced by new European and national regulations.