Italy's data protection authority expands employee rights over corporate email accounts

At a glance

• The Italian Data Protection Authority (Authority) has upheld a former employee's complaint seeking full access to the contents of his individually assigned corporate email account following the termination of his employment.
• The Authority classified all communications held in an individually assigned email account as personal data of the account holder, regardless of whether the content is personal or professional in nature.
• The employer was fined EUR50,000 for refusing full access and providing only emails it deemed to be of a personal nature.
• The decision also found the employer's retention periods to be excessive, criticising the five-year retention of emails and twelve-month retention of browsing logs.
• The Authority confirmed that email backups and browsing logs constitute potential tools for remote monitoring and therefore require a prior trade union agreement or administrative authorisation under Article 4 of the Workers' Statute.

On 12 March 2026, the Authority issued a decision that further expands the scope of employee data access rights in the context of corporate email accounts. The case concerned a former employee who, after the end of the employment relationship, requested full access to the contents of his individually assigned corporate email account. The employer refused to provide complete access, arguing that the bulk of the correspondence related solely to business activities and contained confidential company information. It therefore disclosed only emails it classified as personal, withholding those of a professional nature.

The Authority rejected the employer's position and ordered full disclosure of the email account's contents. Central to the decision was the Authority's finding that, where a corporate email account is individually assigned to an employee, all communications held within it qualify as that individual's personal data. The employer's ability to restrict access is limited to circumstances in which it can demonstrate the existence of genuine trade secrets. In addition, the Authority imposed a fine of EUR50,000 on the company for its failure to comply with the access request.

The decision also raised broader compliance concerns. The Authority found that the employer's data retention practices were disproportionate, taking issue with a five-year retention period for emails and a twelve-month retention period for browsing logs. Further, the Authority held that both email backups and browsing logs are capable of functioning as tools for remote employee monitoring. As such, their use falls within the scope of Article 4 of the Workers' Statute, meaning that employers must obtain either a prior agreement with trade unions or an administrative authorisation before deploying them.