Data Protection Authority: stop software accessing employee email

In a recent decision (see Data Protection Authority Newsletter, October 22, 2024 here), the Data Protection Authority fined a company €80,000 for creating backups of an employee’s email account during the employment relationship, affirming that an employer cannot access an employee’s email or use software to retain copies of messages.

The Garante intervened following a complaint lodged by a sales agent, revealing that, during the employment relationship, the company used software (“MailStore”) to back up email content, preserving both email content and access logs for the email account and the company’s management system. The company subsequently used this information in litigation against the employee.

Firstly, the Authority ascertained that the information notice provided by the company was inadequate and incomplete in fully explaining the characteristics and methods of processing, given that the processing involved primarily the data contained in the email account. The document allowed the employer access to employee and associate emails to ensure business continuity in cases of absence or termination, without clarifying the intent to create backups or specifying retention periods of these backups.

The Authority further determined that the company, using the MailStore backup software, systematically and automatically retained emails for three years post-employment and access logs for six months, without specifying the particular reasons for this retention. This processing was determined to be neither proportionate nor necessary for achieving the stated purposes of ensuring network security and business continuity.

According to the Garante, the company’s processing allowed it to reconstruct the data subject’s activities over time, effectively conducting unlawful monitoring of work activities, violating the principles of legality, data minimisation, and storage limitation (Art. 5, Para. 1, letters a), c), and e) of the GDPR).

Finally, regarding the use of data in judicial proceedings, the Garante noted that processing employee email data to protect legal rights applies to ongoing litigation, not hypothetical, indeterminate protection cases as in this instance.

In addition to the aforementioned fine, the Authority imposed a ban on further data processing through the use of email backup software.
