The Italian Data Protection Authority (the Garante) issued a decision that significantly expands former employees' right of access to their work-related emails, putting companies at risk of disclosing considerable trade secrets and confidential information. While the ruling reinforces the right of access under Article 15 GDPR, it also creates a difficult — and potentially risky — scenario for businesses handling corporate email accounts.
At its core, the decision states that a former employee can access emails stored in their corporate mailbox, and that the employer cannot pre-screen, filter, or alter the content before granting such access unless there is a “concrete risk” deriving from the disclosure. This means that companies might be forced to transfer to former employees business information that is highly valuable. Is this approach operationally sustainable?
Former Employees’ Email Access: What the Garante Decided
In the decision, the Garante found unlawful the company’s approach of reviewing emails in advance and limiting access only to those considered “strictly personal.”
According to the Italian Data Protection Authority:
- emails stored in a corporate account are not the exclusive property of the employer
- the employee retains rights over personal data contained in those emails
- the employer cannot manipulate or “sanitize” email content before disclosure
This means that former employees’ email access must be granted in a way that preserves the integrity of the data, without any prior filtering.
The only limitation on such disclosure applies where a “concrete risk” derives from it. The scope of this limitation is not clearly defined. The right might be limited in the case of pending disputes, but what about business information that, once disclosed, might be passed on by the former employee to their new employer?
Why This Approach Is Problematic in Practice
The decision creates immediate challenges for organisations.
If companies cannot:
- review emails before disclosure
- remove third-party personal data
- exclude confidential or sensitive business information
then former employees’ email access may lead to the uncontrolled disclosure of information far beyond the employee’s personal data.
This includes:
- client communications
- internal legal or strategic discussions
- commercially sensitive information
- trade secrets embedded in daily correspondence
In other words, the decision risks turning former employees’ email access into a mechanism for transferring confidential information outside the company.
Trade Secrets and Confidential Information at Risk
One of the most critical implications of the Garante's decision on former employees' email access is the potential exposure of trade secrets.
Employers remain legally bound to:
- protect confidential business information
- comply with contractual confidentiality obligations
- safeguard third-party data
Yet, under this approach, they may be required to disclose emails without being able to mitigate these risks.
This creates a structural imbalance between:
- the right of access under GDPR
- the protection of trade secrets and business confidentiality
The lack of a clear balancing mechanism makes compliance extremely challenging.
Log Retention and Employee Monitoring Risks
The Garante also addressed the issue of log retention, adding another layer of complexity.
It reiterated that:
- logs retained for cybersecurity purposes must comply with the storage limitation principle, meaning retention must be strictly necessary and proportionate
- logs used for defensive purposes may qualify as employee monitoring, triggering the application of the Italian Workers’ Statute
This confirms that former employees’ email access cannot be assessed in isolation. It is part of a broader governance framework involving privacy, employment law, and cybersecurity.
The Need for a Very Conservative Approach
In light of this decision, companies may have no choice but to adopt a very conservative approach to email governance.
Practical steps include:
- restricting or clearly regulating personal use of corporate email accounts
- implementing data segregation and classification policies
- minimizing retention of emails and related logs
- defining structured procedures for handling access requests
The key shift is clear: risk cannot be managed at the moment of access; it must be addressed ex ante.
A Difficult Balance to Achieve
The decision of the Italian Data Protection Authority reinforces data subject rights but leaves companies facing a difficult trade-off.
On one side:
- a broad and almost unrestricted right of access
On the other:
- strict obligations to protect confidential information and trade secrets
Without a workable middle ground, organisations risk being caught in a compliance paradox — where any decision may expose them to liability.
The real question is no longer whether former employees have a right of access, but: how can companies comply with that right without compromising their most sensitive information? There is no doubt that, after this decision, companies will have to change the way confidential information is circulated within the company.
On a similar topic, you can read the article “The Garante Issues First GDPR Fine Over Employees Email Metadata Privacy Breach in Italy”.