DATA PROTECTION
Italian Data Protection Authority: systematic retention of employees’ e-mails and access logs for disproportionate periods of time is unlawful.
The systematic storage of employees’ e-mails - carried out for a considerable period of time (amounting to three years following the termination of the labour relationship) - and the systematic storage of access logs to e-mail and management software used by the employees is disproportionate and not necessary to achieve the employer's stated purposes, namely those of ensuring the security of the computer network and the continuity of the company's business.
This was established by the Italian Data Protection Authority by fining a company for 80 thousand euros.
For such disproportionate purposes, the employer may not access the employee's or collaborator's e-mail or use software to keep a copy of messages. Such processing of personal data, in addition to constituting a violation of data protection regulations, is likely to carry out unlawful monitoring of the employee.
The Italian Data Protection Authority, which intervened following a complaint filed by a commercial agent, found that the company in the course of the employment relationship, through software, had made a backup of the e-mail, preserving both the contents and the access logs to the e-mail and the company's management system. The information collected had then been used by the company in litigation.
The Authority also ascertained the unsuitability and deficiency of the information given to workers. In fact, the document provided for the possibility for the employer to access the e-mail of its employees and collaborators to ensure the continuity of the company's business, in case of their absence or termination, without mentioning, among other things, the making of the backup and the related retention time.
This, moreover, had allowed the company to reconstruct, in minute detail, the activity of the employee, thus incurring a form of control prohibited by the Workers' Statute (Law of May 20, 1970 no. 300).
Finally, with regard to the use of data in court, the Italian Data Protection Authority recalls that the processing carried out by accessing the employee's e-mail for purposes of protection in the judicial sphere refers to litigation already in progress, not to abstract and indeterminate hypotheses of protection as in this case.
In addition to the sanction, the Authority ordered a ban on further processing of data through the software used to back up e-mail.
This was established by the Italian Data Protection Authority by fining a company for 80 thousand euros.
For such disproportionate purposes, the employer may not access the employee's or collaborator's e-mail or use software to keep a copy of messages. Such processing of personal data, in addition to constituting a violation of data protection regulations, is likely to carry out unlawful monitoring of the employee.
The Italian Data Protection Authority, which intervened following a complaint filed by a commercial agent, found that the company in the course of the employment relationship, through software, had made a backup of the e-mail, preserving both the contents and the access logs to the e-mail and the company's management system. The information collected had then been used by the company in litigation.
The Authority also ascertained the unsuitability and deficiency of the information given to workers. In fact, the document provided for the possibility for the employer to access the e-mail of its employees and collaborators to ensure the continuity of the company's business, in case of their absence or termination, without mentioning, among other things, the making of the backup and the related retention time.
This, moreover, had allowed the company to reconstruct, in minute detail, the activity of the employee, thus incurring a form of control prohibited by the Workers' Statute (Law of May 20, 1970 no. 300).
Finally, with regard to the use of data in court, the Italian Data Protection Authority recalls that the processing carried out by accessing the employee's e-mail for purposes of protection in the judicial sphere refers to litigation already in progress, not to abstract and indeterminate hypotheses of protection as in this case.
In addition to the sanction, the Authority ordered a ban on further processing of data through the software used to back up e-mail.
