The Italian Data Protection Authority (the Garante) issued a decision (No. 165 – doc. web n. 10233328) against ITAS Mutua, an insurance company, upholding a complaint brought by a former employee under Article 15 GDPR in connection with access to his corporate email account.
The decision imposes a fine of €50,000. More importantly, it requires that the ex-employee be given full, unredacted disclosure of all correspondence in his work mailbox. Whilst broadly consistent with the Garante’s established approach, the decision raises concerns that deserve careful analysis.
A subject access request for work emails
Following termination of his employment, the complainant requested access to all of the emails in his work mailbox. The company responded giving access only to emails of a strictly personal nature, withholding work-related communications on the basis that these were company property.
When the full mailbox was eventually delivered, it had been partially redacted, with the company having removed content it considered to contain third-party personal data and trade secrets. The company also retained email backups for five years and internet browsing logs for 12 months.
The Garante found this approach unlawful on three grounds:
- all communications transiting through an individual account constitute personal data of the account holder: the company’s pre-emptive review and redaction exercise breached Articles 12 and 15 GDPR;
- the five-year email backup had not been disclosed to employees and was incompatible with the principles of data minimisation, purpose limitation, and storage limitation under Article 5 GDPR; and
- both the email backup and browsing log retention were capable of enabling remote monitoring of employees without the procedural safeguards required under Article 4 of Law No. 300/1970 (the “Workers’ Statute”) — namely, a prior collective agreement or authorisation from the National Labour Inspectorate.
Analysis
Trade secrets and a structural imbalance
The most difficult issue concerns trade secrets. The company had sought to rely on Recital 63 GDPR — which explicitly acknowledges that the right of access should not adversely affect trade secrets or intellectual property — to justify partial redaction of the correspondence.
The Garante rejected this, applying EDPB guidance on data subject rights (No 1/2022) to the effect that a generic concern about potential harm is insufficient: the controller must demonstrate specific, actual prejudice. On the facts, the Garante noted that the redacted content was contained in communications the complainant had himself sent or received, rendering the restriction difficult to justify.
That conclusion may well be justified on the specific emails in question. However, the decision offers no guidance on more commercially sensitive scenarios where the controller faces an invidious choice: grant full access and risk genuine harm to commercially sensitive information, or restrict access and face a regulatory complaint.
As much as anything, there is a fundamental difference between an employee holding confidential or commercially sensitive emails as an employee and as a private citizen. In the former situation, the employee is subject to a clear duty of confidentiality, and the information is likely held securely on the employer’s IT systems. In the latter situation, none of these protections apply.
More generally, this creates a structural imbalance the Garante does not acknowledge: the right of access is construed broadly, with a high evidentiary bar for any restriction, whilst the protection of trade secrets requires the controller to demonstrate concrete, specific prejudice before it can be invoked. In the context of post-employment disputes — where access requests are frequently deployed as tactical instruments — this asymmetry strongly favours the data subject.
Retention of logs and emails — A genuinely complex problem
The Garante reiterated that email systems are not appropriate document management tools and that legitimate business continuity needs should be met through dedicated document management infrastructure.
This is sound in principle but overlooks a practical reality: email remains the dominant form of business communication, and transitioning to bespoke document management systems is a significant undertaking, particularly for organisations operating in heavily regulated sectors with long statutory retention obligations.
The tension between those obligations and the Garante’s data minimisation expectations is acute and is not resolved by the decision. As much as anything, the responsibility for filing those emails in the relevant document management system falls on the very employee making such a request.
A similar complexity arises with browsing logs: retention for information security purposes must be proportionate to that specific objective, whilst retention for defensive litigation purposes triggers the Workers’ Statute procedural requirements. Controllers must navigate all of these constraints simultaneously, with no clear hierarchy between them.
Weaponising subject access requests
Underlying the decision is the assumption that the principal risk in employment-related access disputes is to the data subject. That assumption does not sit easily with the reality that post-employment access requests cost the employee nothing and are frequently made in the context of actual or threatened litigation or active competition from a former employee.
In those circumstances, the employer’s grounds for restriction are narrow, the evidentiary burden is high, and the cost of full disclosure — also in terms of trade secret exposure — may be significant.
Looking Ahead: The Digital Omnibus
The proposed EU “Digital Omnibus” package contemplates giving controllers the right to refuse or charge for access requests that are manifestly unfounded or excessive, including where the data subject pursues purposes other than the protection of their own data. This could, in theory, provide a partial legislative response to the tactical use of access rights in post-employment disputes.
However, the burden of demonstrating that a request meets that threshold would remain with the controller. Given the Garante’s demanding approach to restrictions on data subject rights, it is far from clear that this reform would alter the practical position meaningfully. For the time being, any choice a controller makes carries risk: granting full access risks trade secret exposure; restricting access risks an infringement finding.
Practical Takeaways
In light of this decision, controllers (in Italy) should consider the following:
- Audit privacy notices to ensure that email backup practices, retention periods, purposes, and legal bases are accurately and specifically disclosed to employees.
- Review email retention arrangements and assess whether existing document management systems can support business continuity without prolonged archiving.
- Ensure Workers’ Statute compliance before implementing any system — including email backup and log retention — that is capable of enabling remote monitoring of employee activity.
- Establish internal procedures for responding to access requests from former employees, including a protocol for assessing trade secret restrictions on a case-by-case basis, supported by documentary evidence of specific harm.
- Adopt a cross-disciplinary governance approach integrating data protection, employment law, information security and, as the case may be, IP/trade secret protection, and ensure decisions in one domain are taken with full awareness of the constraints imposed by the others.

For further information, please contact:
Eleonora Curreri, Linklaters
eleonora.curreri@linklaters.com