The Italian DPA confirms the prohibition of the employer’s indiscriminate control of company emails and smartphones

By decision of 22 December 2016, the Italian Data Protection Authority (DPA) upheld a claim brought by a former employee. The employee complained of the unlawful processing of his personal data by the company he worked for, both during his employment and after its termination.

The claimant had contested, on the one hand, the indiscriminate access to and storage of the data within his company email account – active even after his dismissal – and, on the other hand, the company’s ability, through its IT department, to remotely access and control the files saved on the claimant’s company smartphone for purposes other than device maintenance.

With regard to the data within the email account, the DPA found that the company had not provided any notice to the claimant – nor was there any information in the existing company policies regarding the use of IT tools by employees – about: i) the storage on the company servers, for ten years, of all the emails that passed through the account; ii) the fact that such account, in case of employment termination, would only be deleted within six months of such termination; iii) the existence of a procedure allowing access to the data contained in the corporate servers. It also pointed out that, regardless of this lack of information, the company’s indiscriminate ten-year retention of all the claimant’s emails constitutes in itself unlawful data processing, as it is totally disproportionate to the ordinary requirements for email services management, including the requirement for data systems security followed by the company.

Likewise, the data processing carried out by the company after the claimant’s dismissal was considered unlawful. The DPA stated that, in light of the principle that the data controller’s interest in accessing the data to ensure its business efficiency must be balanced against employee and third-party rights to secrecy of correspondence, company email accounts referring to individual employees should be promptly turned off after the termination of their employment. This includes adopting automatic reply systems informing third parties of the upcoming switch-off. The employer did not adopt such measures in the case at issue: on the one hand, it maintained the claimant’s email account for a long time after his employment was terminated, and on the other, it provided an automatic reply system informing third parties that the account was already turned off when, in fact, it had not been disabled.

The company’s behaviour was not considered compliant with the rules on remote monitoring of employee activities. Although these rules recognise the employer’s right to remotely verify that employees are performing their activities correctly, they do not allow massive, prolonged and indiscriminate controls, in order to safeguard workers’ freedom and dignity.

Furthermore, with regard to the access to and storage of files saved by the complainant on the company smartphone, the DPA found that, although the existing company policy on the use of smartphones described the company’s ability to remotely access, store (without any time limit) and delete the data saved on company smartphones, the data processing at issue was not compliant with data protection principles such as necessity, adequacy and relevance, since the ability to access and control the data was provided for in case of unspecified events. In addition – as already noted for data processing within the corporate email account – such remote access to and control of data, according to the DPA, violates the prohibition of massive and systematic control of employee activity by the employer.

Thus, the DPA enjoined the company from continuing to process the contested data, allowing it to retain the latter for the sole purpose of legal defence in any litigation with the dismissed employee, and, at the same time, ordering the start of an independent enquiry to assess possible administrative penalties against the company.
