With decision no. 165/2026, the Italian Data Protection Authority sanctioned a company for denying a former employee full access to their corporate e-mail account and for retaining messages and internet logs without an adequate legal basis.
In the case examined by the Authority, following the termination of the employment relationship, the former employee requested a complete copy of their corporate e-mail account.
However, the company only provided messages deemed strictly personal, excluding those related to work activities and obscuring certain data without specific justification.
The Authority clarified that work-related e-mails also qualify as personal data of the account holder, in light of the definitions of “personal data” and “processing” set out inArticle 4 no. 1 e no. 2 of the GDPR, and must therefore be made accessible to the data subject.
Furthermore, the Authority found the company’s practice of obscuring and anonymizing emails in advance unlawful, generically citing the protection of third-party rights or trade secrets. The right of access may only be restricted in cases of manifestly unfounded or excessive requests, or for the concrete protection of third-party rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]