The Italian Data Protection Authority (the Garante) recently fined an insurance agency for not having properly managed the email accounts of two former employees, who had filed a complaint with the Garante. The Authority initiated an inspection, as a result of which the agency was fined.

In the course of the inspection activities conducted by the Garante, the agency defended itself by claiming that it had promptly notified IVASS (the insurance regulator) of the employees' resignations and had also blocked the two accounts, which were then deactivated within the following 120 days. According to the agency, this activity was necessary to ensure business continuity. For this purpose, the agency noted that the addresses could still receive emails, which were automatically redirected to a "sorting manager," who then forwarded them to the new account managers.

Later, the agency further clarified that:

  • the agency had adopted a policy governing the use of company IT resources, and the relevant document had been provided to all employees and contractors;
  • there had been no access to the accounts, as the block was ordered without entering them, and Aruba, the service provider, guaranteed IT security;
  • in addition to the redirection to the sorting manager, the agency confirmed that it was not possible to retrieve any correspondence or documents, as there was no backup;
  • an automated message had been set up informing customers of the change of manager within the agency;
  • the recording and preservation, without time limitation, of the logs of the e-mail system, as well as of the contents of the mailbox and other assigned resources, were carried out for reasons related to the company's business.

The Guarantor, following its inspection activities and having examined the agency's defences, confirmed the violation of the legislation on the protection of personal data, and in particular of Articles 5 and 6 of the GDPR. In this regard, the Guarantor preliminarily noted that the statements were unclear and contradicted each other (e.g., it was first asserted that the accounts were blocked, but later the agency itself admitted that the person in charge was sorting messages and passing them on to other employees).

In conclusion, the Guarantor found that:

  • the accounts were kept active for 120 days after termination, and during that period e-mails were automatically forwarded to a manager. This period was considered excessive, both because the agency claimed to have informed clients within 30 days and because IVASS indicated a maximum of 7 days for indicating the new agent to the customer;
  • no evidence was produced of the automated message to clients, nor that the person in charge could not actually access the content of the emails, a circumstance belied by the documents in the record (in any case, even the "external data" of an email, such as sender and subject, constitute personal data).

The Guarantor specifies that "It follows that the employer, after the termination of the [employment] relationship, must provide for the removal of the individualized business e-mail account, after deactivating it and simultaneously adopting automatic systems aimed at informing third parties and providing them with alternative addresses, thus avoiding the viewing of incoming communications on the individualized account assigned to the person concerned."

Second, the Guarantor confirmed the illegitimacy of the sine die retention of the logs and contents of corporate accounts. The agency, in fact, did not produce any evidence regarding the lack of backups mentioned above or, more generally, of the existence of a defined retention period.
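The two findings above (the account lifecycle the Guarantor describes, and the requirement for a defined retention period) translate into checks an administrator can run against the mailbox configuration of departed employees. The following is an added example, not code from the article, the agency or the Garante: it audits constructed mailbox records against those principles. The field names, the `GRACE_DAYS_BEFORE_DEACTIVATION` and `MAX_AUTOREPLY_DAYS` limits, and the sample addresses are assumptions for illustration; only the 7-day IVASS notification window is taken from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Limits used by the audit. MAX_NOTIFY_DAYS is the 7-day window the article
# attributes to IVASS; the other two are assumed values for this example.
GRACE_DAYS_BEFORE_DEACTIVATION = 0   # the Guarantor expects deactivation at termination
MAX_NOTIFY_DAYS = 7                  # IVASS: new agent indicated to the customer within 7 days
MAX_AUTOREPLY_DAYS = 90              # assumed bound on the auto-reply phase before removal


@dataclass
class Mailbox:
    """Hypothetical offboarding record for one former employee's account."""
    address: str
    terminated_on: date
    deactivated_on: Optional[date] = None        # login/reading blocked
    removed_on: Optional[date] = None            # account deleted
    customers_notified_on: Optional[date] = None
    forward_to: Optional[str] = None             # a human recipient is the problem the decision flags
    autoreply_alternative: Optional[str] = None  # alternative address given to third parties
    log_retention_days: Optional[int] = None     # None = retained sine die


def audit_mailbox(mb: Mailbox, today: date) -> list[str]:
    """Return one finding per principle of the decision that the record violates."""
    findings: list[str] = []
    deadline = mb.terminated_on + timedelta(days=GRACE_DAYS_BEFORE_DEACTIVATION)

    # 1. Deactivate at termination, not after a long active period.
    if mb.deactivated_on is None:
        if today > deadline:
            findings.append(f"{mb.address}: still active {(today - mb.terminated_on).days} days after termination")
    elif mb.deactivated_on > deadline:
        findings.append(f"{mb.address}: kept active {(mb.deactivated_on - mb.terminated_on).days} days after termination")

    # 2. No forwarding of incoming mail to a person: even sender and subject are personal data.
    if mb.forward_to:
        findings.append(f"{mb.address}: incoming mail forwarded to {mb.forward_to}")

    # 3. Automatic reply offering third parties an alternative address.
    if not mb.autoreply_alternative:
        findings.append(f"{mb.address}: no automatic reply giving an alternative address")

    # 4. Customers told about the new contact within the regulator's window.
    if mb.customers_notified_on is None:
        findings.append(f"{mb.address}: no evidence customers were notified")
    elif (mb.customers_notified_on - mb.terminated_on).days > MAX_NOTIFY_DAYS:
        findings.append(f"{mb.address}: customers notified {(mb.customers_notified_on - mb.terminated_on).days} days after termination (limit {MAX_NOTIFY_DAYS})")

    # 5. Remove the account once the auto-reply phase has run its course.
    if mb.removed_on is None and (today - mb.terminated_on).days > MAX_AUTOREPLY_DAYS:
        findings.append(f"{mb.address}: not removed {(today - mb.terminated_on).days} days after termination")

    # 6. Logs and contents need a defined retention period, not indefinite storage.
    if mb.log_retention_days is None:
        findings.append(f"{mb.address}: logs and contents retained without a defined retention period")
    return findings


def audit_all(mailboxes: list[Mailbox], today: date) -> dict[str, list[str]]:
    """Audit several records; only accounts with findings appear in the result."""
    return {mb.address: f for mb in mailboxes if (f := audit_mailbox(mb, today))}


# Constructed sample records (addresses and dates are invented for this example).
# The first mirrors the pattern described in the decision: 120 days active with
# forwarding to a sorting manager, customers informed after 30 days, no retention period.
AGENCY_STYLE = Mailbox(
    address="former.agent@agency.invalid",
    terminated_on=date(2022, 1, 10),
    deactivated_on=date(2022, 5, 10),
    removed_on=date(2022, 5, 10),
    customers_notified_on=date(2022, 2, 9),
    forward_to="sorting-manager@agency.invalid",
)
# The second follows the lifecycle the Guarantor describes.
COMPLIANT = Mailbox(
    address="other.agent@agency.invalid",
    terminated_on=date(2022, 1, 10),
    deactivated_on=date(2022, 1, 10),
    removed_on=date(2022, 3, 10),
    customers_notified_on=date(2022, 1, 12),
    autoreply_alternative="clients@agency.invalid",
    log_retention_days=180,
)

if __name__ == "__main__":
    for address, findings in audit_all([AGENCY_STYLE, COMPLIANT], date(2023, 9, 15)).items():
        print(address)
        for line in findings:
            print("  -", line)
```

Run as a script, the audit lists five findings for the agency-style record and none for the compliant one. The check deliberately treats any forwarding to a human mailbox as a finding, because the decision's point is that even the "external data" of a message (sender, subject) is personal data; business continuity is handled by the auto-reply and the customer notification, not by reading the former employee's mail.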

In this regard, the Guarantor recalled its guidance on the preservation of corporate e-mail, reiterating that "the legitimate need to ensure the preservation of documents necessary for the ordinary course and continuity of business ... is ensured, first, by the provision of document management systems with which through the adoption of appropriate organizational and technological measures identify the documents that in the course of the business must be gradually archived ... Electronic mail systems, by their very nature, do not make it possible to ensure such characteristics".

The Guarantor issued a fine of 5,000 euros and ordered the agency to bring its corporate regulations into compliance.

Corporate account management is a hotly debated and topical issue, and a compliant system can certainly be a solid defence in the event of inspection activities by the authorities.

Originally published on 15 September 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.