The Italian SA imposed a 40 000 EUR fine on a company for violating the confidentiality of a employee's email account after the end of his employment
Background information
- Date of final decision: 18 December 2025
- National case
- Controller: LTL S.p.A.
Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 15 (Right to access by the data subject) - Decision: Administrative fine, Compliance order, Erasure order or Add here your free text for the decision
- Key words: Administrative fine, Principles relating to processing of personal data, Transparency,
Right of access, Employment, Data subject rights
Summary of the Decision
Origin of the case
In a complaint submitted to the Italian Supervisory Authority (SA), an individual complained that, after receiving a disciplinary letter followed by dismissal, the company had denied him access to his company' email account, which remained active. Exercising his rights, the data subject asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply informing any senders of his new email address. However, this request remained unfulfilled, even though it was formulated in compliance with the GDPR.
Key Findings
During the investigation, the Italian SA found that the company not only continued to receive emails addressed to the employee, but also forwarded them to another company email account. This unlawful practice had been going on for about two months, exceeding the 30-day limit set by the company's internal rules.
Decision
The Italian SA fined the company 40 000 EUR.
In determining the amount of the fine, the SA took into account the type and duration of the violations, the failure to respond to the employee's request to exercise his rights, and the absence of previous violations of data protection regulations by the company.
The Authority therefore ordered the company to allow the employee access to his company email account and ordered its subsequent deletion, without prejudice to the retention of what was necessary for the protection of company's rights in court.
For further information: Garante: l’accesso alla email del lavoratore licenziato vìola la privacy