Contrary to what is commonly assumed, an organization's data protection obligations toward an employee do not end when the employment relationship does. Even if the company has a legitimate interest in retaining some of that data (historical records of client and supplier contacts, preservation of evidence for potential future litigation, and so on), it must still respect the principles common to data protection frameworks and guarantee the former employee's rights.

In this context, the Italian Data Protection Authority (Garante per la protezione dei dati personali) fined the company Sicurnet Liguria S.r.l. €8,000 for violations of the European Union's General Data Protection Regulation (GDPR). The decision came after a former employee filed a complaint alleging that the company kept his corporate email account active after his employment contract ended.

The investigation revealed that Sicurnet Liguria not only kept the account active for a significant period after the employee left, but also configured automatic forwarding that redirected every incoming message to another company mailbox. The company also failed to respond to the former employee's requests to deactivate the account and to give him access to the messages received after his departure.

The Italian authority found that these practices violated several GDPR principles, including data minimization, purpose limitation, and storage limitation. The company also failed to provide the former employee with adequate information about the processing of his personal data and to honor his rights of access and erasure.

Source: Garante per la protezione dei dati personali

This post was translated and summarized from its original version using ChatGPT version 4o, with human review.