Author: Eleonora Curreri
The Italian Data Protection Authority (the Garante) issued a decision (No. 165 - doc. web n. 10233328) against ITAS Mutua, an insurance company, upholding a complaint brought by a former employee under Article 15 GDPR in connection with access to his corporate email account.
The decision imposes a fine of €50,000. More importantly, it requires that the ex-employee be given full, unredacted disclosure of all correspondence in his work mailbox. Whilst broadly consistent with the Garante's established approach, the decision raises concerns that deserve careful analysis.
Following termination of his employment, the complainant requested access to all of the emails in his work mailbox. The company responded by giving access only to emails of a strictly personal nature, withholding work-related communications on the basis that these were company property.
When the full mailbox was eventually delivered, it had been partially redacted, with the company having removed content it considered to contain third-party personal data and trade secrets. The company also retained email backups for five years and internet browsing logs for 12 months.
The Garante found this approach unlawful on three grounds:
Trade secrets and a structural imbalance
The most difficult issue concerns trade secrets. The company had sought to rely on Recital 63 GDPR — which explicitly acknowledges that the right of access should not adversely affect trade secrets or intellectual property — to justify partial redaction of the correspondence.
The Garante rejected this, applying the EDPB guidelines on the right of access (Guidelines 01/2022) to the effect that a generic concern about potential harm is insufficient: the controller must demonstrate specific, actual prejudice. On the facts, the Garante noted that the redacted content was contained in communications the complainant had himself sent or received, rendering the restriction difficult to justify.
That conclusion may well be justified on the specific emails at issue. However, the decision offers no guidance for more commercially sensitive scenarios, where the controller faces an invidious choice: grant full access and risk genuine harm to commercially sensitive information, or restrict access and face a regulatory complaint.
Above all, there is a fundamental difference between an employee holding confidential or commercially sensitive emails as an employee and holding them as a private citizen. In the former situation, the employee is subject to a clear duty of confidentiality, and the information is likely held securely on the employer's IT systems. In the latter situation, none of these protections apply.
More generally, this creates a structural imbalance the Garante does not acknowledge: the right of access is construed broadly, with a high evidentiary bar for any restriction, whilst the protection of trade secrets requires the controller to demonstrate concrete, specific prejudice before it can be invoked. In the context of post-employment disputes — where access requests are frequently deployed as tactical instruments — this asymmetry strongly favours the data subject.
Retention of logs and emails — A genuinely complex problem
The Garante reiterated that email systems are not appropriate document management tools and that legitimate business continuity needs should be met through dedicated document management infrastructure.
This is sound in principle but overlooks a practical reality: email remains the dominant form of business communication, and transitioning to bespoke document management systems is a significant undertaking, particularly for organisations operating in heavily regulated sectors with long statutory retention obligations.
The tension between those obligations and the Garante's data minimisation expectations is acute and is not resolved by the decision. Moreover, in practice the responsibility for filing those emails in the relevant document management system falls on the very employee who later makes the access request.
A similar complexity arises with browsing logs: retention for information security purposes must be proportionate to that specific objective, whilst retention for defensive litigation purposes triggers the procedural requirements of the Workers' Statute (Article 4) on remote monitoring. Controllers must navigate all of these constraints simultaneously, with no clear hierarchy between them.
Weaponising subject access requests
Underlying the decision is the assumption that the principal risk in employment-related access disputes is to the data subject. That assumption does not sit easily with the reality that post-employment access requests cost the employee nothing and are frequently made in the context of actual or threatened litigation, or of active competition from the former employee.
In those circumstances, the employer's grounds for restriction are narrow, the evidentiary burden is high, and the cost of full disclosure — also in terms of trade secret exposure — may be significant.
The proposed EU "Digital Omnibus" package contemplates giving controllers the right to refuse or charge for access requests that are manifestly unfounded or excessive, including where the data subject pursues purposes other than the protection of their own data. This could, in theory, provide a partial legislative response to the tactical use of access rights in post-employment disputes.
However, the burden of demonstrating that a request meets that threshold would remain with the controller. Given the Garante's demanding approach to restrictions on data subject rights, it is far from clear that this reform would alter the practical position meaningfully. For the time being, any choice a controller makes carries risk: granting full access risks trade secret exposure; restricting access risks an infringement finding.
In light of this decision, controllers (in Italy) should consider the following:
12 May 2026