The termination of an employment relationship raises the issue of how to manage company IT tools assigned to the employee and, in particular, access by the former employee to the data contained therein.

Pursuant to Article 15 of the GDPR (General Data Protection Regulation), every data subject has the right to know whether personal data concerning them is being processed and to obtain a copy of such data.

This right continues to exist even after the termination of the employment relationship and applies to all data relating to the employee.

Consequently, information contained in the corporate email account and in the IT devices assigned falls within the scope of access, insofar as it includes personal data.

A named corporate email account, although a work tool, constitutes an environment through which information attributable to the employee passes.

A priori distinctions between personal and professional content, used to limit access, do not appear to comply with the regulatory framework.

The data controller may not carry out a discretionary selection of communications to be provided where these contain personal data relating to the former employee.

The right of access is subject to limitations concerning the protection of third-party rights and the safeguarding of the company’s information assets.

Any restrictions must be properly justified and comply with the principles of necessity and proportionality.

Generic limitations are not admissible, and the employer must demonstrate the legitimacy of any exclusions.

Proper management of this matter requires the adoption of appropriate organizational measures, including clear information notices, policies on the use of IT tools, and the definition of data retention periods consistent with the purposes of processing.

The Law Firm remains available for any further clarification.