Monday 19/02/2024 • 06:00
In Italy, the termination of employment requires adherence to privacy regulations that impact the retention periods of employee data collected during the tenure of employment. These retention periods are not always explicitly defined by law but are determined case by case based on the data processing activities conducted by the employer.
The principle of storage limitation, outlined in Article 5 of the GDPR, reveals its full importance at the end of the employment relationship. According to this principle, for data processing to be lawful, the retention period must be determined by the employer before processing begins. For most data processing activities, the termination of the employment relationship also marks the end of the storage period.
The conclusion of the employment relationship thus marks the obligation to establish a procedure capable of guiding the employer and the organization towards the correct data management practices. As mentioned, from the beginning of the processing, the employer must have determined the retention period related to the purpose, and this term must be clearly and precisely communicated to the employee from the start of the employment relationship.
The Italian Data Protection Authority has repeatedly intervened on the matter, emphasizing that the retention period cannot and should not be indicated in a generic manner, such as simply stating it is tied to the achievement of the purpose. Instead, the retention period must be clearly defined from the outset.
In this context, the importance of the record of processing activities is highlighted, a tool that is both mandatory and necessary for the mapping phase and for defining the data retention period. Therefore, updating the record becomes the primary tool to guide the organization in managing the requirements related to the retention period of employee data.
For the purpose of adhering to the regulations concerning the retention period, it is useful for the data controller to establish a procedure that involves the entire company's organization chart. Initially, it will be necessary to inform all the individual company supervisors, who will then need to verify the retention periods and proceed with the regularization of the terms to move forward with the data deletion.
Before the conclusion of the employment relationship, the employee must receive a notice regarding the obligation to delete any personal information on their company devices and the procedures to follow for such deletion.
At this stage, it is also important to conduct a review of all digital applications and services that require an employee account consisting of a username and password in order to proceed with the service deactivation. These actions are necessary not only in terms of information security but also to ensure the operational continuity of the business.
Special attention must be given to the company email service. On this point, the Italian Data Protection Authority has intervened multiple times, penalizing companies that forwarded the former employee's emails to other colleagues.
This practice, although it may seem to ensure operational continuity, contrasts with the principles of transparency, necessity, and relevance and violates the privacy of the former employee. For this reason, the Authority has intervened to specify that at the end of the employment relationship, the employee's email account must be deactivated. Its retention must be limited, and the employer must proceed with its deletion.
It is important to remember that in implementing data deletion policies, the employer must take into account the right of access that can be exercised by the former employee. Therefore, it is very important that the employee is placed in a position to access their data if requested, while still respecting the established retention limit. To facilitate the exercise of such rights and to improve organizational management, it might be useful to deliver all relevant documentation to the employee at the end of their employment, also documenting this process. It is worth noting that the record of processing activities must be updated, as well as the data retention policy; throughout the described process, both are useful tools for managing the conclusion of the employment relationship.
© Copyright - All rights reserved - Giuffrè Francis Lefebvre S.p.A.