Warning: this is a topic with strong legal implications.
Contact qualified consultants to verify the regulations and their application.

The work email is a business work tool
which contains an impressive amount of business-related information.

The companies can do whatever they want with the email,
which is a business work tool, but is it written and read by employees?
Can they read it? Can they backup it? Can they archive it?


generic work email addresses, no constraints

The work mailbox has an ambivalent nature,
it is a tool owned by the employer, but is used by the employee.

We must distinguish between two different types of business email addresses:

The generic company mailboxes are not problematic at all,
the company checks them, reads all the messages, has no constraints.

personal company mailbox, such as company cars

The personal mailboxes, such as,
may contain personal data of the employee that the employer must protect.

If we choose to use this kind of mailbox,
as an employer we need to know which technical standards to adopt
and which tools to use to be able to process the data adequately.

The mailbox can be compared to the company car,
it is made available to the employee for use within the business tasks.

The employer for example can check the mileage, to verify that the employee
has not abused this work tool, using it for personal purposes.

The employer can not, however, monitor systematically and without specific reasons
what the employee does inside the company car.

The mailbox is the equivalent of the company car, a work tool that is owned by the company,
given to the employee to use it use it for work, just to carry out its tasks.

What the employee sends and receives, even during working hours, is like what happens
inside the cockpit of the company car and is equated to private correspondence.

back to top

read only under certain conditions

The company cannot read what is written in the email messages,
it cannot be done systematically and without a specific reason.
Even if there is a specific motivation, it can be done only under certain conditions.

Three different interests are at stake, which must be balanced:

inform the employee

The employee must be informed, with adequate written communication, that the email messages
can only be used for all purposes related to the employment relationship, for example by prohibiting personal use.

The document must contain how to use the company tools,
including the email box, and inform that, in compliance with the privacy regulations:

massive checks are prohibited

The so-called “massive controls” are prohibited,
such as the systematic reading of the contents of an employee’s mailbox.

Limits in employer control are based on three cardinal principles:

back to top

obligation to archive email messages

The rules require that the employer must prove
to have adopted adequate and effective security measures
to protect company data, such as corporate email archiving.

obligation to inform the employee

Access to data by the employer
if carried out in the absence of detailed company information:

obligation to delete email messages

Business correspondence should generally be kept for a maximum of ten years.
To preserve the company’s assets and to be able to defend itself in any litigation situations.

The storage and processing of personal data is permitted only for a specific purpose.
If this purpose ceases to exist after a certain period of time, for example after ten years, this data must be deleted.

obligation to deactivate the mailboxes

In the event of employee dismissal or resignation,
the name.surname mailbox must be deactivated within a short period of time.

The company can activate an automatic reply informing the sender that the account has been deactivated,
inviting him to write to another internal email address.

The historical archive of company messages of terminated employees
can be kept only if the employee had been informed that his messages were stored.

back to top