When an employee leaves the company, their email account isn't a detail to handle "when you have time." It's a ticking bomb — legal, operational, and reputational. Yet most Italian SMEs ignore it, leave it active for months, or worse: monitor it secretly.
Let's see what Italy's Privacy Authority (the Garante per la protezione dei dati personali) says and how a serious IT consultant handles it, step by step.
The problem: why you can't ignore it
The company mailbox contains personal data of the employee (the address itself, their messages) and of the third parties who wrote to it. Keeping it active after the employment relationship ends, or reading it, violates GDPR and the Italian Privacy Authority's guidelines on email and internet use at work. The penalties aren't theoretical: administrative fines run to thousands of euros for an SME and, in the worst cases, former employees sue for damages themselves.
But there's an aspect many overlook: joint and several liability. An IT consultant who takes over management of company systems processes that data on the company's behalf, and under GDPR (Article 82) the data controller and its processor are jointly and severally liable for the damage caused by unlawful processing. It's not a hypothetical risk; it's written into the regulation.
The operational protocol: timelines and actions
Here's the correct procedure, the one the Privacy Authority expects:
Day 1 — Immediate deactivation
On the same day as the employment termination, the account is deactivated. Not the next day, not "as soon as possible." The same day. Deactivated means sign-in is blocked and existing sessions and app tokens are revoked; a password change alone leaves phones and mail clients that are already logged in working. Check at the same time that no forwarding rule is quietly copying incoming mail elsewhere.
Day 1 — Auto-reply
Simultaneously with deactivation, an auto-reply is activated informing senders that the address is no longer active and providing an alternative contact. This is the famous notice to third parties — a step many IT consultants skip entirely, but which is fundamental for compliance.
Within 2-3 months — Final deletion
The account is permanently deleted. Not archived, not moved to a forgotten backup: deleted. That includes the "soft-deleted" copy most platforms keep for a recovery window after deletion, and any backup job that was still capturing the mailbox.
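As an added example (not from the original article), here is how the three steps above map onto a Microsoft 365 tenant using the Exchange Online and Microsoft Graph PowerShell modules. The admin scopes, the user principal name, the alternative contact address and the three-month deadline are assumptions; the placeholder values are constructed for the example.

```powershell
# Added example, not from the original article: the Day 1 actions and the
# final deletion for a Microsoft 365 mailbox. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules, an admin account, and the placeholder values below.
param(
    [Parameter(Mandatory)] [string] $Upn,                 # e.g. m.rossi@example.it (placeholder)
    [Parameter(Mandatory)] [string] $AlternativeContact,  # e.g. info@example.it (placeholder)
    [switch] $FinalDeletion                               # re-run with this switch at the deadline
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", "Directory.AccessAsUser.All"
Connect-ExchangeOnline -ShowBanner:$false

if (-not $FinalDeletion) {
    # Day 1, deactivation: block sign-in and invalidate sessions and refresh tokens.
    # A password reset alone would leave phones and mail clients already logged in working.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null

    # Day 1, check: strip mailbox-level forwarding and any inbox rule that forwards
    # or redirects, so third parties' mail does not keep leaving the company.
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    Get-InboxRule -Mailbox $Upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Remove-InboxRule -Confirm:$false

    # Day 1, notice to third parties: the mailbox still receives mail while sign-in is
    # blocked, so the auto-reply reaches every sender. Nobody reads the mailbox.
    $notice = "This address is no longer active. Please write to $AlternativeContact."
    Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Enabled `
        -ExternalAudience All -InternalMessage $notice -ExternalMessage $notice

    # Record the deadline for the last step (three months: the upper end of the window).
    $deadline = (Get-Date).AddMonths(3).ToString("yyyy-MM-dd")
    Write-Output "$Upn deactivated $(Get-Date -Format yyyy-MM-dd); final deletion due by $deadline"
}
else {
    # Within 2-3 months, final deletion. Remove-MgUser is a soft delete: the user and
    # mailbox stay recoverable for 30 days, which is exactly the "forgotten backup" the
    # article warns about, so purge the deleted directory object as well.
    $user = Get-MgUser -UserId $Upn
    Remove-MgUser -UserId $user.Id
    Start-Sleep -Seconds 15   # give the directory a moment before purging the soft-deleted object
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
    Write-Output "$Upn deleted and purged $(Get-Date -Format yyyy-MM-dd)"
}
```

Run it once on the day of termination and again with `-FinalDeletion` at the recorded deadline. The document extraction step, if litigation requires one, happens between the two runs and is deliberately outside this script: it is a targeted export agreed with legal, not a login to the mailbox.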
Data retention: zero indiscriminate archiving
This is where the real game is played. The temptation for many business owners is "let's keep everything, just in case." Wrong.
Don't retain the email archive. If litigation is ongoing or reasonably foreseeable, extract only the relevant documents through a structured document management system, with legal defining the search criteria and the extraction logged, never by browsing the account after termination. Everything else gets deleted.
This principle is called data minimization: you keep only what you need, for as long as you need it, with a legal basis that justifies it.
How to discuss this with your client
If you're an IT consultant, you know that how you present the problem makes the difference between a client who cooperates and one who shuts down, thinking you're just trying to sell something.
The key is avoiding legalese. GDPR citations or abstract regulatory references won't help. What matters is explaining concretely:
- That if you take management on, you become jointly liable
- That the Privacy Authority's penalties are real and documented
- That a former employee can sue if their account stays active
- That the correct procedure is simple and costs nothing extra
It's not a sales pitch. It's a professional boundary.
DIY is the biggest risk
The truth few say out loud: in certain areas, DIY can do more damage than a dishonest employee.
A business owner who independently manages email account termination — without protocol, without clear timelines, maybe snooping through the archive "for safety" — exposes themselves to risks that a structured consultant would eliminate in an hour of work.
Managing former employees' email isn't an IT issue. It's a corporate governance issue. And as such, it should be handled methodically, not with improvisation.
Operational checklist
| Action | When | Responsible |
|---|---|---|
| Account deactivation | Day of termination | IT Consultant / IT Department |
| Auto-reply activation | Day of termination | IT Consultant / IT Department |
| Notice to third parties (alternative contact) | Day of termination | Business Owner + IT Consultant |
| Document extraction (if litigation) | Before deletion | IT Consultant + Legal |
| Final account deletion | Within 2-3 months | IT Consultant / IT Department |