How to use corporate email properly and why it’s so important

Compliance & Risk Management | July 2026

Improper use of corporate email can lead to cybersecurity risks, legal & compliance violations, and liability, as well as legal, financial, and reputational consequences. In this edition of the Compliance & Risk Management Newsletter, professionals from Andersen’s 231/Privacy Service Line have explored the risks associated with the use of corporate email in order to highlight the ever-increasing importance of adopting appropriate technical and organizational measures capable of mitigating these risks, thereby improving an organization’s governance and resilience.

Cases in which monitoring an employee’s emails may constitute a predicate offense under Legislative Decree 231/2001

In certain circumstances, the way in which a company monitors an employee’s email may constitute actual offences relevant to the liability of the organisation under Legislative Decree 231/2001.

The risk arises when a manager, without authorisation, accesses an employee’s email, uses login details that are known or have been obtained without consent, retains access to the account after the employment relationship has ended, monitors emails systematically or acquires the content of emails without meeting the conditions laid down by law.

Such conduct may constitute the offences of unauthorised access to a computer system or the unlawful interception of computer communications, both of which are included amongst the offences that may give rise to the organisation’s liability under Article 24-bis of Legislative Decree 231/2001.

Unclear monitoring procedures, a lack of shortcomings in IT protocols can turn an internal audit into a significant 231 risk: prevention relies on clear policies, documented authorisations and targeted training.

The necessity of a procedure for GDPR-compliant use of corporate email

Many companies forget that e-mail actually contain large amounts of personal data (including sensitive data) relating to employees, customers and suppliers. Without specific internal regulations, the risk of non-compliance with privacy regulations is very high for any business, regardless of its size.

The Data Protection Authority has repeatedly emphasised that employers must never indiscriminately monitor employees’ correspondence. Even after the employment relationship has ended, the email account cannot remain active indefinitely, nor can emails be systematically and automatically forwarded to a line manager. Such practices, in fact, do not comply with the principles of data minimisation, transparency and storage limitation set out in the European Regulation.

To prevent security incidents as well as to avoid litigation or penalties, every organisation must adopt a specific procedure for the use of email. Implementing an internal procedure reduces legal risks and turns compliance into a tangible competitive advantage in the market.

How to identify and mitigate the risks of cyber-attacks delivered via e-mail

Email remains one of the primary vectors for cyber-attacks. Phishing campaigns and malware distribution increasingly exploit the human factor, persuading users to disclose confidential information, compromise their credentials, or authorise fraudulent transactions, often through nothing more than a single “click” on an email attachment or embedded link.

Managing this risk cannot rely solely on technological safeguards. It requires a governance framework that integrates technical, organisational and procedural measures, based on prior risk assessment and a clear allocation of roles and responsibilities. Ongoing staff awareness and training, procedures for verifying unusual requests, well-defined incident response protocols, and the periodic review of implemented safeguards are all essential components of an effective and resilient security framework.