Italian Data Protection Authority: new guidelines on the use of company e-mail management programs and on metadata retention

With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.

The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.

To ensure compliance with data protection legislation as well as the sector regulations on remote control – as is well known, governed by Article 4 of Italian Law no. 300/1970 (the “Workers’ Charter”), employers must:

• verify that the computer programs and services for e-mail management allow the basic settings to be changed, preventing the collection of metadata or limiting the retention period to a maximum of seven days, which can be extended by a further 48 hours under specific conditions;
• alternatively, carry out the guarantee procedures provided for in Article 4 of the Workers’ Charter, i.e. sign a trade union agreement or obtain an authorisation from the National or Area Labour Inspectorate. This is because extending the retention period beyond the seven/nine day time frame may lead to indirect remote control of the worker’s activity;
• in any event, the necessary transparency must be ensured in relation to workers, providing them in advance with specific information on the processing of personal data.

In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.

In the absence of this, there is considered to be remote control of worker’s activities which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences; (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used. ​

Other related insights:

• Italian Court of Cassation: Defence checks on employee’s company e-mail
• Controls: company information found on former employee’s company PC can be used