“The employer may collect employees’ Internet browsing logs and email metadata only under specific conditions and safeguards. This was affirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) when imposing a €50,000 fine on the Lombardy Region” (Provision No. 243 of April 29, 2025).
As stated on the Authority’s official website, this ruling follows an inspection aimed at verifying the Region’s compliance with privacy regulations concerning the processing of employee data. The measure comes almost a year after the publication of the guidance document titled “Programs and IT services for managing e-mail in the workplace and the processing of metadata” (Provision No. 364 of June 6, 2024).
Although this case specifically involved public administration, it is worth clarifying that all findings, observations, and clarifications issued by the Authority fully apply to private-sector data controllers as well.
Metadata and Internet browsing logs
“Metadata” refers to information related to the sending, receiving, and routing of messages. This may include the sender’s and recipient’s email addresses, IP addresses of the servers or clients involved in message routing, timestamps of sending, retransmission or receipt, message size, presence and size of any attachments, and, in certain cases depending on the email management system used, even the subject of the sent or received message.
Browsing logs, on the other hand, allow tracking of activities during web navigation and contain data such as visited IP addresses, URLs of opened web pages, connection times and durations, type of device and browser used, as well as any downloads or uploads performed.
The June 6, 2024, guidance clarifies that the maximum retention period for such data is 21 days. Any retention beyond this period is permissible only under specific conditions that justify the extension, and, in any case, one of the safeguards provided by Italian law under Article 4 of Law No. 300/1970 (the Workers’ Statute) must be satisfied: (i) an agreement with trade unions or, failing that, (ii) authorization from the local Labour Inspectorate.
This is because all such information allows the employer to identify behavioral patterns, understand workers’ relationships and habits, and infer elements such as performance and productivity. In other words, it may amount to indirect remote monitoring of employees’ activities.
Violations detected and sanctions imposed
During the Authority’s inspection, it emerged that the Region retained:
- E-mail metadata for 90 days — violation resulting in a €20,000 fine for unlawful data processing,
- Internet browsing logs for 12 months — violation resulting in a €25,000 fine,
- Help desk ticket registry data for 10 years — violation resulting in a €5,000 fine.
Recommended actions to ensure compliance with current legislation?
- Provide information notices to all data subjects concerned.
- Conduct a legitimate interest assessment and a data protection impact assessment to evaluate and mitigate risks.
- Define data retention periods in line with current legislation and the Authority’s guidelines or, where specific needs arise (which must be justified and demonstrated), fulfill one of the safeguard conditions under Article 4 of the Workers’ Statute.
- Update and align internal documentation accordingly.
- Restrict access to such data exclusively to specifically authorized personnel.
- Respect the principle of data minimization and implement adequate security measures, such as encrypting metadata and logs.
- Update contracts with third-party providers to ensure compliance with Article 28 of the GDPR.
- Continuously monitor compliance levels and, where necessary, implement appropriate updates and improvements.
Other related Insights:
- Italian Data Protection Authority (‘IDPA’): guidelines on the use of company email management programs and on so-called “metadata” retention have been updated following recent public consultation by the IDPA
- Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document