Categories: News

Tag: Dismissal, GDPR, Privacy

3 Jul 2025

First fine for unlawful retention of corporate e-mail metadata and internet logs by Italian Data Protection Authority

The employer may collect employees’ Internet browsing logs and email metadata only under specific conditions and safeguards. This was affirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) when imposing a €50,000 fine on the Lombardy Region” (Provision No. 243 of April 29, 2025).

As stated on the Authority’s official website, this ruling follows an inspection aimed at verifying the Region’s compliance with privacy regulations concerning the processing of employee data. The measure comes almost a year after the publication of the guidance document titled “Programs and IT services for managing e-mail in the workplace and the processing of metadata” (Provision No. 364 of June 6, 2024).

Although this case specifically involved public administration, it is worth clarifying that all findings, observations, and clarifications issued by the Authority fully apply to private-sector data controllers as well.

Metadata and Internet browsing logs

“Metadata” refers to information related to the sending, receiving, and routing of messages. This may include the sender’s and recipient’s email addresses, IP addresses of the servers or clients involved in message routing, timestamps of sending, retransmission or receipt, message size, presence and size of any attachments, and, in certain cases depending on the email management system used, even the subject of the sent or received message.

Browsing logs, on the other hand, allow tracking of activities during web navigation and contain data such as visited IP addresses, URLs of opened web pages, connection times and durations, type of device and browser used, as well as any downloads or uploads performed.

The June 6, 2024, guidance clarifies that the maximum retention period for such data is 21 days. Any retention beyond this period is permissible only under specific conditions that justify the extension, and, in any case, one of the safeguards provided by Italian law under Article 4 of Law No. 300/1970 (the Workers’ Statute) must be satisfied: (i) an agreement with trade unions or, failing that, (ii) authorization from the local Labour Inspectorate.

This is because all such information allows the employer to identify behavioral patterns, understand workers’ relationships and habits, and infer elements such as performance and productivity. In other words, it may amount to indirect remote monitoring of employees’ activities.

Violations detected and sanctions imposed

During the Authority’s inspection, it emerged that the Region retained:

  • E-mail metadata for 90 days — violation resulting in a €20,000 fine for unlawful data processing,
  • Internet browsing logs for 12 months — violation resulting in a €25,000 fine,
  • Help desk ticket registry data for 10 years — violation resulting in a €5,000 fine.

Recommended actions to ensure compliance with current legislation?

  • Provide information notices to all data subjects concerned.
  • Conduct a legitimate interest assessment and a data protection impact assessment to evaluate and mitigate risks.
  • Define data retention periods in line with current legislation and the Authority’s guidelines or, where specific needs arise (which must be justified and demonstrated), fulfill one of the safeguard conditions under Article 4 of the Workers’ Statute.
  • Update and align internal documentation accordingly.
  • Restrict access to such data exclusively to specifically authorized personnel.
  • Respect the principle of data minimization and implement adequate security measures, such as encrypting metadata and logs.
  • Update contracts with third-party providers to ensure compliance with Article 28 of the GDPR.
  • Continuously monitor compliance levels and, where necessary, implement appropriate updates and improvements.

Other related Insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jun 2026

The employee’s systematic lateness may justify dismissal for just cause (Camera di Commercio Francese in Italia – Vittorio De Luca, Silvia Zulato)

With Order No. 13722 of 11 May 2026, the Labour Section of the Italian Supreme Court of Cassation (Corte di Cassazione) held that an employee’s repeated lateness, resulting…

Read more
4 Jun 2026

Webinar “Pay Transparency Has Arrived: the revolution in compensation between new obligations for companies and new rights for workers” – HR Virtual Breakfast

During our webinar “Pay Transparency Has Arrived: the Revolution in Compensation Between New Obligations for Companies and New Rights for Workers”, the speakers Claudia Cerbone, Managing Associate, and…

Read more
29 May 2026

Notification of dismissal: ordinary e-mail is sufficient if the employee has knowledge of it

With the recent order no. 13731 of May 11, 2026, the Court of Cassation ruled on the validity and effectiveness of a dismissal notification sent via e-mail. The…

Read more
29 May 2026

Did you know that… the so-called “1 May Decree” introduces new measures concerning fair pay, employment incentives, and work performed through digital platforms? 

The Official Gazette has published Decree-Law No. 62 of 30 April 2026, entitled “Urgent Provisions on Fair Pay, Employment Incentives and the Fight Against Digital Labour Exploitation”, which…

Read more
29 May 2026

Video-surveillance and data protection: the Italian Data Protection Authority reaffirms transparency obligations

With Decision No. 167/2026 of 12 March 2026, the Italian Data Protection Authority (“Garante per la protezione dei dati personali”) once again addressed the issue of video surveillance,…

Read more
20 May 2026

Webinar “May 1st Decree: Key Updates and what’s New” –  HR Coffee with De Luca & Partners

On the occasion of our webinar “An HR Coffee with De Luca Partners,” the speakers Silvia Zulato, Senior Associate, and Alessandro Riccardo Polli from the Labour Consulting Division…

Read more