Categories: News

Tag: Dismissal, GDPR, Privacy

3 Jul 2025

First fine for unlawful retention of corporate e-mail metadata and internet logs by Italian Data Protection Authority

The employer may collect employees’ Internet browsing logs and email metadata only under specific conditions and safeguards. This was affirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) when imposing a €50,000 fine on the Lombardy Region” (Provision No. 243 of April 29, 2025).

As stated on the Authority’s official website, this ruling follows an inspection aimed at verifying the Region’s compliance with privacy regulations concerning the processing of employee data. The measure comes almost a year after the publication of the guidance document titled “Programs and IT services for managing e-mail in the workplace and the processing of metadata” (Provision No. 364 of June 6, 2024).

Although this case specifically involved public administration, it is worth clarifying that all findings, observations, and clarifications issued by the Authority fully apply to private-sector data controllers as well.

Metadata and Internet browsing logs

“Metadata” refers to information related to the sending, receiving, and routing of messages. This may include the sender’s and recipient’s email addresses, IP addresses of the servers or clients involved in message routing, timestamps of sending, retransmission or receipt, message size, presence and size of any attachments, and, in certain cases depending on the email management system used, even the subject of the sent or received message.

Browsing logs, on the other hand, allow tracking of activities during web navigation and contain data such as visited IP addresses, URLs of opened web pages, connection times and durations, type of device and browser used, as well as any downloads or uploads performed.

The June 6, 2024, guidance clarifies that the maximum retention period for such data is 21 days. Any retention beyond this period is permissible only under specific conditions that justify the extension, and, in any case, one of the safeguards provided by Italian law under Article 4 of Law No. 300/1970 (the Workers’ Statute) must be satisfied: (i) an agreement with trade unions or, failing that, (ii) authorization from the local Labour Inspectorate.

This is because all such information allows the employer to identify behavioral patterns, understand workers’ relationships and habits, and infer elements such as performance and productivity. In other words, it may amount to indirect remote monitoring of employees’ activities.

Violations detected and sanctions imposed

During the Authority’s inspection, it emerged that the Region retained:

  • E-mail metadata for 90 days — violation resulting in a €20,000 fine for unlawful data processing,
  • Internet browsing logs for 12 months — violation resulting in a €25,000 fine,
  • Help desk ticket registry data for 10 years — violation resulting in a €5,000 fine.

Recommended actions to ensure compliance with current legislation?

  • Provide information notices to all data subjects concerned.
  • Conduct a legitimate interest assessment and a data protection impact assessment to evaluate and mitigate risks.
  • Define data retention periods in line with current legislation and the Authority’s guidelines or, where specific needs arise (which must be justified and demonstrated), fulfill one of the safeguard conditions under Article 4 of the Workers’ Statute.
  • Update and align internal documentation accordingly.
  • Restrict access to such data exclusively to specifically authorized personnel.
  • Respect the principle of data minimization and implement adequate security measures, such as encrypting metadata and logs.
  • Update contracts with third-party providers to ensure compliance with Article 28 of the GDPR.
  • Continuously monitor compliance levels and, where necessary, implement appropriate updates and improvements.

Other related Insights:

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

3 Mar 2026

Employee monitoring: when “bossware” becomes a legal risk (Agenda Digitale, 2 marzo 2026 – Martina De Angeli)

Monitoring workers through digital tools is a rapidly expanding practice, accelerated by the spread of remote work and the digital transformation of companies. Before adopting these systems, however,…

Read more
3 Mar 2026

Melismelis signs the campaign for the 50th anniversary of De Luca & Partners

For the historic labor law firm, the agency developed the 50th-anniversary logo and advertising campaign, managed online and offline media planning, and renewed the website’s visual identity. Milan,…

Read more
27 Feb 2026

Dismissals: the Corte costituzionale grants broader discretion to judges and greater scope for reinstatement (I Focus del Sole 24 Ore, 26 febbraio 2026 – Vittorio De Luca e Alessandra Zilla)

The regulation of dismissals continues to represent one of the central pillars of Italian labour law, an area of constant tension between freedom of economic initiative and the…

Read more
27 Feb 2026

“Food delivery” once again at the center of inspection activities (Norme & Tributi Plus Diritto de Il Sole 24 Ore, 17 febbraio 2026 – Vittorio De Luca e Alessandro Ferrari)

It was recently reported that one of the leading food delivery operators in Italy has been placed under judicial supervision, ordered by an urgent decree of the Public…

Read more
26 Feb 2026

Vittorio De Luca at the Welfare & HR Summit 2026

On February 25, 2026, Vittorio De Luca took part in the sixth edition of the Welfare & HR Summit organized by Il Sole 24 Ore. In particular, our…

Read more
26 Feb 2026

Italian Supreme Court: the risk assessment document (DVR) as a condition for the lawful use of staff leasing

The absence of a concrete and specific risk assessment, formalised in an adequate Risk Assessment Document (i.e. “Documento di Valutazione dei Rischi” - DVR) bearing a certified date,…

Read more