Co-funded by the European Union

Italy: Outcome of the Consultation on metadata in work e-mails

  • The Italian Data Protection Authority has recently issued an updated version of its guidelines on managing workplace email and metadata processing.
  • This update, formalised in Measure No. 364 on 6 June 2024, revises the previous guidelines (document no. 642 of 21 December 2023) and provides crucial clarifications for employers.
  • It follows the 30-day public consultation launched by the Supervisory Authority after the publication of the first guidelines.

As we previously reported, Document no. 642, initially published on 21 December 2023, introduced new guidelines limiting the retention of email metadata to a maximum of seven days. This posed significant challenges for companies in terms of compliance and operational flexibility. Employers were restricted to retaining email metadata for only seven days, with a possible 48-hour extension under proven necessity, unless they sought union agreement or authorization from the Labour Inspectorate as outlined in Article 4 of the Workers' Statute. This necessitated a careful balance between maintaining operational efficiency and complying with stringent data protection regulations, which were introduced in the recently published update.

Key points of the updated Guidelines are the following:

Clarification of e-mail metadata definition: One of the significant updates in the guidelines is the detailed definition of email metadata. Unlike the previous guidelines, which provided only examples, the new document defines metadata as information automatically recorded in the server logs. This includes sender and recipient email addresses, IP addresses, timestamps, message size, attachment details, and sometimes the email subject line. Importantly, metadata should be distinguished from the email content or the technical headers (envelope) that document the message's routing and origin.

Retention period adjustments: The updated guidelines extend the permissible retention period of email metadata from the previously established seven days to a maximum of 21 days. This change acknowledges the practical need to ensure the correct functioning of email systems while balancing privacy concerns. Metadata may be retained beyond 21 days only under special conditions, which must be justified by the data controller in accordance with the GDPR's accountability principle. For any extension, the authorisation procedures in Article 4(1) of the Workers' Statute must be followed.

The updated guidelines are part of a broader effort by the Italian Data Protection Authority to provide clear and practical guidance for employers on email data retention.