The Italian Data Protection Authority limits the retention of employee email metadata

20 February 2024 2 min read

At a glance

  • The Privacy Commissioner has imposed a significant change in employee email metadata retention policies.
  • Employers are not permitted to retain email metadata relating to the date, time, sender, recipient, subject and size of employees' emails, for more than seven days. This can be extended for a further 48 hours where it can be justified with documentation.
  • The recently introduced guidelines include certain exceptions allowing for extended storage, such as for security reasons. However, meeting this condition requires a trade union agreement and a specific justification for the prolonged retention.
  • If a company wants to store data for more than seven days, it will also have to apply the rules provided for by the Workers' Statute.

The Privacy Commissioner has imposed a significant change in employee email metadata retention policies. This change has attracted great criticism and discussions.

The Italian Data Protection Authority has issued new guidelines on the management of emails in the workplace and metadata processing through computer programs and services.

Employers are not permitted to retain email metadata relating to the date, time, sender, recipient, subject and size of employees' emails, for more than seven days. This can be extended for a further 48 hours where it can be justified with documentation. These directives pose a considerable challenge, particularly for cloud and software-as-a-service providers accustomed to retaining data indefinitely, as they must now navigate the delicate balance between complying with strict data protection regulations and safeguarding the company's assets and interests.

Further, the recently introduced guidelines include certain exceptions allowing for extended storage, such as for security reasons. However, meeting this condition requires a trade union agreement and a specific justification for the prolonged retention. This prompts a crucial question for companies: Is it viable to delete metadata within a mere 7-day timeframe? The implications of such a policy are significant, particularly in the context of legal disputes that may arise years later. In such cases, the absence of metadata could raise doubts about the authenticity of email evidence, potentially hindering the company's ability to defend its interests.

The updated guidelines ultimately highlight an increasing tension between privacy regulations and the practical necessities of businesses. The potential consequences on dispute resolution, data management, and overall business operations are considerable.

To summarise, the Data Protection Authority, the decision requires companies to:

  • update the privacy policy for employees, specifically indicating the applicable data retention period;
  • carry out a fundamental rights impact assessment to continue data processing;
  • perform a balancing test as the data retention is likely to be based on a legitimate interest; and
  • update the data retention policy.

Nevertheless, there are obligations that extend beyond privacy legislation in this matter. If a company wants to store data for more than seven days, it will have to apply the rules provided for by the Workers' Statute. Therefore, it will be necessary to have an express agreement with the trade union representatives or, in the absence of this, with the Territorial Labour Inspectorate: very complex steps with an unpredictable outcome.

For any further information, please contact our Employment Team.

More to explore

Personal Data Protection Decree

Personal Data Protection Decree

The government’s Decree 13/2023/ND-CP dated 17 April 2023 on personal data protection, came into effect on 1 July 2023.

Data Protection Authority issues recruitment Code of Conduct

Data Protection Authority issues recruitment Code of Conduct

The Data Protection Authority has published a Code of Conduct that Workforce Supply Agencies must comply with during their recruitment processes.

CPPA releases draft rules for automated decision-making technology

CPPA releases draft rules for automated decision-making technology

On 27 November 2023, the California Privacy Protection Agency released its initial rulemaking draft for automated decision-making technology (ADMT). The release of these draft...

Enforcement against the use of biometrics in the workplace

Enforcement against the use of biometrics in the workplace

The ICO has issued an enforcement notice which provides valuable insights into its approach to the use of biometrics in the workplace, and the lawfulness of employeemonitoring. 

Dismissal of a company data protection officer: Requirements under current case law

Dismissal of a company data protection officer: Requirements under current case law

According to recent case law, the dismissal of a company data protection officer requires good cause for termination within the meaning of Section 626 para. 1 German Civil Code....

Key employer obligations under India’s new data protection regime

Key employer obligations under India’s new data protection regime

The Digital Personal Data Protection Act ( DPDP Act ) was enacted on 11 August 2023. It sets out the framework for consent-based processing of data and non-consent based processing.