The Italian Data Protection Authority limits the retention of employee email metadata

20 February 2024

At a glance

  • The Privacy Commissioner has imposed a significant change in employee email metadata retention policies.
  • Employers are not permitted to retain email metadata relating to the date, time, sender, recipient, subject and size of employees' emails, for more than seven days. This can be extended for a further 48 hours where it can be justified with documentation.
  • The recently introduced guidelines include certain exceptions allowing for extended storage, such as for security reasons. However, meeting this condition requires a trade union agreement and a specific justification for the prolonged retention.
  • If a company wants to store data for more than seven days, it will also have to apply the rules provided for by the Workers' Statute.

The Privacy Commissioner has imposed a significant change in employee email metadata retention policies. This change has attracted considerable criticism and discussion.

The Italian Data Protection Authority has issued new guidelines on the management of emails in the workplace and metadata processing through computer programs and services.

Employers are not permitted to retain email metadata relating to the date, time, sender, recipient, subject and size of employees' emails, for more than seven days. This can be extended for a further 48 hours where it can be justified with documentation. These directives pose a considerable challenge, particularly for cloud and software-as-a-service providers accustomed to retaining data indefinitely, as they must now navigate the delicate balance between complying with strict data protection regulations and safeguarding the company's assets and interests.

Further, the recently introduced guidelines include certain exceptions allowing for extended storage, such as for security reasons. However, meeting this condition requires a trade union agreement and a specific justification for the prolonged retention. This prompts a crucial question for companies: Is it viable to delete metadata within a mere 7-day timeframe? The implications of such a policy are significant, particularly in the context of legal disputes that may arise years later. In such cases, the absence of metadata could raise doubts about the authenticity of email evidence, potentially hindering the company's ability to defend its interests.

The updated guidelines ultimately highlight an increasing tension between privacy regulations and the practical necessities of businesses. The potential consequences on dispute resolution, data management, and overall business operations are considerable.

To summarise, the Data Protection Authority's decision requires companies to:

  • update the privacy policy for employees, specifically indicating the applicable data retention period;
  • carry out a fundamental rights impact assessment to continue data processing;
  • perform a balancing test as the data retention is likely to be based on a legitimate interest; and
  • update the data retention policy.

Nevertheless, there are obligations that extend beyond privacy legislation in this matter. If a company wants to store data for more than seven days, it will have to apply the rules provided for by the Workers' Statute. Therefore, it will be necessary to have an express agreement with the trade union representatives or, in the absence of this, with the Territorial Labour Inspectorate: very complex steps with an unpredictable outcome.

For any further information, please contact our Employment Team.