On December 21, 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali, hereinafter the “Garante”) issued the guidelines titled “Email management computer programs and services in the work context and metadata processing” published on February 6, 2024.
On February 27, however, the Garante temporarily suspended the effectiveness of the guidelines, and launched a public consultation on the appropriateness of the retention period of employees’ metadata emails, as indicated in the Guidelines.
Previously the Garante conducted inspections regarding the processing of personal data in the workplace, and that highlighted the risk that third party cloud email management services could collect metadata (such as day, timing, sender, subject, and email size) from employee email accounts in a preemptive and generalized way. Additionally, the Garante found that these providers may retain them for a long time, possibly limiting the ability of the customer (employer) to modify the basic program settings in order to disable systematic collection of such data or shorten the retention period. The Garante provided that these metadata can be retained by the employer, as data controller, for a maximum of nine days. Otherwise, if the processing of the personal data in question is necessary and justified by specific needs, the employer must carry out the procedures described in Art. 4 of Law No. 300/1970 for remote employee monitoring.
Guidelines in brief
As frequently noted by the Garante, emails (and external communication data and attached files) are considered a form of correspondence under the Italian Constitution.[1] This means that confidentiality is required in the work environment.
The use of email management services leads to the processing of identified and identifiable personal data. Therefore, before carrying out operations using personal data via such programs, an employer must confirm that the legality requirements of the GDPR are met.[2]
As data controller, the employer must respect the general principles of personal data processing and meet all obligations contained in the GDPR and Data Protection Code. It also must provide data subjects, in a correct and transparent manner, with a clear picture of the overall processing carried out.
Furthermore, as part of implementing the principle of accountability, the employer must evaluate whether the processing may pose a high risk to the rights and freedoms of natural persons. If so, under the GDPR a data protection impact assessment (DPIA) is necessary.
Moreover, it is fundamental to comply with employee remote monitoring rules[3] and to avoid processing information not relevant to assessment of an employee’s professional aptitude or pertaining to the private sphere.[4] For this purpose, Art. 4, para. 1, Law No. 300/1970 provides that audio and video equipment and other tools that make remote surveillance of employees possible may be used solely for reasons related to organizational and production needs, occupational safety, and protection of a company’s assets and may be installed on the condition that a collective bargaining agreement has been entered into or an administrative authorization has been obtained beforehand by the appropriate labor office (ITL).
The Garante stressed that metadata necessary to ensure operation of email system infrastructure should be collected and stored for no longer than a few hours or a few days, and in any case a maximum of 7 days, which may be extended by a maximum of 48 hours when there is a proven and documented need for the extension. Generalized collection of such data for a longer time is considered remote monitoring of employee activities and thus it is subject to the requirements and procedures set forth in Art. 4, Law No. 300/1970.
Potential issues for employers
- Processing is considered unlawful if programs are used without the specific procedures mentioned above and if it is possible to collect employee personal information and opinions. The generalized collection and storage of metadata related to email use, in the absence of appropriate legal prerequisites, may result in the employer acquiring information that is not relevant to evaluation of an employee’s professional aptitude.
- Violation of data retention principles[5]. Metadata retention times must be proportionate to the purposes pursued. Specifically, purposes related to information security and the protection of information assets justify retention of metadata for a timeframe congruent with the objective of detecting and mitigating security incidents.
- Violation of data protection by design and by default. The employer must adopt a series of measures to ensure the principle of data protection from processing design onward and by default throughout the entire lifecycle of the data, incorporating “appropriate measures and safeguards in the processing to ensure that the data protection principles and the rights and freedoms of data subjects are effective” and ensuring “that only processing that is strictly necessary to achieve the set, lawful purpose is carried out by default,” including with regard to the data retention period at “all stages of design of the processing activities, including procurement, tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc.”[6]
In addition, since the data controller is responsible for making decisions about the purposes and methods of processing the personal data of the data subjects, it is generally responsible for the processing operations implemented. As recently stated by the Garante, even when using products or services made by third parties, the controller must verify compliance with GDPR principles and, when necessary, adopt appropriate technical and organizational measures and give the necessary instructions to the supplier. For example, the data controller must ensure that functions that are not compatible with the purposes of the processing or that conflict with specific sector regulations established by law, especially in the workplace, are deactivated.
Public consultation and next steps for employers
On February 27, 2024, the Garante published a press release (available here – ITA only) about the guidelines by which:
- the Garante launched a public consultation on the appropriateness of the retention period for the metadata of employees’ email. Notably, this aims at acquiring comments and proposals regarding the appropriateness of the 8/9 day retention term of the metadata; and
- deferred the effectiveness of the metadata Guidelines until the end of the aforementioned public consultation. Unless other measures are adopted by the Garante, the guidelines will be effective from the 60th day following the expiration of the deadline for the submission of contributions to the public consultation.
All interested parties can send their contributions to the Garante within 30 days of the publication of the public notice of the launch of this public consultation in the Italian Official Journal.
Should the guidelines enter in force, employers will be required to perform due diligence to verify that email management computer programs and services in use—especially products provided in the cloud or as a service—allow them to change basic settings so that they may avoid collecting metadata or limit the retention of such data to a maximum of seven days, with a maximum extension of 48 hours.[7]
On the other hand, producers of services and applications are invited to take into account the right to data protection during software development and design phases.
If personal data must be processed for the pursuit of organizational/production/safety needs, public and private employers, as data controllers, will have to carry out the procedures prescribed by Art. 4 para 1. of Law No. 300/1970 in order not to cease the use of such IT programs and services.
[1] Art. 2 and 15.
[2] Regulation (EU) 2016/679.
[3] See Art. 4, L. No 300/1970.
[4] See Art. 8, L. No 300/1970.
[5] See Art. 5, par. 1, lett. e), GDPR.
[6] Guidelines 4/2019 on Art. 25 – Data Protection by Design and by Default, adopted by the European Committee for Data Protection on October 20, 2020.
[7] These guidelines are in line with previous decisions from the Garante (Injunction order against the Lazio Region of December 1, 2022).