On 14 June 2024, the Italian Data Protection Authority published “Provvedimento del 6 giugno 2024 - Documento di indirizzo. Programmi e servizi informatici di gestione della posta elettronica nel contesto lavorativo e trattamento dei metadati”, i.e. the updated version of the provision published in February 2024 on the retention of data relating to corporate email.
In particular, in February the Authority held that some computer programmes and services for e-mail management, especially when in cloud mode, are configured to collect and store metadata related to the use of employees' e-mail accounts and, therefore, this may result indirect remote monitoring of employees by their employers, if such information is retained for a period of time longer than seven days (which may be extended by 48 hours). According to the Authority, therefore, in order to be able to store metadata for a longer period of time, it was necessary to obtain an authorisation from the labour inspectorate or a special trade union agreement.
The updated measure clarifies, first of all, that “metadata” are technically “information recorded in the logs generated by the server systems for managing and sorting e-mail (MTA = Mail Transport Agent) and by the client workstations (MUA = Mail User Agent)”, i.e.: sender and recipient e-mail addresses, IP addresses of the servers or clients involved, times of sending, retransmission or reception, message size, presence and size of any attachments and, sometimes, the subject of the message.
Moreover, with this new provision, the Authority has been established that the storage of e-mail metadata may take place for a maximum period of 21 days (instead of the 7 days stipulated in the previous provision). It should be noted that it is not known what led the Authority to decide on this length. If the employer retains the metadata for a longer time - in the presence of particular conditions that make it necessary to extend it, proving the specificities of the technical and organisational situation of the data controller - the Authority considers that this would constitute an indirect remote control of workers' activities, which would therefore require recourse to the guarantee procedures provided for in Article 4(1) of the Workers' Statute (trade union agreement or authorisation of the Labour Inspectorate).
With reference to the profiles of unlawfulness, the collection and storage of metadata relating to the use of electronic mail by employees, for an extended period of time and in the absence of suitable prerequisites, may result in the acquisition by the employer of information relating to the personal sphere or opinions of the person concerned, and therefore not relevant for assessing the employee's professional aptitude, in breach of Article 8 of the Workers' Statute (under which it is forbidden to "carry out enquiries, including by means of third parties, into the employee's political, religious or trade union opinions, as well as into facts not relevant to the assessment of the employee's professional aptitude").
The scope of the measure is of considerable impact for companies, since public and private employers will have to take the necessary measures to comply their personal data processing to prevent possible liability on both administrative and criminal level. In particular, the data controller (provider) must verify that the e-mail management computer programs and services in use by employees - especially in the case of market products provided in cloud or as-a-service mode - allow the employer to comply with data protection regulations, also with reference to the metadata retention period indicated in the provision.
Authored by Massimiliano Masnada, Giulia Maccioni, and Alessandro Bacchilega.
