


Italian Privacy Guarantor's policy document on the e-mail metadata storage


published on 25 July 2024 | reading time approx. 4 minutes

Following the public consultation launched on 22 February 2024 on the provision of 21 December 2023 - Guideline Document ‘Computer programmes and services for e-mail management in the work context and metadata processing’, the Italian Privacy Guarantor published its final provision on 6 June 2024.

This measure provided clarification on the definition of ‘metadata’, i.e. information automatically recorded by e-mail systems in logs (MTA - Mail Transport Agent) and clients that may include sender and recipient e-mail addresses, IP addresses, sending times, message size, presence and size of any attachments, and the subject of the message sent or received.

With this provision, the Italian Data Protection Authority clarified that metadata may be tracked for a period of 21 days, if their processing is aimed at the proper functioning of the mail system. In this case, it will be sufficient to prepare a privacy notice pursuant to Article 13 GDPR and Article 4, c. 3 of L. 300/70 (Statute for Workers) and the company tools regulation, update the record of processing and carry out impact and legitimate interest assessments.

These are, in fact, the fulfilments typically prescribed to all data controllers when processing employee data to ensure the performance of work tasks and thus the proper execution of the employment contract, within the limits of labour law that sanctions the general prohibition of remote monitoring of employees. The employer may therefore grant employees company tools, more or less sophisticated (from company e-mail to intelligent tools for managing certain obligations), provided that their supervision does not result in an indiscriminate and vexatious tracking of the individual.

Usually, to assess the owner's privacy-labour compliance, a mapping of the company's systems is carried out, in order to identify their functionalities and related processing, and thus to summarise the typical elements and possible risks in the documents mentioned (the information notice pursuant to Article 13 GDPR and 4, c. 3 Stat. Lav., the company tools regulation), as well as to assess the risk of the processing carried out, the mitigation measures identified and the impacts on the subjects concerned.

If, on the other hand, the metadata were to be traced (albeit on systems other than mail) even after the 21-day period for purposes other than the proper functioning of the e-mail management system (e.g. compliance with cybersecurity rules, anti-fraud, audits, defensive purposes), it would be necessary not only to prepare the privacy notice pursuant to Article 13 GDPR and 4, c. 3 of the L. 300/70, the company tools regulation, the record of processing and the impact and legitimate interest assessment, but also, given the potential for indirect control over the work activity, to reach a prior agreement pursuant to Article 4, c. 3 of the L. 300/70 and to obtain a trade union agreement/administrative authorisation from the competent Inspectorate.

The Italian Data Protection Authority therefore considered that a long-term retention of this category of data could result in a potential indirect control over work activities, with the consequence that companies that have so far adopted metadata retention of more than 21 days for purposes other than the mere management of company e-mails must take steps to obtain, in accordance with the usual procedure, a special trade union agreement or authorization from the Inspectorate.

So, what are the next steps for Italian companies in order to avoid sanctions?
  1. Prepare/update the mapping of corporate tools to capture the current status of the transport logs (now known as metadata);
  2. Identify the retention period applied to metadata and the management/conservation purposes;
  3. Verify, with the support of the provider, whether it is possible to modify the data retention setting to reduce it to 21 days, taking into account the actual business needs for retention. If it is essential for the company to proceed with retention beyond 21 days, initiate the procedure for obtaining a trade union agreement/authorisation;
  4. Check/update the record of processing and the relevant privacy risk assessment;
  5. Verify/update the privacy impact assessment;
  6. Check/update the legitimate interest assessment;
  7. Check/update the privacy notice pursuant to Art. 13 GDPR and Art. 4 L. 300/70;
  8. Verify/update the company tools regulation.


author


Chiara Benvenuto

Attorney

Senior Associate
