Employee emails and Internet: new measures from the Italian Data Protection Authority

Last Updated on June 11, 2025

In its newsletter of 30 May 2025, the Italian Data Protection Authority issued measure 243 of 29 April 2025, after completion of the inspection carried out of the Lombardy Regional Authorities to check compliance with the rules on the protection of personal data in relation to processing in the workplace, also with reference to the modalities of remote working.

The Authority’s inspection focused in particular on the management:

  • of email metadata (i.e. sender and recipient email addresses, date and time the message was sent or received, email subject and message size), in this case stored for 90 days (a timeframe that was, moreover, determined by the service provider) for IT security and technical support;
  • of Internet navigation logs (i.e. information regarding the websites visited by employees, including those relating to unsuccessful attempts to access sites included on a special black list), identified by cross-referencing information relating to the user and the machine’s IP address (stored separately at different suppliers) and stored in this case for 12 months, to be made available to the judicial authorities or in the event of particular traffic anomalies;
  • of information relating to employee requests for technical assistance (in the offices or in remote mode), in this case stored for 78 months.

In general terms, the Italian Data Protection Authority reiterates that employers, in their capacity as data controller of the processing of their employees’ personal data, are required to verify compliance with the conditions for lawfulness of such processing and, at the same time, compliance with the limitations of the Workers’ Statute, in particular with Article 4 on remote checks.

As is common knowledge, this provision, without prejudice to the prohibition of systems with the exclusive aim of monitoring work activity, makes a distinction between audiovisual equipment and other instruments that enable remote monitoring of employees, on the one hand, and “instruments used by the worker to perform work” and to record access and attendance, on the other.

The former may only be installed if they are specifically required for the purposes of organisation and production, occupational safety or the protection of company assets, and provided that the employer has previously signed an agreement with the company union representatives or, failing that, has obtained authorisation from the competent Labour Inspectorate (Art. 4(1)). Paragraph 1 does not apply to those instruments that are strictly necessary for employees to perform their work, and consequently the above procedural guarantees (i.e. prior union agreement or authorisation by the Territorial Labour Inspectorate) are not required for these instruments.

Referring to Guidance Document 364/2024 (see our newsflash ‘Italian Data Protection Authority: new guidelines for retention of employee emails’ of 20 June 2024), the Italian Data Protection Authority reiterates that in the workplace, email metadata, containing personal information of the persons concerned, are covered—like any form of correspondence—by secrecy guarantees to ensure the protection of workers’ dignity. Where their processing is intended to ensure the correct functioning of the email system infrastructure and is carried out for a limited period of time, in any case no longer than 21 days (except when particular conditions exist), these are deemed to be “working tools”, and as such are governed by the rules of Article 4(2), Italian Workers’ Statute. Conversely, if the metadata are collected and stored in a generalised manner and for an extended period of time (as in the present case), the procedural guarantees set out in Article 4(1) of the Workers’ Statute apply.

The Italian Data Protection Authority considers that the systematic collection and subsequent storage of all the log files generated as workers use the Internet might, in the presence of a unique connection with the employee and their specific workstation, enable reconstruction and, therefore, control of the work activity, with the result that, even in such cases, employers are required to ensure compliance with Article 4(1) of Italian Law 300/70. In this respect, the Authority clarifies that it is irrelevant that the employer is not actually able to independently trace the identity of the employee, having entrusted the storage of the information in question to separate suppliers. Indeed, this organisational separation does not preclude the data controller (the employer, in fact) from nonetheless being able to trace the identity of the employee doing the browsing, by linking the information that each provider keeps.
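To illustrate the Authority’s reasoning on organisational separation, the following added example (not part of the decision or of the Authority’s material; the records, session keys and retention window are constructed) joins two separately held datasets on a shared key, then shows the two corrective measures the measure calls for: shortening retention and removing the linking identifiers so the join is no longer possible.

```python
from datetime import datetime, timedelta

# Constructed sample data: supplier A holds the user<->session mapping,
# supplier B holds session<->IP navigation records. Neither alone names the
# browsing employee; joined on "session", they do.
USER_SESSIONS = [
    {"session": "s1", "user": "mario.rossi"},
    {"session": "s2", "user": "anna.bianchi"},
]
NAV_LOG = [
    {"session": "s1", "ip": "10.0.0.5", "url": "example.org", "ts": datetime(2025, 1, 10)},
    {"session": "s1", "ip": "10.0.0.5", "url": "blocked.example", "ts": datetime(2025, 3, 1)},
    {"session": "s2", "ip": "10.0.0.9", "url": "example.net", "ts": datetime(2025, 3, 2)},
]


def reconstruct_activity(user_sessions, nav_log):
    """Join the two datasets on the shared session key and return, per employee,
    the sites visited. This is the linkage the Authority says separation at
    different suppliers does not prevent the employer from performing."""
    user_by_session = {r["session"]: r["user"] for r in user_sessions}
    activity = {}
    for rec in nav_log:
        user = user_by_session.get(rec.get("session"))
        if user is not None:
            activity.setdefault(user, []).append(rec["url"])
    return activity


def enforce_retention(nav_log, now, max_age_days):
    """Keep only records younger than the retention window (storage limitation)."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in nav_log if r["ts"] >= cutoff]


def anonymise(nav_log):
    """Drop the session key and IP address so the records can no longer be
    joined back to a person, keeping only what aggregate security statistics
    need (site and day)."""
    return [{"url": r["url"], "day": r["ts"].date()} for r in nav_log]
```

After `anonymise`, `reconstruct_activity` returns an empty mapping, which is the property an employer must be able to demonstrate rather than merely relying on the data being held by different providers.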

The Italian Data Protection Authority’s measure in question also highlights several serious violations of the GDPR provisions, namely:

  • violation of the principle of lawfulness, fairness and transparency of personal data processing, insofar as the processing was found to lack a valid legal basis for a significant period of time, adequate information to employees and specific consent, where applicable;
  • violation of the principle of storage limitation, since the time frames of 90 days for metadata, 12 months for navigation logs and 78 months for support tickets were found to be disproportionate to the purposes stated by the employer, increasing the risk of infringing the rights and freedoms of those concerned;
  • the absence of adequate technical and organisational measures, given that the data collection and storage systems did not include any automatic access restrictions or effective mechanisms for data anonymisation;
  • failure to carry out a Data Protection Impact Assessment (DPIA) prior to the start of the processing operations;
  • total or partial failure to appoint external providers as data controllers.

The Italian Data Protection Authority therefore declared the unlawfulness of the data processing operations carried out by the Lombardy Regional Authorities and ordered:

  • compliance with the same within 90 days, with specific corrective measures (shortening of storage times, data anonymisation, encryption and organisational measures);
  • the obligation to notify the Italian Data Protection Authority of the steps taken within 30 days;
  • payment of a €50,000 fine.

The measure draws the attention of companies to their obligation to process employee personal data in a transparent manner, limited to strictly necessary purposes and for a proportionate period of time. Above all, it requires employers to review and, where necessary, redefine, in light of the Italian Data Protection Authority’s decision, company procedures for managing the collection, storage and processing of email metadata and Internet browsing histories, taking into account the need, according to the Italian Data Protection Authority, to complete the above-mentioned union agreement/authorisation procedure with the Labour Inspectorate.

Toffoletto De Luca Tamajo has a team of professionals who specialise in the regulation of business tools and systems and the related data, ready to support you in the implementation of all possible systems.

For further information: comunicazione@toffolettodeluca.it