Privacy Guarantor: restrictions regarding retention of employee emails

The DPA’s Guidance Document no. 642 of 21 December 2023, published in the 6 February 2024 newsletter, introduces guidelines and restrictions for the management of employee emails that risk creating significant organisational and management issues for companies.

This measure stipulates that employers (public and private) who use computer programmes and services to manage employee email – especially if provided in cloud or as-a-service mode – may retain the metadata (date, time, sender, recipient, subject and size) of email messages for up to a maximum of 7 days, period of time which, in the case of proven necessity, may be extended by a further 48 hours. Should companies need to collect and store the metadata for a longer period, in the DPA’s opinion, they must activate the procedures set forth in Article 4 of the Workers’ Statute.

The latter provision was rewritten in 2015 and stipulates that the tools and systems from which derive the possibility of performance monitoring may be used in a work context only for certain purposes (i.e. organisation, production, safety at work and protection of company assets) and installed subject to prior agreement by the union or, failing that, with prior authorisation from the Labour Inspectorate. These requirements and procedural constraints, as per current legislation, do not apply to the tools necessary to perform the working activity, which also include emails, an undisputed work tool that, therefore, is not subject to the requirements. The exemption of necessary working tools from the limits represents the most significant and innovative part of the legislation on remote controls introduced in 2015, precisely because of the frequent work-related use made of IT devices including, primarily, the computer.

However, the DPA believes that the retention of emails’ metadata for a period exceeding 7 days is not a working tool as defined above and therefore requires agreement by the union, or failing that, authorisation from the Labour Inspectorate, to be put in place. This is an unfounded position, considering that the collection and full retention of emails and related information have significant relevance for companies in terms of evidence and business management.

Organisational solutions allowing companies to retain emails for the necessary time without incurring violations must therefore be adopted as soon as possible.

Studio Toffoletto De Luca Tamajo has a team of professionals who specialise in the regulation of business tools and systems and relative data ready to support you in the implementation of all possible systems.

For further information: