Last Updated on June 20, 2024
With measure no. 364 of 6 June, the Italian Data Protection Authority has adopted an updated version of guideline document no. 642 of 21 December 2023 (the validity of which had been suspended) entitled ‘Computer programmes and services for email management in the workplace and metadata processing’ (see our newsflash ‘Data Protection Authority: restrictions regarding retention of employee emails” of 21.02.2024).
With this document, the Data Protection Authority states that it intends to provide companies with guidelines on how to manage the email account in use by employees and further states that the measure introduces no new obligations or responsibilities.
Firstly, in order to clarify the objective scope of the measure, it clarifies the notion of email metadata in place of the mere examples contained in the previous text. This is the information automatically recorded in the logs generated by the server systems for managing and sorting emails, which may include sender and recipient email addresses, server IP addresses, sending (retransmission or reception) times, message size, the presence and size of any attachments and, in certain cases, even the subject of the message sent or received.
The Data Protection Authority states that metadata must not be confused with the information in the body of email messages (i.e. the contents) nor with the technical information that is in any case an integral part of them and forms the so-called envelope, i.e. the set of structured technical headers that document the routing of the message, its origin and other technical parameters. This information remains available to the user/worker, in their assigned mailbox.
The measure only regards the former (metadata/logs) as, therefore, do the Data Protection Authority’s indications.
The indications, however, have changed compared to the previous measure: collection and retention of the metadata/logs required to ensure correct functioning of the email account may be carried out for a limited period of a few days and, in any case, should not exceed the guideline limit of 21 days (instead of the previously established 7 days). This data may only be retained for longer if special conditions exist, which must be proven by the data controller according to the accountability principle established by the GDPR. Any retention of metadata/logs beyond the term stated must be authorised with the procedures set out in Article 4(1) of the Workers’ Statute.
Toffoletto De Luca Tamajo is at your disposal for any clarification you may need and for drafting the necessary documents.
For further information: comunicazione@toffolettodeluca.it