New Italian DPA guidance document on workers’ e-mail and metadata processing

The Italian Data Protection Authority (the "Garante" or the "Authority") has recently announced in its newsletter a guidance document (available only in Italian), adopted on December 21st, on the retention of employee e-mail data. The document is titled "Information Technology programs and services for e-mail management in the work context and metadata processing" (the "Document") and is addressed to both public and private employers.

The Document follows investigations by the Authority into the processing of personal data in the work context. Those investigations found that some software programs and computer services for e-mail management, including ones marketed by providers in cloud or as-a-service (SaaS) mode, are often configured out of the box to collect and store, in a preventive and generalized manner, metadata about the use of employees' e-mail accounts (e.g., day, time, sender, recipient, subject and size of each message), and to keep that data for an excessively long period.

In some cases the employer is also unable to change the default settings of the software, so it cannot disable the automatic collection or shorten the storage period of such data.

With the Document, therefore, in view of the high risks to the rights and freedoms of data subjects, the Authority aims to provide further guidance, in addition to that already given in previous measures (e.g., the "Guidelines of the Italian Data Protection Authority for e-mail and Internet" of 2007, decision no. 216 of 4.12.2019 and the earlier decisions recalled therein), in order to prevent initiatives and processing that violate data protection law (i.e. Regulation (EU) 2016/679, the "GDPR", and Italian Legislative Decree No. 196/2003, as amended by Italian Legislative Decree No. 101/2018, the "Privacy Code") and the laws protecting employees' freedom and dignity (i.e. Italian Law No. 300/1970, as amended, the "Workers' Statute").

The Document is essentially based on four fundamental principles:

  • The principle of confidentiality

The content of e-mail messages, as well as the external data of communications and attached files, enjoys guarantees of confidentiality that are also protected at constitutional level (Articles 2 and 15 of the Italian Constitution), which safeguard the essential core of human dignity and the full development of the human personality in social groups.

  • The principle of lawfulness

The employer, as data controller, must verify the existence of an appropriate condition of lawfulness before processing employees’ personal data through e-mail management computer programs and services.

In the work context, this condition of lawfulness is found in Article 4 of the Workers' Statute, as referred to in Articles 113 and 114 of the Privacy Code in implementation of Article 88 of the GDPR; its violation entails not only administrative fines but also possible criminal liability.

  • The principle of transparency

The employer, besides complying with the general principles of processing (lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), shall meet all the transparency requirements of the GDPR (for example, the information obligations under Article 13 of the GDPR and the keeping of an up-to-date record of processing activities in accordance with Article 30 of the GDPR).

The aim is to give employees a fair, clear and comprehensive picture of the overall processing of personal data carried out in the work context, so that they have all the essential information required by the regulations and are fully aware, before the processing begins, of its characteristics and of their rights.

  • The principle of accountability and the principle of storage limitation

The principle of accountability, as set out in Articles 5(2) and 24 of the GDPR, expressly requires the data controller to assess whether the processing activities to be carried out are likely to present a high risk to the rights and freedoms of individuals, in which case a prior data protection impact assessment ("DPIA") must be carried out.

This is particularly necessary for the collection and storage of metadata concerning the use of e-mail, given the particular "vulnerability" of data subjects in the work context and the risk of "systematic monitoring", meaning processing carried out to observe, monitor or control data subjects, including through data collected over networks (Article 29 Working Party, "Guidelines on Data Protection Impact Assessment" (WP 248), 4.10.2017).

In light of the above, the Authority specifies that the collection and storage of the metadata needed to ensure the proper functioning of the e-mail system's infrastructure cannot normally exceed a few hours or a few days, and in any case not more than 7 days, which may be extended by a further 48 hours only where proven and documented needs justify the extension.

Beyond that, the generalized collection and storage of such metadata for a longer period (even where it serves an organizational, production, work safety or company asset protection purpose) may amount to indirect remote monitoring of workers' activities and therefore requires the safeguards provided by Article 4 of the Workers' Statute, namely a union agreement or an authorization from the Italian Labor Inspectorate.
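To show how the Document's figures translate into a retention check an administrator could actually run over a mail server's metadata log, here is an added example. It is not part of the Garante Document and not the code of any vendor: the record fields follow the metadata the Document lists, the sample records and the fixed "now" are constructed, and the choice to purge an over-cap policy down to the period it may keep without Article 4 safeguards is an assumption of the example, not something the Document prescribes.

```python
"""Retention check for e-mail metadata logs.

Added illustration, not part of the Garante Document or of any product.
It encodes the Document's figures (a baseline of at most 7 days, plus 48
hours only where a documented need justifies it) and applies them to a
constructed sample of metadata records. A policy beyond those limits is
not a purely technical retention and would need the Workers' Statute
Art. 4 safeguards; this code only flags that and, as an assumption of the
example, purges down to what the policy may keep without them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List

BASE_RETENTION = timedelta(days=7)          # "in any case not more than 7 days"
DOCUMENTED_EXTENSION = timedelta(hours=48)  # only with proven, documented needs


@dataclass(frozen=True)
class RetentionPolicy:
    retention: timedelta
    justification: str = ""  # written reason for exceeding 7 days, if any


@dataclass(frozen=True)
class MetaRecord:
    # Mirrors the metadata the Document lists: day/time, sender, recipient,
    # subject and size. Values in SAMPLE_RECORDS below are constructed.
    timestamp: datetime
    sender: str
    recipient: str
    subject: str
    size: int


def make_policy(days: float, justification: str = "") -> RetentionPolicy:
    """Convenience constructor: retention in days plus optional justification."""
    return RetentionPolicy(timedelta(days=days), justification)


def policy_status(policy: RetentionPolicy) -> str:
    """Classify a configured retention period against the Document's cap.

    'ok'           within 7 days
    'ok-extended'  within 7 days + 48 h and a justification is recorded
    'needs-art4'   longer, or extended without a justification: outside the
                   technical retention, Art. 4 safeguards required
    """
    if policy.retention <= BASE_RETENTION:
        return "ok"
    if policy.justification.strip() and policy.retention <= BASE_RETENTION + DOCUMENTED_EXTENSION:
        return "ok-extended"
    return "needs-art4"


def effective_retention(policy: RetentionPolicy) -> timedelta:
    """Longest period the policy may keep without Art. 4 safeguards."""
    cap = BASE_RETENTION + DOCUMENTED_EXTENSION if policy.justification.strip() else BASE_RETENTION
    return min(policy.retention, cap)


def select_for_purge(records: Iterable[MetaRecord], policy: RetentionPolicy,
                     now: datetime) -> List[MetaRecord]:
    """Records older than the effective retention, oldest first."""
    cutoff = now - effective_retention(policy)
    return sorted((r for r in records if r.timestamp < cutoff), key=lambda r: r.timestamp)


# Constructed sample: a fixed "now" and five records of known age.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    MetaRecord(NOW - timedelta(hours=1), "a@example.com", "b@example.com", "1h old", 1200),
    MetaRecord(NOW - timedelta(days=2), "c@example.com", "a@example.com", "2d old", 5400),
    MetaRecord(NOW - timedelta(days=7, hours=12), "b@example.com", "c@example.com", "7d12h old", 800),
    MetaRecord(NOW - timedelta(days=9, hours=6), "a@example.com", "c@example.com", "9d6h old", 23000),
    MetaRecord(NOW - timedelta(days=20), "c@example.com", "b@example.com", "20d old", 310),
]


if __name__ == "__main__":
    for p in (make_policy(3), make_policy(30), make_policy(8, "ticket 42: incident review"), make_policy(8)):
        purged = select_for_purge(SAMPLE_RECORDS, p, NOW)
        print(p.retention.days, "days ->", policy_status(p), "; purge:", [r.subject for r in purged])
```

Run as a script it prints, for each of the four constructed policies, how the configured period is classified and which sample records fall outside the period that may be kept; the 30-day and the unjustified 8-day policies are both flagged "needs-art4" and purged down to the 7-day baseline, while the justified 8-day policy keeps the 7.5-day-old record.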

The Authority therefore urges employers, as data controllers, to choose solutions that let them change the default settings, so as to avoid collecting unnecessary data or keeping it for excessive periods.