The Data Protection Authority has consistently alerted businesses to the risks of indefinitely retaining their employees' email messages. Even though these exchanges occur within the workplace, employees rightfully expect a degree of privacy, rendering any indiscriminate employer access illegal.

On December 21, 2023, the Authority released a guideline, born from comprehensive studies, highlighting concerns around the handling of email metadata [refer to Decision 9978728]. Investigations have uncovered that employing cloud-based email services may lead to the accumulation and extended storage of data such as the date, time, sender, recipient, subject, and size of emails. This raises privacy and legal compliance issues for employees. The Authority advises that email metadata should be kept no longer than 7 days, with a possible extension of up to 48 hours in specific, justified instances. Any longer retention requires a union agreement and thorough justification.

Following widespread queries, on February 22, 2024, the Authority initiated a public consultation to solicit feedback on metadata retention durations and practices that might necessitate extended periods. This situation underscores the need for companies to practice responsible data management, aligning with the GDPR's accountability principle. Striking a balance between personal data protection and operational necessities is crucial. Our firm can guide your company in several key areas:

  • Assessing the purpose behind storing and retaining employee email content and metadata.
  • Re-evaluating the current employee email retention policies and access methods, in particular after the end of the employment relationship, to balance the company's document needs with respect for employee privacy.
  • Refreshing employee privacy policies to clearly define data retention durations.
  • Undertaking a data privacy impact assessment and balancing test, pending additional advice from the Authority.
  • Supporting participation in the ongoing public consultation, closing on March 22, 2024.

Adopting these measures not only ensures compliance with regulations but also boosts employee trust in the respectful treatment of their personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.