In a previous circular, we spoke about the decision of the Privacy Authority according to which the metadata contained within corporate email communications, namely all information concerning, for example, the date and time of sending, sender, and recipient, etc. (also referred to as “logs”), could allow the Employer to remotely monitor their employees.
Such a stance would have forced all data controllers to implement corporate software that prevented the retention of such data for a period longer than seven days or, alternatively, to adopt the safeguards identified by Art. 4 of Law 300/1970, providing for either a collective agreement stipulated by the unitary union representation or the corporate union representations, or the authorization of the territorial office of the National Labor Inspectorate.
We also informed you in a subsequent circular that, following numerous criticisms and reports, the Guarantor was forced to initiate a public consultation regarding the appropriateness of the retention period for metadata generated and automatically collected by the email transmission and sorting protocols, suspending the effectiveness of the aforementioned guideline document.
The new provision of June 6, 2024, confirms our previously expressed concerns regarding its correctness. The Authority states that the retention of email logs can be considered legitimate even in the absence of the aforementioned safeguards, as it falls under the definition of a “work tool” pursuant to Art. 4, paragraph 2 of the Workers’ Statute, when their retention, based on technical evaluations and in compliance with the principle of accountability, is necessary to ensure the functioning of the email system infrastructure and, in any case, for a period that should generally not exceed 21 days.
The Guarantor further asserts that “Retention for an even longer period may be carried out only in the presence of particular conditions that necessitate the extension, adequately demonstrating […] the specificity of the technical and organizational reality of the controller.”
In all other cases, the provisions are confirmed that the retention of metadata, potentially enabling indirect remote monitoring of employees’ activities, requires the implementation of the safeguards provided by Art. 4, paragraph 1, of Law 300/1970.
In essence, therefore, metadata, which are technical information automatically collected by the application used in the company, cannot be retained for more than twenty-one days and should be deleted afterward.
In our opinion, the view provided by the Guarantor regarding the scope of Art. 4, paragraph 2 of the Workers’ Statute starts from an erroneous assumption, namely that, through the collection of said information, one could acquire knowledge of opinions, orientations, or, in any case, so-called sensitive data of their employees. However, in reality, the corporate email address, owned by the employer, should only be used for corporate needs; any different use would constitute a disciplinary offense subject to sanctions.
Currently, however, it is advisable to verify with your IT consultant to ensure that the metadata are not retained by the application or system for more than twenty-one days.
We will keep you informed of any developments.
(Avv. Luca Testa) (Avv. Giampiero Pino)
