The Italian Data Protection Authority issued a guidance measure last Dec. 21 regarding the storage of e-mail metadata in the employment context, highlighting the need for limited storage and the adoption of specific safeguards by employers.
The guidance measure issued by the Garante highlights the risk arising from the use of cloud-based e-mail management computer programs and services that could collect and store metadata of employee communications by default. This metadata, which includes information such as the day, time, sender, recipient, subject, and size of the e-mail, could reveal details about employees’ personal sphere or opinions.
According to the Garante, the employer must ensure an appropriate legal basis for the processing of metadata, subject to the procedural safeguards provided by current legislation. Various actions are then suggested to mitigate the risks arising from indefinite (sine die) processing and storage.
First, it should be checked whether configuration options exist to exclude or limit the retention of such metadata; such options should be made available by the e-mail provider. Where it is not possible to limit the retention period to the timeline specified by the Garante (7 days, plus 48 hours in exceptional cases), the employer should adopt other safeguards to protect employees.
Retention beyond the stipulated period is regarded as a possible form of remote monitoring of the worker, and the Garante therefore requires the guarantees provided by the Workers’ Statute: (i) a union agreement or (ii) authorization from the labour inspectorate. The Garante also reiterates the prohibition on making inquiries into the worker’s political, religious or trade union views, as well as into facts not relevant to the assessment of the worker’s professional aptitude.
The document provides clear operational guidance to employers and producers of services and applications, urging them to verify that computer programs and services allow them to change default settings to prevent the collection of metadata or limit the retention period of metadata. Alternatively, it is suggested that they comply with the assurance procedures in the industry regulations or cease using such IT programs and services. The obligation to provide specific information to workers before beginning metadata processing is also emphasized, in order to ensure transparency and awareness.
The last resort, where it is not possible to limit retention or reach an agreement under the workers’ statute, according to the Garante is the divestment of the service used.
This is a decidedly restrictive measure, which arguably gives little weight to how critical such metadata is during or after a cyber-attack for reconstructing what happened and, more generally, to the relevance of such information from a cybersecurity perspective.
All that is left for employers to do is to assess their mail providers and, if retention cannot be limited, to initiate the necessary procedures under the Workers’ Statute. From a data protection point of view, it will certainly be necessary to update the privacy notices provided to employees and to carry out an impact assessment (DPIA) and probably a legitimate interest assessment (LIA).
DISCLAIMER: This article merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi which assumes no liability whatsoever for the content and correctness of the newsletter. The author or your contact in the firm will be happy to answer any questions you may have.