14 February 2024 | 2 minute read

Italian Privacy Authority restricts retention of employees’ email metadata

In a highly discussed – and criticized – move, the Italian Privacy Authority (the Garante) has made a dramatic shift in policies relating to employees’ email metadata.

The Italian data protection authority issued new guidelines on e-mail management computer programs and services in the work context and on metadata processing.

Based on the Garante’s position, employers cannot keep email metadata relating to the date, time, sender, recipient, subject, and size of employees’ emails for more than seven days. This is extendable, where there is a proven and documented need justifying the extension, by an additional 48 hours. These guidelines, primarily affecting cloud and software-as-a-service providers accustomed to indefinite data retention, introduce a significant challenge: balancing stringent privacy regulations with the need to protect the business’s property and interests.

The guidelines permit exceptions for extended retention, for instance for security reasons, but with the prerequisite of trade union agreement and the need to specifically justify retention. This raises a pertinent question for companies: is it feasible to erase metadata after just seven days? The implications of the policy are profound, especially in legal disputes that may emerge years later, where the lack of metadata could call into question the authenticity of email evidence and prevent the company from defending its interests.

These new guidelines highlight a growing friction between the push for privacy and the practical needs of businesses. The potential impact on dispute resolution, data management, and business operations is substantial.

Regardless of what people think of the Garante’s position, the decision requires companies to at least:

  • update the privacy information notice for employees, specifically setting out the applicable data retention period;
  • run a data protection impact assessment (DPIA) to maintain the data processing;
  • perform a legitimate interest assessment (LIA) as the data retention is likely to be based on legitimate interest; and
  • update the data retention policy.

But the compliance requirements are not limited to privacy regulations: if a company wants to retain data for more than seven days, it will have to apply the rules laid down in Law no. 300/1970 (Statuto dei lavoratori). Therefore, express agreement with the trade union representatives or, failing that, with the local labor office will be necessary – very complex steps with no obvious outcome.