The Italian Data Protection Authority has adopted an updated version of a guideline document on email retention that it originally issued in December 2023, but which had been suspended.
The document is entitled 'Computer programmes and services for email management in the workplace and metadata processing'. With this document, the Data Protection Authority states that it intends to provide employers with guidelines on how to manage employee email accounts, and further states that the measure introduces no new obligations or responsibilities.
Firstly, in order to clarify the scope of the measure, it defines the concept of email metadata (in place of the mere examples contained in the previous text). Metadata is the information automatically recorded in the logs generated by the server systems for managing and sorting emails, which may include sender and recipient email addresses, server IP addresses, sending (retransmission or reception) times, message size, the presence and size of any attachments and, in certain cases, even the subject of the message sent or received.
The Data Protection Authority states that metadata must not be confused with the information in the body of email messages (i.e. the contents) nor with the technical information that is an integral part of the messages and forms the so-called 'envelope' (i.e. the set of structured technical headers that document the routing of the message, its origin and other technical parameters). This information remains available to the user/worker, in their assigned mailbox.
The measure only regards metadata/logs as, therefore, do the Data Protection Authority's guidelines.
The guidelines, however, have changed compared to the previous measure: collection and retention of the metadata/logs required to ensure correct functioning of the email account may be carried out for a limited period of a few days, which should not exceed the guideline limit of 21 days (instead of the seven days in the previous version).
The metadata/logs may only be retained for longer if special conditions exist, which must be proven by the data controller according to the accountability principle established by the GDPR. Moreover, the guidelines state that any retention of metadata/logs beyond the stated 21 days must be done in compliance with the procedures set out in the Workers' Statute for certain tools and systems used for workplace monitoring. Those procedures involve prior agreement by the union or, failing that, prior authorisation from the Labour Inspectorate.
Takeaway for employers
In light of these new guidelines, organisational solutions to retain email metadata only for the necessary time and without incurring violations must be adopted as soon as possible.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.