The new measure on email management programs and on the conservation of metadata

Edited by Francesca Tironi, Luca Saglione and Geljarda Domi

With measure no. 642 of December 21st, 2023 (titled “Computer programs and services for managing email in the work context and processing of metadata”), the Italian Data Protection Authority gave public and private employers guidance on the use of computer programs and services for email management that suppliers market in cloud or as-a-service mode.

In more detail, the measure stems from investigations carried out by the Authority, which revealed a risk that such programs may collect by default, in a preventive and generalized way, the metadata related to employees' use of email accounts (for example, day, time, sender, recipient, subject and size of the email) and retain it for an extended period of time.

The Authority has identified the initiatives to be implemented by employers to prevent non-compliant personal data processing:

  • verify with due diligence that such programs allow the basic settings to be modified, so as to prevent the collection of metadata or to limit the period of their conservation to a maximum of seven days, extendable by a further 48 hours in the presence of specific conditions (or provide for their termination);
  • otherwise, the warranty procedures provided for by article 4 of the Workers’ Statute (union agreement or authorization of the Labour Authority) are necessary, as the extension of the conservation period beyond the time frame set by the Authority can lead to an indirect remote control of the employee’s activity;
  • in any case, it is necessary to ensure transparency towards employees, providing them with specific information on the processing of personal data before the processing starts.

Conversely, the employer's possible liability would arise:

  1. if the warranty procedures referred to in article 4 of the Workers’ Statute are not carried out when data retention exceeds 7 days;
  2. in case of acquisition of information about the personal life or the opinions of the data subject from the elements obtainable from the external data of the correspondence, such as the subject, the sender, the recipient and other information that accompanies the data in transit and defines its temporal profile (such as the date and time of sending/receiving), as well as from qualitative and quantitative aspects, including in relation to the recipients and the frequency of contact;
  3. in case of defining metadata retention times that are not proportionate to the legitimate purposes pursued;
  4. in case of violation of the principles of data protection by design and by default as well as that of accountability.

The measure raises significant organizational issues for employers concerning the time required to conclude a trade union agreement, as the Authority highlights that, pending the warranty procedures, the metadata cannot be used in any case.

The Authority does not express an opinion on the “fate” of companies during this time frame in the event of “excessive” processing: is the employer to be considered liable?

For more information

Contact Francesca Tironi – Partner, PwC TLS 

Contact Luca Saglione – Director, PwC TLS