With its decision of 6 June 2024, the Italian data protection authority (GPDP) revisited the guideline document it had published on 6 February 2024, in which it had imposed a maximum retention period of seven days for metadata relating to employees' use of company e-mail.

The guideline document had drawn criticism from employers and privacy experts and, for this reason, the GPDP opened a public consultation, lasting several months, to receive proposals and comments on the appropriateness of that time limit.

In its decision of 6 June 2024, the GPDP did not entirely succeed in clarifying the subject, not least because of its imprecise use of IT terminology: it treats ‘metadata’ and ‘logs’ as synonyms, although the two notions are quite different (a log is the record written by the mail system; metadata is data describing a message, and the two overlap only in part).

In the decision's own usage, ‘e-mail metadata’ (or ‘e-mail logs’, the two terms being used interchangeably) is the information ‘automatically recorded by e-mail systems’, such as the IP addresses or e-mail addresses of the sender and recipient, or the time at which the e-mail was sent, and it must not be ‘confused in any way with the information contained in the messages themselves, in the body of the e-mails, nor with the information embedded in the messages that form the so-called envelope, i.e. the set of structured technical headers documenting the routing of the message, its origin and other technical parameters’.

Collecting and storing only the metadata/logs necessary to keep the e-mail infrastructure operating, on the basis of a technical assessment and in compliance with the principle of accountability, must normally be limited to a few days; as an indicative ceiling, such storage should in any case not exceed 21 days. Retention beyond that period is permitted only where specific conditions make the extension necessary, again in compliance with the principle of accountability.
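To make the two points above concrete for whoever operates the mail servers, here is an added example (written for this page; it is not code from the GPDP or from the original article) that takes a handful of constructed Postfix-style log lines, keeps only the fields the decision calls metadata (client IP, sender and recipient addresses, time, delivery status), separates out any line that copies message header content into the log, and then applies the indicative 21-day ceiling. The hostnames, addresses, IPs and queue IDs are hypothetical; the log layout imitates Postfix syslog output, including the line Postfix emits when a header_checks rule is set to WARN on the Subject header, which is the easiest way for header content to end up in what was meant to be a pure metadata log.

```python
import re
from datetime import datetime, timedelta

# Indicative ceiling stated in the GPDP decision of 6 June 2024.
RETENTION_DAYS = 21

# Constructed sample in a Postfix-like syslog layout. Hostnames, addresses,
# IPs and queue IDs are hypothetical; this is not a real server's log.
# The fifth line imitates what Postfix writes when header_checks is set to
# WARN on the Subject header, i.e. message header content lands in the log.
SAMPLE_LOG = """\
2024-05-10T08:15:02+02:00 mx1 postfix/smtpd[1201]: 4AB12C: client=mail.example.net[203.0.113.10]
2024-05-10T08:15:02+02:00 mx1 postfix/cleanup[1202]: 4AB12C: message-id=<a1@example.net>
2024-05-10T08:15:02+02:00 mx1 postfix/qmgr[1100]: 4AB12C: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
2024-05-10T08:15:03+02:00 mx1 postfix/local[1203]: 4AB12C: to=<bob@example.com>, relay=local, delay=0.4, status=sent (delivered to mailbox)
2024-05-10T08:15:03+02:00 mx1 postfix/cleanup[1202]: 4AB12C: warning: header Subject: Q2 salary review from mail.example.net[203.0.113.10]
2024-06-03T17:40:11+02:00 mx1 postfix/smtpd[1310]: 7CD34E: client=smtp.example.org[198.51.100.7]
2024-06-03T17:40:11+02:00 mx1 postfix/qmgr[1100]: 7CD34E: from=<carol@example.org>, size=512, nrcpt=1 (queue active)
2024-06-03T17:40:12+02:00 mx1 postfix/local[1311]: 7CD34E: to=<bob@example.com>, relay=local, delay=0.2, status=sent (delivered to mailbox)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)

# Only the fields the decision lists as metadata: who connected, sender and
# recipient addresses, and delivery outcome. Nothing from body or headers.
FIELD_RES = {
    "client_ip": re.compile(r"client=\S+\[(?P<v>[0-9A-Fa-f.:]+)\]"),
    "sender": re.compile(r"from=<(?P<v>[^>]*)>"),
    "recipient": re.compile(r"to=<(?P<v>[^>]*)>"),
    "status": re.compile(r"status=(?P<v>\w+)"),
}


def _is_header_content(rest):
    # header_checks WARN lines copy a message header into the log verbatim.
    return rest.startswith("warning: header ")


def find_header_content(log_text):
    """Return the log lines that carry message header content, not metadata."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and _is_header_content(m["rest"]):
            out.append(line)
    return out


def parse_mail_log(log_text):
    """Collapse the per-queue-ID log lines into one metadata record each."""
    records = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or _is_header_content(m["rest"]):
            continue  # unparseable or header content: never becomes metadata
        qid = m["qid"]
        rec = records.setdefault(qid, {
            "qid": qid,
            "first_seen": datetime.fromisoformat(m["ts"]),
            "client_ip": None, "sender": None, "recipient": None, "status": None,
        })
        for field, rx in FIELD_RES.items():
            fm = rx.search(m["rest"])
            if fm:
                rec[field] = fm["v"]
    return sorted(records.values(), key=lambda r: r["first_seen"])


def apply_retention(records, now_iso, days=RETENTION_DAYS):
    """Keep only records first seen within the last `days` days before now_iso."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=days)
    return [r for r in records if r["first_seen"] >= cutoff]


if __name__ == "__main__":
    recs = parse_mail_log(SAMPLE_LOG)
    # Reference date chosen as the day of the GPDP decision.
    for r in apply_retention(recs, "2024-06-06T00:00:00+02:00"):
        print(r["qid"], r["first_seen"].isoformat(), r["client_ip"],
              r["sender"], r["recipient"], r["status"])
    for line in find_header_content(SAMPLE_LOG):
        print("header content, not metadata:", line)
```

Run against the sample with 6 June 2024 as the reference date, the May message falls outside the 21-day window and is dropped, the June message is kept, and the header_checks line is reported separately so the operator can see that a WARN rule on Subject turns the mail log into a store of message headers, which the decision places outside the notion of metadata.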

Generalised and unjustified collection and storage of e-mail logs, since it could amount to indirect remote monitoring of employees' activities, is subject to the safeguards of Article 4(1) of Law No. 300/1970 (the Italian Workers' Statute). This is without prejudice to the obligation to inform employees adequately about the processing of personal data relating to their electronic communications (Article 13 GDPR).

This approach of the GPDP, which moreover contradicts established case law, is likely to prove difficult to apply not only for IT departments but also for HR and, in particular, in the management of disputes with employees, where logs older than the retention window may no longer be available as evidence.

We remain available for any further clarification.