In a highly discussed (and criticized) move, the Italian Privacy Authority (the Garante) has mandated a dramatic shift in retention policies for the metadata of employees’ emails.
The Italian data protection authority issued new guidelines on the “E-mail management computer programs and services in the work context and metadata processing”.
Based on the position of the Garante, employers cannot keep email metadata relating, among others, to the date, time, sender, recipient, subject, and size of employees’ emails for more than 7 days, extendable, where there is a proven and documented need justifying the extension, by an additional 48 hours. These guidelines, primarily affecting cloud and software-as-a-service providers accustomed to indefinite data retention, introduce a significant challenge: balancing stringent privacy regulations with the need to protect the business’ property and interests.
These guidelines permit exceptions for extended retention, for instance for security reasons, albeit with the prerequisite of a trade union agreement and the need to specifically justify that retention. This raises a pertinent question for companies: is it feasible to erase metadata after merely 7 days? The implications of such a policy are profound, especially in legal disputes that may emerge years later, where the lack of metadata could call the authenticity of email evidence into question and prevent the company from defending its interests.
These new guidelines underscore a growing friction between the push for privacy and the practical needs of businesses. The potential impact on dispute resolution, data management, and business operations is substantial.
Regardless of what people think of the Garante’s position, the decision requires companies to at least:
- update the privacy information notice for employees, specifically setting out the applicable data retention period;
- run a DPIA to maintain the data processing;
- perform a LIA, since the data retention is likely to be based on legitimate interest;
- update the data retention policy; and
- if a company wants to retain data for more than 7 days, reach an agreement with trade unions or, in the absence of one, with the local labor office.
On a similar topic, you can read the article “Employees’ monitoring: a prior privacy notice might not suffice, especially under the GDPR!”.