The Italian Data Protection Authority (the Garante) has issued its first GDPR fine concerning, among other things, the unlawful retention of metadata from employees’ emails and web browsing activities. In doing so, it applied for the first time in Italy its much-discussed 2024 guidelines on the use of metadata in workplace email systems.
The Processing of Metadata in Employment Relations
Metadata generated through corporate email and internet usage includes information such as sender and recipient addresses, subject lines, date and time of transmission, the presence and size of attachments, and IP addresses. Although this data does not include the actual content of messages, it can reveal patterns of behavior, relationships, and indirectly infer performance or productivity levels.
In the employment context, this type of metadata becomes highly sensitive. Its processing must comply not only with GDPR principles but also with Italian labor law, especially Article 4 of Law No. 300/1970 (the Italian Workers’ Statute), which regulates the monitoring of employees. Notably, Article 114 of the Italian Privacy Code explicitly refers to the Workers’ Statute, anchoring labor law protections firmly within the data protection regime. As a result, a breach of Article 4 of the Italian Workers’ Statute can automatically amount to a breach of Italian data protection law.
First Enforcement of the Garante’s Metadata Guidelines on Employee Emails
In June 2024, the Garante released specific Guidelines titled: “Programs and Services for Managing Emails in the Workplace and Metadata Processing.” These Guidelines represent a major clarification for employers and IT service providers by stating:
- Employee email metadata constitutes personal data and may be used to indirectly monitor employee conduct.
- Maximum retention without further safeguards is 21 days.
- Retention beyond 21 days requires one of two conditions:
  - An agreement with trade union representatives, or
  - Authorization from the Territorial Labor Inspectorate.
Additionally, under data protection law, it is necessary to put in place:
- A detailed privacy information notice specifying the types of metadata processed, the legal basis, the purpose of the processing and the retention period;
- A legitimate interest assessment since legitimate interest is likely to be the legal basis; and
- A data protection impact assessment given the relevant amount of processed personal data.
The Guidelines aim to prevent disproportionate or opaque data processing practices that could undermine the rights of employees under the GDPR and labor law. Although the Guidelines are not binding by definition, they represent the official position of the Garante on the matter, as shown in the decision outlined below, and companies should therefore comply with them.
The Garante Case on the Processing of Metadata of Employees in Italy
During an ex officio inspection, the Garante discovered that Regione Lombardia, one of the largest Italian regions, had been retaining:
- Email metadata for up to 90 days;
- Web browsing logs for 12 months;
- Helpdesk log data (containing employee identifiers and ticket histories) for nearly 10 years.
These retention periods far exceeded what the Guidelines deem proportionate, particularly given the absence of any trade union agreement or labor authority authorization.
Moreover, the employer had only entered into a trade union agreement after the inspection had commenced. The Garante clarified that such an agreement cannot retroactively justify past data processing.
Legal Breaches Identified
The Authority found that Regione Lombardia violated multiple GDPR provisions:
- Article 5(1)(c) (Data Minimization): Data was collected and stored beyond what was necessary.
- Article 5(1)(e) (Storage Limitation): Metadata was retained for periods unjustified by any demonstrated necessity.
- Article 6(1) (Lawfulness of Processing): There was no valid lawful basis for the retention of metadata for extended periods.
- Article 35 (DPIA Requirement): Regione Lombardia failed to conduct a Data Protection Impact Assessment, despite the high-risk nature of systematic employee data processing.
- Article 88 GDPR & Article 114 Privacy Code: The processing failed to comply with national provisions that integrate labor law protections.
- Article 28 GDPR: Contracts with IT service providers had not been updated in accordance with current requirements.
Crucially, the Italian Data Protection Authority emphasized that the potential to use metadata to monitor employees triggers the application of Article 4 of the Workers’ Statute, even if such monitoring is not routinely conducted.
Sanctions and Corrective Measures
In light of the above, the Garante issued a €50,000 fine, broken down as follows:
- €20,000 for unlawful processing of email metadata;
- €25,000 for excessive web browsing log retention;
- €5,000 for storing helpdesk ticket metadata for an excessive period.
It should be borne in mind that, historically, GDPR fines issued against public authorities are lower than those imposed on private companies. Had the same proceeding been initiated against a company, the fine would likely have been considerably higher.
In addition to the monetary penalty, the Garante ordered Regione Lombardia to:
- Limit browsing log retention to 90 days and implement anonymization thereafter;
- Minimize and encrypt email metadata;
- Restrict access to metadata to authorized personnel only;
- Update internal policies and privacy documentation;
- Revise contracts with third-party IT providers to reflect Article 28 GDPR obligations;
- Conduct a DPIA to assess and mitigate privacy risks;
- Ensure future compliance with labor law obligations for any processing that can result in employee monitoring.
Why this Decision Matters
This decision of the Garante on the processing of metadata relating to emails of employees is a watershed moment in the evolution of privacy enforcement in the workplace in Italy. It sets an authoritative precedent that:
- Email metadata is subject to full GDPR protection;
- Employers must treat metadata with the same seriousness as content;
- Labor law protections extend to digital traces, not just direct monitoring tools like video surveillance.
It also affirms the legally binding nature of the Garante’s Guidelines. While often seen as soft law instruments, this decision shows they can serve as a benchmark for assessing compliance and imposing sanctions.
Practical Implications for Employers
Organizations operating in Italy, both public and private, must now:
- Map and re-evaluate all metadata retention practices related to employee communications and the purposes of their data processing.
- Align retention periods with the 21-day threshold or secure a trade union agreement or labor inspectorate authorization.
- Assess vendor systems: Email and IT platforms must allow for granular configuration of metadata retention settings.
- Update trade union agreements where necessary to cover new types of data processing.
- Conduct DPIAs whenever there is a risk of profiling or monitoring and LIAs when the data processing is based on legitimate interest.
- Adopt detailed privacy information notices and internal policies on the usage of metadata.
- Strengthen internal governance by assigning responsibility for ongoing monitoring and compliance.
Looking Forward: A New Compliance Baseline
This first enforcement action under the metadata Guidelines raises the bar for privacy compliance in the employment context. It illustrates that metadata, often regarded as low-risk, can in fact be highly sensitive when linked to employee identities and behaviors. Employers can no longer treat metadata as a mere technical byproduct: it must be classified, risk-assessed, and protected under a privacy-by-design framework. Failure to do so can now trigger not only reputational harm but also financial penalties and legal scrutiny from both privacy regulators and labor authorities.
Conclusion
The Regione Lombardia decision sends a clear message: metadata retention is monitoring, and monitoring is regulated. Compliance now requires a deep understanding of how even invisible data can affect fundamental rights in the workplace.
Organizations that proactively adapt to this new paradigm, by revising retention policies, investing in data governance, and fostering transparency with employees, will be better positioned to avoid regulatory action and build trust in a digitized work environment.
Further details on the Guidelines of the Garante on the usage of metadata relating to emails of employees can be found in the article available HERE.