Processing of employee email data and metadata in Italy

8 March 2024 | Applicable law: Italy | 2 minute read

The Data Protection Authority has consistently alerted businesses to the risks of indefinitely retaining their employees' email messages. Even though these exchanges occur within the workplace, employees rightfully expect a degree of privacy, rendering any indiscriminate employer access illegal.

On December 21, 2023, the Authority released a guideline, born from comprehensive studies, highlighting concerns around the handling of email metadata [refer to Decision 9978728]. Investigations have uncovered that employing cloud-based email services may lead to the accumulation and extended storage of data such as the date, time, sender, recipient, subject, and size of emails. This raises privacy and legal compliance issues for employees. The Authority advises that email metadata should be kept no longer than 7 days, with a possible extension of up to 48 hours in specific, justified instances. Any longer retention requires a union agreement and thorough justification. 

Following widespread queries, on February 22, 2024, the Authority initiated a public consultation to solicit feedback on metadata retention durations and practices that might necessitate extended periods. This situation underscores the need for companies to practice responsible data management, aligning with the GDPR's accountability principle. This balance between personal data protection and operational necessities is crucial. Our firm can guide your company in several key areas: 

  • Assessing the purpose behind storing and retaining employee email content and metadata. 
  • Re-evaluate the current employee email retention policies and access methods, in particular after the end of the employment relationship, trying to balance company document needs and respect for employee privacy
  • Refreshing employee privacy policies to clearly define data retention durations. 
  • Undertaking a data privacy impact assessment and balancing test, pending additional advice from the Authority. 
  • Supporting participation in the ongoing public consultation, closing on March 22, 2024. 

Adopting these measures not only ensures compliance with regulations but also boosts employee trust in the respectful treatment of their personal data.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.


Related experience

As a full-service law firm, we are able to provide advice and information about a wide range of other issues. Here are some related areas.

Join the club

We have lots more news and information that you'll find informative and useful. Let us know what you're interested in and we'll keep you up to date on the issues that matter to you.