Metadata processing: new guidelines from the Italian Data Protection Authority

The Italian Data Protection Authority, with Order No. 364 of 6 June 2024, issued updated guidelines on computer programs and services for managing e-mail in the work context and on the processing of metadata in employees’ e-mails.

The document states that it introduces no new prescriptions but reconstructs the provisions already applicable, drawing attention to certain points where data protection law intersects with the rules on the use of technological tools in the workplace.

Definition of Metadata

The Authority defines metadata as the information recorded in the logs generated by the mail transfer and routing server systems (MTAs, Mail Transfer Agents) and by client workstations (MUAs, Mail User Agents). These metadata include:

  • Sender and recipient e-mail addresses
  • IP addresses of the servers or clients involved in routing the message
  • Sending, retransmission or receipt times
  • Message size
  • Presence and size of any attachments
  • Subject of the message

Such metadata are recorded automatically by the e-mail systems, independently of the user’s perception and will.

The document is precise about what it refers to: ‘metadata, as intended here, shall in no way be confused with the information contained in electronic mail messages in their “body-part” (message body) or integrated in them – although sometimes not immediately visible to users of electronic mail “client” software (the so-called MUA – Mail User Agent) – to form the so-called envelope, i.e. the set of structured technical headers documenting the routing of the message, its origin and other technical parameters’.

Lawfulness of Processing

The Authority extended the indicative retention period for metadata from the 7 days (extendable by a further 48 hours, hence the ‘7-9 days’ of the earlier text) to 21 days.

Compared to the version that preceded the public consultation, the Authority now specifies that this period is ‘approximate’ and that retention may be extended beyond it without triggering the guarantee procedure of Article 4(1) of the Workers’ Statute, provided that:

(i) the storage always takes place within the scope of the purpose of ensuring the operation of the e-mail system infrastructure, as provided for in paragraph 2 of Article 4 of Law no. 300/1970;

(ii) the extension is necessary and is adequately documented, in application of the accountability principle laid down in Article 5(2) of the GDPR.

Otherwise, the employer, as data controller, must follow the guarantee procedure provided for by the sectoral rules (Art. 4(1), L. 300/1970), i.e. a trade union agreement or, failing that, authorisation from the labour inspectorate.
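The two technical points above, which log fields count as metadata and how the 21-day indicative period is applied, can be made concrete with a small script. The following is an added example, not code from the Garante order or from the article: it parses constructed Postfix-style MTA log lines (sample traffic, not real) into the metadata fields the guidelines enumerate, and purges records older than the default period, refusing any longer retention that is not tied to a recorded justification. All names (`parse_mta_log`, `purge_expired`, the sample hosts and addresses) are assumptions of this example.

```python
"""Added example: extract e-mail metadata from MTA logs and enforce retention.

Not part of the Garante order or the article; the log lines are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DEFAULT_RETENTION_DAYS = 21  # the guidelines' "approximate" retention period

# Constructed Postfix syslog lines (two messages, RFC 5737 documentation IPs).
# Note: a stock Postfix MTA does not log the Subject header; it appears in the
# logs only if the operator configures header logging, so it is absent here.
SAMPLE_LOG = """\
2024-06-10T08:15:02Z mx1 postfix/smtpd[2211]: A1B2C3: client=mail.example.net[203.0.113.5]
2024-06-10T08:15:02Z mx1 postfix/qmgr[2215]: A1B2C3: from=<alice@example.net>, size=18342, nrcpt=1 (queue active)
2024-06-10T08:15:03Z mx1 postfix/lmtp[2220]: A1B2C3: to=<bob@corp.example>, relay=imap1.corp.example[10.0.0.5]:24, status=sent (250 2.0.0 Ok)
2024-06-30T17:40:11Z mx1 postfix/smtpd[3010]: D4E5F6: client=smtp.partner.example[198.51.100.7]
2024-06-30T17:40:11Z mx1 postfix/qmgr[2215]: D4E5F6: from=<carol@partner.example>, size=2048, nrcpt=1 (queue active)
2024-06-30T17:40:12Z mx1 postfix/lmtp[2220]: D4E5F6: to=<dave@corp.example>, relay=imap1.corp.example[10.0.0.5]:24, status=sent (250 2.0.0 Ok)
"""


@dataclass
class MailMetadata:
    """The per-message metadata the guidelines list, as found in MTA logs."""
    queue_id: str
    first_seen: datetime            # time the MTA first handled the message
    client_ip: Optional[str] = None  # IP of the submitting client/server
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    size: Optional[int] = None       # message size in bytes, attachments included
    status: Optional[str] = None     # final delivery status


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
SIZE_RE = re.compile(r"size=(?P<size>\d+)")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
STATUS_RE = re.compile(r"status=(?P<status>\w+)")


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-06-10T08:15:02Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_mta_log(text: str) -> Dict[str, MailMetadata]:
    """Group log lines by queue ID and pull out the metadata fields."""
    records: Dict[str, MailMetadata] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a queue ID carry no per-message metadata
        rec = records.setdefault(m["qid"], MailMetadata(m["qid"], parse_ts(m["ts"])))
        rest = m["rest"]
        if c := CLIENT_RE.search(rest):
            rec.client_ip = c["ip"]
        if f := FROM_RE.search(rest):
            rec.sender = f["addr"]
        if s := SIZE_RE.search(rest):
            rec.size = int(s["size"])
        if t := TO_RE.search(rest):
            rec.recipients.append(t["addr"])
        if st := STATUS_RE.search(rest):
            rec.status = st["status"]
    return records


def purge_expired(records: Dict[str, MailMetadata], now: datetime,
                  extension_days: int = 0, justification: str = ""
                  ) -> Tuple[Dict[str, MailMetadata], List[str]]:
    """Drop records older than the retention window; return (kept, purged IDs).

    Retention beyond the 21-day default is allowed only when a reason tied to
    running the mail infrastructure is recorded (accountability, Art. 5(2)
    GDPR); an undocumented extension is refused rather than silently applied.
    """
    if extension_days < 0:
        raise ValueError("extension must not be negative")
    if extension_days > 0 and not justification.strip():
        raise ValueError("retention beyond the default requires a documented justification")
    cutoff = now - timedelta(days=DEFAULT_RETENTION_DAYS + extension_days)
    kept = {qid: r for qid, r in records.items() if r.first_seen >= cutoff}
    purged = sorted(qid for qid in records if qid not in kept)
    return kept, purged


if __name__ == "__main__":
    recs = parse_mta_log(SAMPLE_LOG)
    kept, purged = purge_expired(recs, parse_ts("2024-07-05T00:00:00Z"))
    print("kept:", list(kept), "purged:", purged)
```

Run as-is and the 10 June message is purged while the 30 June message is kept; pass `extension_days=10` together with a non-empty `justification` (for instance a ticket reference for an ongoing delivery-failure investigation) and both are retained, while the same extension without a justification raises. Real deployments also need the selective access and access logging the guidelines require, which this example does not cover.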

Data Protection Principles

The data controller must adopt measures that ensure compliance with the purpose limitation principle, selective access to the data, and logging of that access. Service providers must help ensure that their products comply with GDPR principles, so that data controllers can meet their data protection obligations. Employees must be informed of all the characteristics of the processing.

Finally, the document is particularly relevant for the application of Article 25 of the GDPR, especially in the context of cloud solutions. In its final part the Authority emphasises that e-mail service providers cannot always be regarded as mere data processors, which implies precise responsibilities in terms of ‘privacy by design’.

In particular, the Authority states that providers must help data controllers fulfil their data protection obligations, reconciling market demands with compliance with the applicable rules. In turn, it falls to data controllers to verify that the e-mail programs and services they use, especially cloud or as-a-service products, allow them to comply with data protection rules, including the retention period for metadata.

Employers, both public and private, will have to take the necessary measures to bring their processing into line with data protection rules in order to avoid administrative and criminal sanctions. In particular, it will be the responsibility of the employer, as data controller, to verify that the e-mail management software and services used by its employees, especially when procured as cloud or as-a-service products, allow it to comply with data protection rules, including the metadata retention period; providers, for their part, must design those products so that such compliance is achievable.