The new guidelines of the Italian Data Protection Authority on the conservation of metadata

On December 21, 2023, with Order No. 9978728, the Italian Data Protection Authority issued “Computer Programs and Services for the Management of Electronic Mail in the Workplace and the Processing of Metadata” (the so-called ‘Guidelines’). The Guidelines have raised interest with reference to their possible impact on Italian employers.

Specifically, the Guidelines provide that anyone who keeps the so-called ‘metadata’ (date, time, sender, addressee, subject and size) of employees for more than 7 days commits unlawful processing of personal data and hence may be subject to both civil and criminal sanctions.

The Guidelines further state that employers may extend the above-mentioned period by a maximum of 48 hours. Specifically, the storage period of such data ‘shall not normally exceed a few hours or a few days, in any case not exceeding 7 days, extendable, in the presence of proven and documented needs that justify the extension, by a further 48 hours’.

Employers that need to keep metadata in the cloud for a period exceeding 9 days must sign an agreement with the trade unions, according to the mandatory mechanism provided for by Article 4, par. 2 of Law no. 300/1970 (the so-called ‘Workers’ Statute’) relating to indirect remote control of workers. If no such agreement is reached, it is possible to request an authorization from the National Labour Inspectorate.

The above measures will entail, inter alia, substantial revisions of the employees’ privacy notices and of the data retention policy and a data protection impact assessment (DPIA).