The Privacy guarantor, through directive document no. 642 of December 21, 2023, has introduced guidelines aimed at both public and private employers regarding the management of electronic mail and metadata (e.g., date, time, sender, recipient, subject, etc.) of employees.
>> READ LDP ARTICLES TO KEEP UP TO DATE WITH THE LATEST NEWS
Within the framework of investigations conducted by the Privacy guarantor on the management of personal data in the workplace, a risk related to the preventive and generalized collection of metadata concerning the use of corporate email by employees has emerged.
Measures to be Taken
In particular, by reiterating the principles expressed regarding the protection of personal data, the Co Privacy guarantor has clarified that:
- Article 4, paragraph 1, of Law no. 300/1970, establishes that tools capable of remote monitoring of workers can only be used (i) for specific purposes (organizational and productive needs, workplace safety, and protection of corporate assets) and (ii) with specific procedural guarantees (union agreement or, in the absence thereof, prior authorization from the Labor Inspectorate);
- The provisions of Article 4, paragraph 1, of Law no. 300/1970, do not apply “to tools for recording access and attendance” as well as “to tools used by the worker to perform work”, as they are functional to allow the fulfillment of obligations arising from the employment contract, namely presence at work and performance of work activities, including corporate email.
That said, the Privacy guarantor has specified that:
- The collection and retention of metadata to ensure the functioning of email should not normally exceed a few hours or a few days, in any case not beyond seven days, extendable, in the presence of proven and documented needs justifying their extension, by an additional 48 hours;
- Therefore, if the collection of metadata is carried out for longer periods and entails indirect monitoring of workers’ activities, it is necessary to comply with the procedure under Article 4, paragraph 1, of Law no. 300/1970 (union agreement or, in the absence thereof, prior authorization from the Labor Inspectorate);
- Otherwise, the long-term collection and retention of metadata relating to the use of corporate email constitute a violation of data protection regulations as it may lead to the acquisition of information irrelevant to the evaluation of the worker’s professional aptitude.
Entry into Force
To address the numerous clarification requests received, on February 27, 2024, the Privacy guarantor decided to postpone the entry into force of the directive and initiate a 30-day public consultation regarding scenarios requiring retention of metadata for a longer period than that envisaged in the guidance document.
Therefore, it is necessary to await the outcome of the consultation to understand the actual novelties introduced by the Privacy guarantor with the entry into force of the directive under review and the consequent measures to be adopted by employers.
