Introduction
Recent guidelines issued by the Italian Data Protection Authority (Garante per la protezione dei dati personali (DPA)) regarding email metadata collection in workplace settings (Guidelines) raise crucial discussions concerning privacy safeguards and restrictions on employers’ access to employees’ emails.
Understanding the Legal Landscape
The Guidelines emphasise the intersection of the General Data Protection Regulation (GDPR) and Italian employment legislation on remote monitoring and investigations into employees' private affairs. Italian employers are navigating a complex legal framework where handling email metadata—such as date, time, sender, recipient, subject, and size—is subject to stringent restrictions outlined by the DPA.
Key Points of the Guidelines
- Restrictions on employee remote monitoring: The DPA reaffirmed the principle, established by recent decisions, that systematically storing email metadata for more than 7 days (with a possible extension of a further 48 hours under exceptional circumstances) may constitute indirect remote monitoring of employees’ activities. Consequently, according to the DPA, Italian employers would be required to enter into a union agreement or obtain authorisation from the Labour Office before collecting email metadata, in accordance with Italian employment legislation on employee remote monitoring.
- Restrictions on investigations into employees’ private affairs: Prolonged and systematic retention of email metadata may breach the Italian statutory law prohibiting investigations into matters unrelated to employees’ professional suitability. The DPA cautions that email metadata – such as subject, sender, recipient and frequency of contact – could potentially reveal information about employees’ personal life and opinions, necessitating careful consideration during data handling.
- Data Protection Impact Assessments: Employers collecting employees’ email metadata must conduct a prior data protection assessment in accordance with the GDPR. Recognising the vulnerability of employees and the potential risks associated with storing email metadata, the DPA emphasises the importance and necessity of this assessment.
- Other GDPR Compliance Obligations: Italian employers are also reminded of their broader obligations under the GDPR to ensure the lawfulness, transparency, and fairness of data processing activities. These also include the implementation of appropriate technical and organisational measures to ensure compliance with data protection legislation, including when using third-party email management products or services.
Failure to comply with these requirements could potentially result in severe penalties, including the employer being prohibited from using the collected email data and fines imposed by the DPA under the GDPR. These fines can be substantial, reaching up to €20m or 4 per cent of the annual global turnover of the preceding financial year, whichever is higher, in the most extreme cases.
Implications for Employers
Italian employers are urged to exercise due diligence in reviewing their email management systems, particularly cloud-based services provided by third parties, and adopting the appropriate steps to ensure compliance with regulatory requirements.
While these guidelines focus specifically on the storage of email metadata, they do not provide explicit instructions on handling email messages. However, it is reasonable to infer that the DPA's position on email metadata management extends to email messages and their associated content and attachments. Italian employers should therefore consider applying a similar rationale to ensure compliance with data protection and employment legislation across all aspects of email communications within the workplace.
Conclusion
The stance taken by the DPA underscores a strict approach that Italian employers should consider when handling employees' emails. This position carries significant implications both for daily operations and in sensitive areas, like internal investigations and audits, which largely rely on email reviewing. The Guidelines may prompt a wake-up call for Italian employers to reassess their email management processes as well as their internal investigation practices particularly considering the evolving data protection legal framework and the DPA’s increasingly rigorous enforcement stance.
