Introduction
A recent decision by the Italian Data Protection Authority (DPA) has reaffirmed the sensitive nature of email metadata retention and its intersection with both Italian data protection and labour laws. The ruling underscores the importance of minimizing the retention period for such data, in strict compliance with applicable rules (and as consistently reiterated by the Italian DPA) – unless the employer has entered into a collective agreement with trade unions under the conditions provided by law.
Background
Since 2007, the Italian DPA has addressed the processing of personal data linked to employees' use of network services – particularly email (including its metadata) and internet browsing logs. Most recently, on 6 June 2024, the DPA issued specific guidance on the retention of email metadata, offering clarifications to help employers take informed organizational and technical decisions. For additional context, refer to our previous post analysing these Guidelines.
Key facts of the case
The DPA launched an investigation into the Lombardy Region to assess the lawfulness of personal data processing in the workplace, particularly in relation to its ‘flexible working’ arrangements. The Region had retained email metadata, internet browsing logs, and helpdesk data for excessively long periods, without the safeguards required by law. Notably, these activities were carried out in the absence of prior collective agreements with trade unions and without compliance with the most recent, stricter measures published by the DPA.
The Region argued that its systems processed employee data solely for technical purposes essential to IT infrastructure, such as anomaly detection and support provision.
Highlights of the Italian DPA’s Decision
The DPA imposed an administrative sanction of €50k on the Lombardy Region, citing several violations of Law No. 300/1970 (Workers’ Statute) and Regulation (EU) 679/2016 (GDPR). Specifically:
- Retention of email metadata for 90 days: The Region argued that the email system was an essential work tool, and that monitoring fell within the scope of Article 4(2) Workers’ Statute. However, the DPA found that the extended retention of metadata constituted a form of remote monitoring under Article 4(1) Workers’ Statute, which requires a collective agreement with trade unions. In the absence of such an agreement, the processing was deemed unlawful.
- Collection and storage of internet browsing logs: The Region retained browsing data – including failed attempts to access blocked websites – for 1 year, citing IT security needs. Although the DPA acknowledged mitigating factors such as limited access and data separation across providers, it concluded that the system still allowed for the reconstruction of personal activity. Furthermore, no data protection impact assessment had been carried out before implementation. The processing was therefore found to breach Article 4(1) Workers’ Statute.
- Retention of personal data in a legacy helpdesk system: The DPA found that helpdesk data continued to be stored in a system which, at the time of the events in question, was already undergoing decommissioning and was not covered by the new provider’s contract. This resulted in a violation of Article 28 GDPR, which requires a valid processor agreement to govern such processing.
Conclusions
This decision confirms the DPA’s approach to monitoring and metadata retention in the workplace, even where processing is carried out for technical or security purposes. It also reinforces that the derogation under Article 4(2) Workers’ Statute must be interpreted narrowly, and that it is the employer’s responsibility – not the unions’ – to initiate negotiations when remote monitoring is envisaged.
In light of the evolving regulatory landscape, including the 2024 guidelines and this recent decision, Italian employers should promptly review their email and IT monitoring practices. Proactive compliance can reduce legal risks and help ensure alignment with both data protection and labour law requirements.