Employers, whether public or private, who use programs provided in cloud or as-a-service mode to manage corporate email must, as of 6 February, comply with the Privacy Guarantor's guideline in order to prevent data processing that conflicts with data protection regulations and with the rules protecting employees' freedom and dignity.
In fact, on Feb. 6, 2024, the Data Protection Authority issued a guideline document entitled "IT programs and services for managing email in the work environment and metadata processing".
The need for a new approach to the management of corporate email emerged from the Authority's own investigations.
As stated in the introduction of the guideline document, these investigations revealed the risk that cloud-provided services for managing corporate email may collect, by default, metadata related to the use of employees' email accounts (such as day, time, sender, recipient, subject and size of the email) and store it for an extended period of time. In addition, such programs often limit the customer's (i.e. the employer's) options to change the settings in order to disable the systematic collection of such data or to reduce the retention period.
The content of emails, as well as their external data and attached files, constitutes correspondence covered by constitutionally protected guarantees of privacy (Articles 2 and 15 of the Constitution), which safeguard the person's dignity and the development of his or her personality in social contexts. It follows that, even for messages sent in the work context, there is a legitimate expectation of privacy.
The Authority's guidelines require the employer to verify that the email management services allow the metadata retention period to be limited to a maximum of 7 days, extendable by an additional 48 hours where proven needs justify the extension. This time frame, according to the Authority, is sufficient to ensure the proper functioning of the email used by employees.
Employers who need to keep the metadata for a longer period of time because of organizational and production needs will have to follow the procedure provided for in Article 4, paragraph 1, of Law 300/1970, and thus reach a union agreement.
Otherwise, the employer's conduct will be considered a violation of both data protection regulations and the regulations on remote monitoring of workers, resulting in administrative as well as criminal liability.