
Corporate email account and processing of metadata. The retention period stated by the Italian Data Protection Authority

By issuing the guidelines “Software and services for e-mail management in the employment context and the handling of metadata” (the “Guidelines”), the Italian Data Protection Authority (the “Italian DPA”) has returned to the topic of the handling of employees' data, this time focusing on the storage of metadata relating to the use of e-mail accounts by employees.

 

1. Guarantees to protect employees’ correspondence

 

As clarified by the Italian DPA, the content of e-mail messages, their metadata and attached files are forms of correspondence protected by the Italian Constitution, specifically Articles 2 and 15. This implies that, even in the employment context, there is a legitimate expectation of confidentiality about the correspondence of employees.

 

The automatic collection and storage of employees' e-mails is subject, in principle, to the provisions on the remote control of employees’ activities by the employer set out in Article 4 of the Workers' Statute, which states that audiovisual equipment and other tools of remote control can be used exclusively for:

 

· organizational and production needs,

· work safety, and

· protection of the company’s assets.

 

To this end, the company shall (i) sign a collective agreement with the internal Trade Union Representatives, or, failing agreement, (ii) request the authorisation of the territorial headquarters of the Labour Inspectors’ Office.

 

The above general rule does not apply to the tools used by the workers for performing their duties; in this case, there is no need to obtain a prior authorization to use the information and data collected for all purposes related to the employment relationship, provided that the worker is given adequate information on the instruments used.

 

2. Storage of metadata

 

Based on the assumption that the e-mail management tools used by employees may collect by default, in an automatic and generalised manner, metadata relating to the use of e-mail accounts in use by employees (e.g., day, time, sender, recipient, subject and size of the e-mail), the question arises as to whether such processing activity falls within the above-mentioned exceptions to the authorisation procedure.

 

According to the Guidelines, it depends on the retention period of such information. The exception applies if the employer stores the metadata for no longer than 7 days, extendable, in the presence of proven and documented needs justifying such extension, for an additional 48 hours. If this is not possible and the employer needs to store the data for a longer period, the authorisation procedures provided for in the first paragraph of Article 4 of the Workers' Statute are mandatory.

 

3. Consequences for the employer

 

The employer has two alternatives:

 

(i) storing the metadata for an extended period not exceeding a total of nine days, for which the authorization procedure would not apply;

(ii) seeking a trade union agreement or authorization from the labour inspectorate if it's necessary for the company to store the metadata for a longer period. 

 

Beyond these limits, the employer would expose the company to the risk of unlawful processing of personal data.

 

Such conduct might also be considered a violation of (i) the principle of retention limitation, as the retention might not be proportionate to the purposes pursued, (ii) the principle of privacy by design and by default, as well as (iii) the principle of accountability.

 

4. The recommendations proposed by the Italian DPA

 

The Italian DPA requires that the data controller, even if it uses third party products or services, must provide the necessary instructions to the service provider to ensure compliance with the principles applicable to data processing. With this in mind, the Italian DPA recommends that employers verify that the e-mail management software made available to employees allows them to change the settings, either by preventing the collection of metadata or by limiting the retention period to a maximum of nine days. 

Authors

Italo de Feo
Partner
Rome
Matia Campo
Partner
Rome
Mariangela Selvaggiuolo
Counsel
Rome
Pasquale Distefano
Senior Associate
Milan