Andrea Antognini - Of Counsel
Introduction
On June 6, 2024, the Garante per la Protezione dei Dati Personali (Garante for the Protection of Personal Data) issued an important measure regarding the use of computer programs and services to manage employee email and the processing of related metadata. This policy document aims to provide guidelines for Italian and foreign companies to ensure compliance with personal data protection regulations.
At first glance, then, the Garante's document would seem non-binding, but that is not entirely the case, as discussed below.
Regulatory Context
The measure is based on a number of key normative references, including:
Regulation (EU) 2016/679 (GDPR)
Legislative Decree 196/2003 (Privacy Code)
Law No. 300 of May 20, 1970 (Workers' Statute)
In particular, the GDPR and the Privacy Code establish the conditions for the lawful processing of personal data, while the Workers' Statute regulates the use of remote control tools in the work context.
Objectives of the Measure
The policy document aims to:
Draw attention to the risks associated with the prior and widespread collection of e-mail metadata by computer programs.
Provide guidance to employers on the management of metadata to ensure proper operation of the e-mail system and computer security, without violating workers' rights.
Promote awareness of employers' technical and organizational choices in accordance with data protection regulations.
Risks and Critical Issues
The Garante found that many e-mail programs and services, especially those offered as cloud services, collect metadata by default and store it for extended periods of time. Such metadata may include e-mail addresses, IP addresses, sending and receiving times, message size and, in some cases, even the subject line of messages. This preemptive and blanket processing of metadata poses significant privacy risks to employees, since it can amount to indirect monitoring of their activity.
Guidance for Employers
The Garante has provided specific recommendations for employers, including:
Limit the collection and retention of metadata to only the data necessary for the proper operation and security of the e-mail system.
Adopt short retention periods, preferably not exceeding 21 days, except in exceptional cases that are adequately justified.
Clearly inform workers about the manner and purpose of processing their personal data.
Ensure that e-mail service providers adopt data protection measures by design and by default.
Profiles of Interest for Foreign and Multinational Enterprises
For foreign companies and multinational groups that operate in Italy or process the data of Italian citizens, this measure is particularly relevant. Such companies, whether established in Italy or merely targeting Italian citizens, must ensure that their data management practices comply not only with the GDPR but also with Italian regulations and practice.
Supplier Management
Another crucial aspect concerns the management of cloud and software service providers. Enterprises must verify that their suppliers comply with Italian and European data protection regulations. This includes the need to select suppliers that implement adequate security measures and are willing to comply with the specific data retention requirements of the Garante's order.
Impact on Employment Contracts
Companies may need to review their privacy notices and related company policies to ensure that employees are adequately informed about the processing of their personal data and that such data are processed lawfully. This is essential not only for regulatory compliance but also to maintain a climate of trust and transparency within the company.
Conclusions
The Garante's measure is a significant step toward greater protection of workers' privacy in the digital environment. Companies, both Italian and multinational, must comply with the new guidance to avoid penalties and ensure that employee rights are respected. Proper management of metadata not only protects privacy but also helps create a more transparent and secure work environment.
Although the Garante's document is non-binding, departing from the guidance it contains without a coherent rationale could be interpreted by the Garante itself (for example, during an audit) as a lack of accountability on the part of companies and public administrations.
For further details, please consult the full document available on the official website of the Data Protection Authority.