As part of its responsibilities for personal data protection, on June 6th, the Italian Information Commissioner issued a new provision regarding email management programs and services in the workplace. The document aims to draw employers’ attention to certain points of intersection between data protection regulations and the rules that establish conditions for the use of technological tools in the workplace. The goal is to help employers develop their own guidelines to ensure compliance with data protection and labor law regulations.
Main Risks
The provision highlights that email management programs and services can automatically collect metadata such as:
- sender and recipient email addresses;
- IP addresses of servers and clients;
- Times of sending, receiving, and forwarding messages;
- Message sizes and presence of attachments;
- Message subjects (depending on the email management system).
Such data can be stored for long periods, creating the risk of systematic monitoring of employee activity and violation of their privacy.
Data Protection Measures
The Information Commissioner recommends employers adopt the following principles to protect employees’ data:
- Storage Limitation: Metadata storage times must be proportionate to the purposes of the processing. In most cases, metadata should not be stored for more than 21 days (this is given as a purely indicative measure), except when particular conditions justify a longer period, related to the need to ensure IT system security or other legitimate purposes.
- Data Protection by Design and by Default Principles: Employers must implement data protection measures at all stages of processing, from design to data deletion. This includes choosing appropriate technical and organizational measures to minimize risk and ensure compliance with privacy regulations.
- Lawfulness of Data Processing: Employers must verify the existence of legal bases for processing employee’s data. This includes complying with the conditions set out in Articles 4 and 8 of the Italian Law of May 20, 1970, No. 300 (so called Workers’ Statute), which prohibit the collection and processing of information not relevant to the worker’s professional activity.
- Data Minimisation: Employers must limit the collection and retention of data only to the time necessary to achieve the legitimate purposes of the processing. This includes regularly reviewing and deleting data that is no longer needed.
- Transparency and Information: Employers must provide employees with complete information on the characteristics of their data processing, storage times, and protection measures. This would allow the creation of company policies in compliance with Articles 12, 13, and 14 of Regulation (EU) 2016/679.
- Limitation to Access and Control: Access to metadata must be limited to authorized persons only, and all data operations must be tracked and monitored to prevent unauthorized access and misuse of personal data.
- Data Anonymization: In cases where prolonged data retention is not necessary, it is recommended to use metadata anonymization to reduce the risk of data breaches and misuse of information.
Employer’s Responsibilities
Violating the requirements of Regulation (EU) 2016/679 can lead to administrative sanctions under Article 83, para. 5, point d) of said Regulation. Additionally, criminal liability may arise for violating national data protection laws, such as Article 171 of Legislative Decree 196/2003 (Italian Personal Data Protection Code). Employers are therefore highly advised to adopt appropriate technical and organizational measures (and, if already present, ensure they are adequately demonstrable, for example, by creating written policies) to ensure data security and conduct risk and impact assessments on data protection.
***
This document from the Information Commissioner allows to verify whether the corporate email account management system complies with privacy regulations. Additionally, it allows for the correction of existing internal policies or the adoption of new ones.
Our Firm is naturally available to assist you in managing internal compliance.