Legal news


Italian Data Protection Authority publishes the final guideline document on the processing and storage of e-mail metadata of public and private workers.

Following the public consultation launched by the Italian Data Protection Authority on the guideline document 'Computer programmes and services for the management of e-mail in the work context and the processing of metadata', on 6 June the same Authority issued the final document with the amended indications for public and private employers, recalling however that 'given the guideline document's indicative nature, no new obligations or responsibilities derive from it'.

The Italian Data Protection Authority further clarifies what is meant by 'metadata' for the purposes of the guideline document. Technically, the term corresponds to the information recorded in the logs generated by the server systems that manage and sort electronic mail (MTA = Mail Transport Agent) and by the workstations, in the interaction between the various servers and, where applicable, between these and the clients (the terminal workstations that send messages and allow incoming correspondence to be consulted by accessing the electronic mailboxes, defined in the technical standards as MUA - Mail User Agent). This information, which relates to the sending, receiving and sorting of messages, may include the e-mail addresses of the sender and the recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or receipt, the size of the message, the presence and size of any attachments and, in certain cases, depending on the management system of the e-mail service used, even the subject of the message sent or received. The metadata referred to in the document (both those of purely technical origin and those, such as the 'Subject' field, determined by users) are recorded automatically by the e-mail systems, regardless of the user's perception and will. Finally, the provision clarifies that metadata are not to be confused with the information contained in the body of the e-mail message, even when that information is technical information embedded in it or is the set of structured technical headers documenting the routing of the message, its origin and other technical parameters.
The information contained in the envelope, even if it corresponds to metadata automatically recorded in the logs of mail services, is inseparable from the message of which it is an integral part, which remains under the exclusive control of the user (whether the sender or the recipient of the messages).

Turning to the indications that help data controllers demonstrate accountability, the Italian Data Protection Authority clarifies that collecting and storing only the metadata/logs necessary to ensure the operation of the e-mail system infrastructure falls under Article 4(2) of the Workers' Statute (and thus does not require a trade union agreement or authorisation) if the storage period does not exceed 21 days. Retention for a longer period is permitted only where particular conditions make the extension necessary, and the controller must adequately demonstrate, in application of the accountability principle laid down in Article 5(2) of the GDPR, the specificities of its technical and organisational reality. By contrast, the generalised collection and storage of e-mail logs for a longer period of time, since it may entail indirect remote monitoring of workers' activities, requires the guarantees provided for in Article 4(1) of Law No. 300/1970 to be applied.