The Italian Data Protection Authority has issued an updated version of its guidelines on email retention, originally released in December 2023. This document, titled “Computer programs and services for email management in the workplace and metadata processing,” provides employers with clear instructions on how to handle employee email accounts, while clarifying that no new obligations or responsibilities are introduced.
The guideline introduces a clearer definition of email metadata, which includes sender and recipient addresses, server IPs, message times, and sizes, among other details. It distinguishes metadata from the content of the email body and technical headers, which remain accessible to users in their mailboxes. The focus of the measure is solely on metadata and email logs.
A key change in the updated guidelines is the extension of the retention period for metadata and logs. Employers may retain this data for up to 21 days, compared to the previous limit of seven days. This retention is necessary to ensure proper email account functioning.
If employers need to retain metadata beyond 21 days, special conditions must be met, and the data controller must prove the necessity under GDPR rules. Any extended retention must follow procedures from the Workers’ Statute, requiring union agreement or approval from the Labour Inspectorate.
Reference: