Introduction

On December 21, 2023, the Italian Data Protection Authority issued a provision with significant implications for employers using email applications to manage internal communications. This provision focuses on the collection and retention of metadata relating to employees’ email accounts. In this article, we will examine the impact of this provision and the compliance requirements imposed on employers to adhere to said provisions.

What are metadata?

Metadata are data that provide information about the characteristics of other information. In other words, they are descriptions or additional information that provide context or structure to the main data. Here are some examples of metadata in different contexts:

• Email Metadata: In emails, metadata includes information such as the sender, recipient, subject, date and time sent, transmission path, and other technical information that helps manage and organize emails.
• Photo Metadata: For digital photos, metadata can include the date and time of capture, camera settings, GPS coordinates of where the photo was taken, and other information about the camera and shooting conditions.
• Document Metadata: In digital documents, metadata can include information such as the document author, creation date, last modification date, document title, and other formatting and structure-related information.
• Audio/Video File Metadata: In digital audio and video files, metadata can include information such as the song title, artist, album, year of release, duration, file format, and other recording-related information.

Metadata can be useful because it allows for the organization, search, retrieval, and better understanding of the main data. It can be used for various purposes such as digital content management, information retrieval, cybersecurity, regulatory compliance, and more. However, it is also important to consider privacy and security implications when managing metadata, as it can contain sensitive or confidential information.

Impact of the Authority’s guidance on metadata collection by employers

The Authority’s provision highlighted the risk associated with the preventive and generalized collection of metadata from email applications used by employees. Such metadata includes information such as sender, recipient, subject, date, and email size. The primary concern is that some computer programs and services may collect this metadata by default, without the employer’s ability to disable this functionality or limit the period of information retention.

Required Compliance

In response to this risk, the Data Protection Authority has mandated employers to adopt certain compliance measures to ensure compliance with privacy regulations and the protection of employees’ personal data. The following are the main compliance requirements:

• Verification of Metadata Collection: Employers must diligently verify whether the computer programs and services used for email management collect metadata from employees’ accounts. This verification must be thoroughly documented to demonstrate compliance with the provisions of the provision.
• Modification of Basic Settings: In case metadata collection is confirmed, employers must be able to modify the basic settings of computer programs and services to prevent the collection of metadata or limit the retention period to a maximum of 7 days, save the possibility of extending this period by an additional 48 hours in exceptional cases.
• Labor safegards: If limiting metadata is not possible due to proven organizational or productive needs, employers must follow some safeguard procedures provided by sector regulations. This may include entering into a labour agreement with unions or obtaining authorization from the labor inspectorate. The aim is to ensure that extending the metadata retention period does not result in remote monitoring of employees’ activities.
• Employee Information: It remains essential to provide employees with correct information regarding the processing of their personal data, including the collection and retention of metadata related to email.

Practical advice for metadata collection by employers

The Data Protection Authority’s provision represents a significant step forward in protecting employees’ privacy and regulating the use of metadata by employers. It is crucial for employers to take appropriate measures to comply with the established provisions while ensuring transparency and respecting employees’ rights.

Check of metadata collection, modification of email program settings, and adherence to labor safeguard procedures are essential steps to ensure compliance and mitigate risks associated with the management of employees’ personal data.

 

 

 

In the digital age we live in, cybersecurity management, GDPR compliance and web ethics are important elements for any website, but when it comes to offering products and services, they become milestones.

In our law firm we have been assisting companies and professionals who approach e-commerce for years, accompanying them on a virtuous path towards maximum data security, compliance with data protection legislation and the offer of an ethically correct user experience, avoiding the use of dark patterns.

Cybersecurity: The Priority

Cybersecurity is a key pillar to protect your website, personal data, and business reputation. The design of the website for the e-commerce business must necessarily deal with an armoring of the IT system underlying the platform, including the front-end, through some fundamental steps:

• Context study: examination of the sales project, study of the market and known relevant risks in the target market.
• Selection of assets and suppliers with proven reliability.
• Functional analysis of the supply cycle and vulnerabilities: In-depth assessment to identify possible security flaws and weaknesses in the site.
• Security planning: creating customized strategies to protect the site from online threats, human error, supply chain risk.
• Incident response: Prepare for and assist in the event of a data breach or cyberattack.
• Recovery: design of a system for the rapid and effective recovery of the site and its contents in the event of an incident.
• Staff training: Security education and culture to ensure that all team members are aware of cybersecurity best practices and remain sensitive to any signs of anomaly.

GDPR compliance: protecting data and complying with the regulation is a duty but it can be also a nice business card!

The GDPR is a legal obligation that affects any website that collects, processes or stores personal data of European citizens. Non-compliance, in addition to exposing you to heavy penalties by the supervisory authorities, denotes an attitude of neglect and lack of respect for users’ rights.

The right approach to compliance goes through:

• Specific risk analysis and possible impact assessment: whatever the method used, ISO standards, ENISA method or other, the risk associated with the processing carried out by the website is the basis for the adoption of appropriate technical and organizational measures.
• A compliance assessment: identification of areas where the site may not be in line with the provisions of the GDPR and planning of the activities to be carried out, also based on the evolutionary developments of the site.
• Legal documentation: drafting of privacy notices, privacy policies and agreements with data processors.
• The management of cookies: identification and categorization of cookies, drafting of the policy in compliance with the guidelines of the Supervisory Authority.
• Management of consents: correct collection of consents from data subjects for marketing and profiling activities and management of their valid archiving or revocation.
• Breach management: Inclusion of the site in the perimeter of the incident response report.

Web ethics: no Dark Patterns

The online sales activity, however, does not “only” require compliance with the law, it assumes that, in the opinion of our law firm, ethical design as an essential requirement to build a relationship of trust with users. Dark patterns, deceptive practices that negatively affect the user experience, damage the reputation of the site.

The support provided by our firm to operators promotes web ethics in an attempt to have a correct, transparent and respectful approach towards users who are the engine and the most valuable asset of online business.

We have already had the opportunity to deal with dark patterns previously, but it is worth remembering that the direction outlined by the European legislator with the REGULATION (EU) 2022/2065 is a clear fight to dark patterns and their use does not go unnoticed either by users, consumer associations or the various authorities of control, from the Data Protection Authority to the AGCM (Italian Competition Authority).

In conclusion, cybersecurity, GDPR compliance, and web ethics are critical pillars for the success of your website. Users’ trust is your most valuable asset online, and following best practices in security and ethics is the best way to build it.

Generally speaking, most foreign citizens are allowed to set up a business in Italy. We will limit this paper to the case of foreign companies willing to start operating in Italy.

Basically, there are three ways by which such aim can be reached: either (a) opening a branch office or (b) incorporating a subsidiary company or (c) purchasing an existing company.

(a)     Branch office

In order to start operating in Italy, a company based abroad could simply open a branch office. Once the premises have been found, the company is required to appear, through its legal representatives or an attorney, before a notary in Italy in order to sign a deed of incorporation of the branch.

Several pieces of information must be included in the deed: name of the company, registered office, name and address of the branch office, person in charge of the branch office, etc.

A copy of the company’s articles of association must be attached to the deed (the copy must be stamped with the apostille, translated in Italian and sworn in court). Satisfactory evidence of the powers of the representatives/attorneys must be provided to the notary.

Then the notary will file the deed to the relevant company register office (called in Italy “Registro delle Imprese”, a register held by the Camera di Commercio). Company register fees and taxes are to be paid.

(b)     Subsidiary company

The first step is defining the kind of company that suits most the needs of the parent: a public company or a limited company are the most commonly used kinds.

Then the articles of association must be drawn up in the form that, in accordance with the law, suits the needs of the business. Share capital amount, registered office, directors and, in some circumstances, auditors have to be defined at this stage.

Once again, in order to incorporate the company, a notary is needed: he or she will witness the memorandum of association that will be signed as a deed by the parent’s company representatives or by their attorneys. Satisfactory evidence of the powers of the representatives/attorneys must be provided to the notary. Then the notary will file the memorandum of association and the articles of association to the company register.

(c)      Purchasing a company

Finally, purchasing the share capital of an existing company can be an option. In this case, after a due diligence process, aimed at evaluating the target company as well as at highlighting any critical aspect/risk of the acquisition, lawyers draft a sale and purchase agreement that has to be negotiated by the purchaser and the seller and their lawyers. This step can take time, depending on the value of the transaction and its complexity.

After the contract has been negotiated in its final text, normally, the parties sign it before a notary as a deed. Once again, satisfactory evidence of the powers of the representatives/attorneys of the parties must be provided to the notary.

Is the independent bank guarantee issued under the URDG 758 valid in Italy?

Business clients dealing with international trade frequently asked us whether an independent bank guarantee issued under the URDG 758 (the ICC Uniform Rules for Demand Guarantees 2010) is valid, binding and enforceable under the Italian law or not and, if not, whether and how it can be amended in order to ensure it is valid, binding and enforceable as an independent bank guarantee under the Italian law.

Any major transaction nowadays does not take place without this kind of guaranty support. The principal feature of this kind of guarantee is its autonomy from the principal contract of the transaction.

The guarantee is a contract between a guarantor/bank and the beneficiary and underneath there is always a contractual relationship (the “principal” or “underlying” contract) between a creditor and a debtor which includes the obligation of providing a guarantee in favor of the creditor in case of debtor’s default in performing its obligations.

Its purpose is to indemnify the beneficiary from the possible default of the debtor in the underlying relationship: the beneficiary’s right to claim the payment is to be determined only with reference to the guarantee and the bank has to pay with no right to remedies arising out from the underlying contract.

First demand guarantee

The most used is the “first demand” guarantee which entitles the beneficiary to receive the payment from the bank when the conditions of the guarantee are met, without any proof of the debtor’s default.

Independent guarantee issued under the URDG 758

In general terms, according to the Italian statutory law and Italian Courts’ rulings, an independent guarantee issued under the URDG 758 will be considered a valid, binding and enforceable independent guarantee, provided that it includes a clause binding the guarantor to pay any amount demanded under the guaranty notwithstanding any contestation concerning the underlying contract and by which it waives the right to require exhaustion of remedies against the debtor, any right to withhold performance, any right of retention, any right of avoidance, any right to offset, and the right to assert any other claims which the debtor or any third party may have under the principal contract or in connection with it or on any other grounds (such clause being known as “senza eccezioni”).

Anyway, a deep analysis of the text guarantee is always recommended.

 

DISCLAIMER: This summary is intended for general information purposes only. It is not to be considered accurate, updates, complete or a legal opinion. It is neither an offer nor a binding lawyer / client contract or relationship.

Legal On Demand: the best flexibility in legal advice services

In the business world, legal advice is often a material issue in ensuring success and compliance with laws. However, hiring in-house counsels can be costly and difficult, especially for small and medium-sized businesses.

The solution is “Legal On Demand”, the innovative service by Princivalle Apruzzi Danielli that offers specialized legal advice only when the customer needs it, ensuring maximum flexibility and control on the budget of costs. Legal On Demand is the new formula to grant the best expertise with the maximum flexibility

What is Legal On Demand?

Legal On Demand is a service offered by Princivalle Apruzzi Danielli Law Firm that revolutionizes the way companies access legal advice. With Legal On Demand, you can tap into the vast experience and expertise of our legal professionals only when you need to, so you don’t need to maintain an expensive internal legal team.

Legal On Demand ensures the best expertise with the maximum flexibility

One of the distinctive features of Legal On Demand is its flexibility. With this service, customers can suspend and reactivate legal advice whenever they want. This means that they only pays for what they need, without long-term contractual constraints.

When you encounter situations like regulatory reforms, complex business operations, or worries in your internal structure, you can rely on the legal advice whenever you need it. Legal On Demand ensures the best expertise with the maximum flexibility

Best expertise

The Law Firm Princivalle Apruzzi Danielli is known for its expertise and specialization in a range of legal areas all focused on supporting the client enterprise. With this service, the customer has the full availability of a team of highly qualified and specialized professionals who can address any legal issue by acting as an internal consultant to the company.

Costs’ control

Basically, with Legal On Demand, the customer has complete control over legal costs. You don’t have to worry about salaries, benefits or ancillary expenses associated with an internal legal team; you only pay for the hours you actually use and the legal benefits you receive.

Therefore, this allows you to allocate your budget more efficiently and focus on business development, knowing that you have high-quality legal advice available when you need it.

The new era of the legal advice

Customers show us that the Legal On Demand  represents the new era of legal advice. Its flexibility, expertise and cost control make it an ideal option for businesses of all sizes, from start-ups to large businesses, Legal On Demand can adapt to specific needs.

Legal On Demand can improve the legal strategy of your enterprise.

Cosa sono gli istituti di pagamento?

Gli istituti di pagamento costituiscono una categoria di soggetti vigilati dalla Banca d’Italia talvolta poco conosciuta ai più. Si tratta di entità autorizzate alla prestazione di uno o più servizi di pagamento, i quali, semplificando un po’, si può dire abbiano ricevuto la loro prima organica regolamentazione nella direttiva PSD1, poi sostituita dalla direttiva PSD2.

 

La regolamentazione

La regolamentazione degli istituti di pagamento in Italia è ora principalmente recepita nel Testo Unico Bancario (TUB), cui si affiancano un certo numero di regolamenti attuativi e le Istruzioni di vigilanza e altri provvedimenti emanati dalla Banca d’Italia.

Sebbene i testi sopra citati costituiscano un’ottima base per comprendere le norme alla base di queste entità, siamo di fronte senza dubbio a un complesso normativo molto corposo e suddivisa in tanti provvedimenti che può spesso apparire difficile da padroneggiare.

 

Il processo autorizzativo

Il processo autorizzativo di un istituto di pagamento, in sé lineare, è reso complesso dalla necessità di fornire alla Vigilanza informazioni dettagliate e accurate da raccogliersi in un articolato programma di attività.
Requisiti specifici sono richiesti in capo ai soci dell’istituto e in capo a coloro che svolgono funzioni di amministrazione, direzione e controllo.
Qualche semplificazione organizzativa e autorizzativa è prevista solo per gli istituti che intendano prestare i servizi di disposizione di ordini di pagamento (PIS, payment initiation services) o di informazione sui conti (AIS, account information services).