On December 21, 2023, the Italian Data Protection Authority issued a provision with significant implications for employers using email applications to manage internal communications. This provision focuses on the collection and retention of metadata relating to employees’ email accounts. In this article, we will examine the impact of this provision and the compliance requirements it imposes on employers.
Metadata are data that provide information about the characteristics of other information. In other words, they are descriptions or additional information that provide context or structure to the main data. Here are some examples of metadata in different contexts:
Metadata can be useful because it allows for the organization, search, retrieval, and better understanding of the main data. It can be used for various purposes such as digital content management, information retrieval, cybersecurity, regulatory compliance, and more. However, it is also important to consider privacy and security implications when managing metadata, as it can contain sensitive or confidential information.
The Authority’s provision highlighted the risk associated with the preventive and generalized collection of metadata from email applications used by employees. Such metadata includes information such as sender, recipient, subject, date, and email size. The primary concern is that some computer programs and services may collect this metadata by default, without the employer being able to disable this functionality or limit the retention period.
In response to this risk, the Data Protection Authority has required employers to adopt certain measures to ensure compliance with privacy regulations and the protection of employees’ personal data. The following are the main compliance requirements:
The Data Protection Authority’s provision represents a significant step forward in protecting employees’ privacy and regulating the use of metadata by employers. It is crucial for employers to take appropriate measures to comply with the established provisions while ensuring transparency and respecting employees’ rights.
Checking metadata collection, modifying email program settings, and adhering to labor safeguard procedures are essential steps to ensure compliance and mitigate risks associated with the management of employees’ personal data.