Guidance document on metadata of employees’ emails: final version of the Italian DPA

The February 22, 2024 bulletin had reviewed the Italian Data Protection Authority’s guidance document disclosed in the February 6, 2024 newsletter regarding the collection and storage of metadata of e-mail services of business personnel. 

 Subsequently, the Authority, retracing its steps, had submitted the document for public consultation and, subsequently, then issued the final provision of June 6, 2024 (web doc. 10026277), which contains important additions and corrections to the previous version.  Consequently, we deemed it appropriate to intervene with this new bulletin by amending and updating the previous installment, according to the changes made in the meantime. 

Guidance document and its nature

The referenced provision is a guidance document of the authority called “Computer programs and services for managing electronic mail in the work environment and processing metadata” attached to the June 6, 2024, provision (web doc. no. 10026277).

The GDPR recognizes the power of member states to provide by law the attribution of powers to their national supervisory authority, in addition to those already indicated by the Regulation, provided that they are compatible with them (Art. 58(6) GDPR). 

As part of this flexibility, the Italian legislature included in the Privacy Code the new Article 154-bis, which gives the Guarantor the power to “adopt guidelines regarding organizational and technical measures for implementing the principles of the Regulation, also for individual sectors and in application of the principles set out in Article 25 of the Regulation” (Art. 154-bis, para. 1(a), Privacy Code). 

The guidance document is of a guiding nature and “no new obligations or responsibilities flow from it.” Thus, its content serves to properly guide the behavior of data controllers with respect to data protection requirements and related regulations of the Workers’ Statute.


Post Recenti

Telemarketing in the energy industry -1


Deadlines for retention, erasure and anonymisation