Description

Announced guideline on e-mail management and metadata processing including data protection regulation

On 21 December 2023, the Italian data protection authority (Garante) adopted a policy document entitled "Computer programs and services for e-mail management in the work context and metadata processing". The document was developed following investigations that determined that some e-mail management software and services, including those provided in the cloud, are configured to collect and store metadata related to the use of employees' e-mail accounts. The document provides guidance for employers to consider whether the e-mail management software and services they use allow them to change the default settings to prevent the collection of metadata or to limit the retention period. In particular, e-mail messages, as well as external communication data and attached files, are forms of correspondence covered by guarantees of secrecy, which are also protected by the Constitution (Articles 2 and 15). In addition, using e-mail management programs and services without implementing the safeguards prescribed for the systematic collection and long-term storage of metadata violates data protection laws. This includes the unlawful collection of information that is not directly relevant to the assessment of job suitability and could provide unauthorised insight into the personal aspects of employees.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-12-21
under deliberation

On 21 December 2023, the Italian data protection authority (Garante) adopted a policy document enti…

2024-06-06
adopted

On 6 June 2024, the Italian Data Protection Authority (DPA) adopted the guideline on IT programs an…