Italy: Adopted DPA guidelines on e-mail management and metadata processing including worker monitoring regulation

On 6 June 2024, the Italian Data Protection Authority (DPA) adopted the guideline on IT programs and services for managing electronic mail in the work context and processing of metadata. The guideline was developed following investigations that determined that some e-mail management software and services, including those provided in the cloud, are configured to collect and store metadata related to the use of employees' e-mail accounts. The document provides guidance for employers to consider whether the e-mail management software and services they use allow them to change the default settings to prevent the collection of metadata or to limit the retention period. In particular, the sector regulations on remote controls stipulate that tools for monitoring employee activities may only be used for specific purposes such as organisation, production, occupational safety, and protection of company assets, with the necessary procedural guarantees. An exception is made for access and attendance recording tools and work performance tools, which are not subject to strict restrictions. The collection and storage of metadata on e-mail usage is closely regulated, with clear restrictions on storage duration to avoid indirect, remote monitoring.