With Measure no. 642 of 21 December 2023 (Guideline document “IT programs and services for email management in the work context and processing of metadata“), published on 6 February 2024, the Italian Data Protection Authority expressed its opinion on the use of IT programs and services in the company for the management of email in cloud mode, causing to companies and organizations significant problems of management and organization of work.
In short, in the opinion of the Authority, company email systems (with the metadata they contain), with the related possibility of indirect control of workers’ activities, would not be considered as work tools “” for which (pursuant to article 4, second paragraph, of the Workers’ Statute) the union agreement or administrative authorization procedure is not required; or, more precisely, the aforementioned procedure would not be necessary only up to a maximum period of 7 days of retention of emails (extendable by 48 hours only in the presence of proven and documented needs that justify it).
This guideline – which offers a totally innovative interpretation compared to the reading of the legislation so far unanimously accepted by operators – would be determined by the fact that IT programs and services for e-mail management, marketed in cloud mode, can collect by default (in preventive and generalized way) and preserve for a long period of time, the metadata of the email accounts (date, time, sender, recipient, subject and size) used by the workers.
In truth, with the reform of article 4 introduced by Legislative Decree 151/2015, the category of “work tools” was introduced precisely to exempt them from the procedure envisaged for instruments of possible legitimate remote control (e.g. cameras).
It is superfluous to consider what significant impact a provision of this type has for companies, taking into account that it is, to say the least, unthinkable to cancel company correspondence after 7 days and this for multiple essential needs, ranging from the organization and management of the company activity itself, the need to document contracts and agreements, declarations, to provide proof of facts, etc. and which affect rights, including the organization of business and work, the right of defense, etc.
All employers – based on this guideline – should therefore check the methods for storing e-mail in any external cloud services they use and, if the cases considered by the Authority apply, adopt the measures necessary to comply with data protection regulations through the following initiatives:
(i) the preventive blocking of metadata collection or the provision of limits to conservation within 7 days, in the basic settings of the programs (theoretical or “school” initiative, as this is a solution that is substantially impracticable in the ordinary management of the company)
or alternatively
(ii) the union agreement or, failing that, the authorization of the Labor Inspectorate (this would be, according to the recent Guidelines of the Guarantor, a substantially obligatory step for any company).
All of this, however (a) with adequate information to workers and (b) considering the collection and storage of metadata, the “vulnerability” of the interested parties in the work context and the risk of “systematic monitoring”, with a preventive assessment of data protection impact (DPIA).
For employers, therefore, there is a need to carry out internal checks on the characteristics of their company’s email management systems and to evaluate the initiatives to be taken – also having to reconsider the choices already made in the context preceding this innovative measure – to purposes of labor law compliance and regarding the processing of personal data.
