With Order No. 364 of 6 June 2024, the Garante per la protezione dei dati personali adopted the new policy document on 'Computer programmes and services for e-mail management in the work environment and metadata processing'.which amends and replaces the previous Provision No. 642 of 21 December 2023, which prescribed the deletion of the so-called 'metadata' of workers' e-mail service accounts after a retention period of no more than 7/9 days (unless the procedures provided for in Article 4(1) of the Workers' Statute are activated).

In the new provision, adopted following a public consultation, in which Confindustria participated together with the other main employers' associations (ABI, ANIA and Confcommercio), the Garante has revised metadata storage guidelinesclarifying its scope, nature and rationale. In particular, the Authority:

• provided a definition of metadataIt specifies that the indications contained in the Order do not concern the management of e-mails given to workers, but rather the management of the so-called 'transport logs', i.e. those pieces of information automatically collected by e-mail systems and used to guarantee the sending and delivery of e-mails;
• specified the address nature of the Measureemphasising that this does not imply any prescriptions, new obligations or responsibilities for the employer and conforming the management of metadata with a view to accountability, indicating, in this regard, an indicative retention period - of 21 days - which can be exceeded, without activating the guarantees under Article 4(1) of the Workers' Statute, in the presence of proven technical and organisational needs;
• pointed out that the aim of the Measure is to raising awareness and 'empowering' employers on the processing of metadata and, in particular, on the related retention times by providers.

Furthermore, in recalling that the 'general responsibility' for the processing of metadata lies with employers, as data controllersthe Garante called on e-mail service providers to take the right to data protection into account in accordance with the state of the art and to help ensure that employers can fulfil their data protection obligations.

In order to support companies in the management of metadata in a way that complies with the Garante's guidelines, in the attached document, Confindustria illustrates the indications provided by the Authority and provides some operational guidelines and indications.

In particular, attention is drawn to the need to verify the metadata retention times practised by providers, the functional/technical reasons provided by them to justify retention for a certain period, as well as the possibility of independently establishing different retention times and deactivating functions that are incompatible with their own processing purposes.

In addition, it is suggested that:

1. provide workers with clear information on the processing of personal data relating to electronic communications concerning them;
2. carrying out or, if necessary, updating the personal data protection impact assessment, the so-called DPIA. DPIA, also documenting the technical and organisational requirements that justify the identification of a retention period for metadata longer than 21 days, and updating the register of processing activities;
3. take all technical and organisational measures to ensure compliance with data protection and industry regulations.