Monitoring the metadata of company e-mail accounts assigned to employees is unlawful when the monitoring does not guarantee adequate protection of confidentiality and is carried out in breach of the rules limiting remote monitoring of workers. This was established by the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – the Italian ‘DPA’), which, in an Injunction Order of 1 December 2022, imposed a fine of EUR 100,000 on the Lazio Region.
The preliminary investigation
The case arose from a report submitted to the Italian DPA by an independent trade union organisation that complained about the monitoring by the administration, which was the controller, of the e-mails of staff working in the offices of the regional lawyer’s office.
The monitoring, initiated as part of an internal investigation aimed at verifying a suspected disclosure of information protected by official secrecy, turned out to include information on the times, recipients, subject matter of communications and size of attachments (the so-called ‘metadata’) of some employees who had been sending messages to a specific trade union. According to the investigation’s findings, it had been possible to monitor this information because, ‘as a matter of practice’, e-mail traffic data were retained ‘for generic IT security purposes for 180 days’ before being permanently deleted.
The Italian DPA’s Order
On the basis of the investigation’s findings, the Italian DPA clarified, among other things, that:
On the basis of all of the above, the Italian DPA, in addition to ordering payment of the aforementioned administrative fine, prohibited the employer, as controller, from any further processing of the (meta)data relating to the use of employees’ e-mails retained for a period exceeding seven days from the date of their collection, ordered the deletion of the data already collected and retained beyond that period, and also ordered the publication of the order on its institutional website.