With order no. 364 of 6 June 2024 called “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the IDPA has returned to the topic of company e-mail metadata retention.
“Metadata” does not mean information contained in the “body” of the email but rather the information relating to the sending, receiving and sorting the messages. This may include the email addresses of the sender and of the recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the email management system used, may also include the subject of the message sent or received.
With respect to the IDPA’s guidelines before the public consultation, the guidelines of 6 June 2019 extended the retention period to 21 days.
This retention period is merely “indicative”.
Retention for longer is only permitted if specific conditions that make the extension necessary are satisfied and are adequately proven.
Applying the principle of accountability, it is therefore up to each employer to adopt all technical and organisational measures to ensure compliance with the principle of purpose limitation, selective accessibility by only authorised and adequately trained individuals and the tracking of access carried out.
These requirements must be met while keeping in mind that generalised metadata collection and retention can lead to indirect remote control of workers’ activities and, in this case, the safeguards provided for by Article 4 of the Workers’ Charter apply i.e., it is necessary to enter into a union agreement or, failing that, obtain authorisation from the National or Local Labour Inspectorate.
Please contact our Privacy Focus Team for further information.