The Italian Data Protection Authority (‘IDPA’) recently returned to the issue of corporate email metadata retention by the employer. The order of 6 June 2024, entitled “Computer programs and services for the management of e-mail in the workplace and processing of metadata”, extends the retention period for metadata from 7 to 21 days. This new decision, no. 364 of 6 June 2024, arrives several weeks after the publication of a first version of the guidance document on metadata retention, which had given rise to confusion and discussions among professionals to the point of leading the IDPA to start a public consultation.
First of all, however, it is necessary to clarify the definition of “metadata”. This term does not mean information contained in the “body” of the email but rather the information relating to the sending, receiving and sorting the messages. This may include the email addresses of the sender and of the recipient, the IP addresses of the servers or clients involved in the routing of the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, depending on the email management system used, may also include the subject of the message sent or received.
As mentioned above, the IDPA’s guidelines have extended the retention period to 21 days, a time period which is, in any event, to be considered indicative.
Metadata retention beyond this time frame is only permitted if particular conditions making the extension necessary are satisfied and adequately proven.
Continue reading the full version at Economy Magazine.