THE ITALIAN DATA PROTECTION AUTHORITY HAS ISSUED A SANCTIONING DECISION REGARDING THE PROCESSING OF EMPLOYEES’ METADATA

Authors: Adriano Garofalo, Gaspare Roma, Jacopo Piemonte, Marco Stillo (team valletta). Practice areas: Data Protection and Cybersecurity, Employment and Pensions, EU and Competition, Litigation, Publications.

In a precedent-setting decision, on 29 April 2025 the Italian Data Protection Authority (“Garante della privacy”) issued its first sanction under the General Data Protection Regulation (GDPR) for the unlawful storage of so-called “metadata” of employees’ e-mails and web surfing activities, applying for the first time the Guidelines published in June 2024.

As part of the inspections carried out to assess whether the processing operations performed at work by the Regione Lombardia (the regional government of Lombardy) complied with the rules on the protection of personal data, the Garante found that the Regione had kept e-mail metadata and navigation logs for 90 and 365 days respectively, far longer than the period provided for by the Guidelines. Moreover, the Regione Lombardia had kept non-anonymous logs of each employee’s attempts to access websites listed on a blacklist. As a result, the Garante started proceedings against the Regione Lombardia on the grounds that the processing of the data concerned was contrary to: i) the sector regulations on remote control, with regard to the storage of metadata generated by employees’ use of both the e-mail service and internet browsing; ii) the conditions laid down by the sector regulations for the use of the collected metadata for other purposes connected with the management of the employment relationship; and iii) the storage periods of the logs relating to internet browsing and of the data relating to requests for technical assistance.

The Garante first recalled that e-mail metadata are covered by confidentiality guarantees, which are also constitutionally protected and are intended to safeguard the essential core of a person’s dignity and the full development of his/her personality in social settings. Even at work, therefore, there is a legitimate expectation of confidentiality with regard to correspondence and, likewise, to the elements that can be inferred from its external data, which define its temporal profile as well as its qualitative and quantitative aspects, including the addressees and the frequency of contact (all of which are susceptible to aggregation, processing and control). The Workers’ Statute, moreover, strictly identifies the purposes for which instruments may be used at work and establishes precise procedural guarantees.

Although the Regione Lombardia claimed that e-mail is a tool used by employees to perform their work, that notion within the meaning of the Workers’ Statute can only include services, software or applications that are strictly functional to the work itself. This is not the case where e-mail metadata are collected and stored, in a preventive and generalised manner and over an extended period, by the programmes and services used to manage e-mail. Such processing operations are in fact carried out for the employer’s own needs, automatically and independently of the employee’s perception and will. The metadata concerned, moreover, remain at the exclusive disposal of the employer and, on his/her behalf, of the service provider, and document the traffic even after the worker has deleted the message; the worker, by contrast, retains control only of the messages that, as sender or recipient, he/she exchanges within the mailbox assigned by the employer. The resulting risk is an indirect remote control of the workers’ activity.

In such a context, for Article 4(2) of the Workers’ Statute to apply, the employer may collect and store only those metadata necessary to ensure the operation of the e-mail infrastructure and to meet the most essential computer security guarantees, on the basis of technical assessments and in compliance with the principle of accountability, and only for a period limited to a few days, in any case not exceeding 21, unless the data controller adequately shows that particular conditions specific to its technical and organisational reality actually make a longer period necessary. Conversely, the generalised collection and storage of e-mail metadata for a longer period, even where justified by requirements attributable to the security and protection of the employer’s assets, requires the guarantees provided for by Article 4(1) of the Statute, since it may entail an indirect remote control of the workers’ activities.

The systematic collection and storage of all log files generated by employees’ use of the Internet in the context of the employment relationship gives rise to a generalized processing of data. This includes data on unsuccessful attempts to access websites already listed on a blacklist, which are in any case blocked by the system.

Since employees remain identifiable, and there is a clear link between the activity, the employee, and their specific workstation, such processing makes it possible to reconstruct their actions through technological systems.

In these cases, the employer must comply with the procedural safeguards set out in Article 4(1) of the Workers’ Statute. These safeguards are a legal requirement for the lawful processing of the data in question.

Given that the Regione Lombardia had collected and processed all of its employees’ internet browsing logs without first concluding a collective agreement with the competent trade unions, the processing at stake therefore took place, for the period concerned, in breach of the GDPR.

All of that considered, the Garante decided, on the one hand, to fine the Regione Lombardia EUR 50,000 and, on the other hand, to order it, among other things, to limit the storage of navigation logs to 90 days and then anonymise them, to minimise and encrypt e-mail metadata, to restrict access to metadata to authorised personnel only, and to update its internal policies and privacy documentation.

In light of the Garante’s findings, companies are called upon to review their metadata and network log management practices very carefully. Even before the decision, a high level of caution was needed in the handling of e-mail, requiring, for example, transparency about the checks carried out and the timely deletion of the mailboxes of terminated employees. The recent sanction introduces a further level of caution, extending the compliance obligation to so-called “external” data, such as metadata and log files, which can lead to indirect monitoring of work activity. In this regard, e-mail metadata should normally be retained for no longer than 21 days, while browsing logs should be limited to 90 days, followed by anonymisation. It is also crucial to update privacy notices, limit data access, encrypt data and adopt consistent internal policies. Only a structured and compliant approach can guarantee the protection of workers’ rights and corporate compliance and avoid significant consequences for the organisation, including sanctions by the competent authorities, as this case demonstrates.
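The retention limits above (21 days for e-mail metadata, 90 days for browsing logs followed by anonymisation) are easy to state and easy to let slip in practice, because mail and proxy systems keep such records indefinitely by default. The following is an added example, not code from the article, the Garante or the Regione Lombardia, of a retention job a data protection or security team could run over its own stores: it audits how many records already exceed the limits, deletes expired mail metadata, and anonymises expired browsing logs by stripping the user and workstation identifiers and reducing the URL to its host. The record layouts, the sample records and the reference date are constructed for the example; the day counts come from the article.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Retention limits as summarised in the article (days).
MAIL_METADATA_MAX_DAYS = 21
BROWSING_LOG_MAX_DAYS = 90


@dataclass(frozen=True)
class MailMetadata:
    """External data of one message: who, when, how big. Layout is assumed."""
    ts: datetime
    user: str          # employee mailbox
    peer: str          # correspondent address
    size_bytes: int


@dataclass(frozen=True)
class BrowsingLog:
    """One proxy log line. Layout is assumed."""
    ts: datetime
    user: Optional[str]         # employee account; None once anonymised
    workstation: Optional[str]  # desk/host name; None once anonymised
    url: str
    blocked: bool               # request matched the blacklist and was denied


def is_identifiable(rec: BrowsingLog) -> bool:
    return rec.user is not None or rec.workstation is not None


def anonymise_browsing(rec: BrowsingLog) -> BrowsingLog:
    """Remove every field that links the request to a person or a desk.
    Only the destination host and the blocked flag survive, so the record can
    no longer be traced back to an employee."""
    host = urlsplit(rec.url).hostname or ""
    return replace(rec, user=None, workstation=None, url=host)


def audit(mail, browsing, now: datetime) -> dict:
    """Count records that are outside the limits and still need action."""
    mail_cutoff = now - timedelta(days=MAIL_METADATA_MAX_DAYS)
    browse_cutoff = now - timedelta(days=BROWSING_LOG_MAX_DAYS)
    return {
        "mail_over_limit": sum(1 for m in mail if m.ts < mail_cutoff),
        "browsing_identifiable_over_limit": sum(
            1 for b in browsing if b.ts < browse_cutoff and is_identifiable(b)),
    }


def enforce(mail, browsing, now: datetime):
    """Delete expired mail metadata; anonymise expired, still identifiable
    browsing logs. Idempotent: already anonymised records are left alone."""
    mail_cutoff = now - timedelta(days=MAIL_METADATA_MAX_DAYS)
    browse_cutoff = now - timedelta(days=BROWSING_LOG_MAX_DAYS)
    kept_mail = [m for m in mail if m.ts >= mail_cutoff]
    processed = [
        anonymise_browsing(b) if b.ts < browse_cutoff and is_identifiable(b) else b
        for b in browsing
    ]
    return kept_mail, processed


# Constructed sample data for a stand-alone run.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_MAIL = [
    MailMetadata(SAMPLE_NOW - timedelta(days=5), "user1", "partner@example.org", 1200),
    MailMetadata(SAMPLE_NOW - timedelta(days=30), "user2", "vendor@example.net", 8400),
]
SAMPLE_BROWSING = [
    BrowsingLog(SAMPLE_NOW - timedelta(days=10), "user1", "ws-01",
                "https://intranet.example.org/home", False),
    BrowsingLog(SAMPLE_NOW - timedelta(days=100), "user2", "ws-02",
                "https://news.example.net/a?b=c", False),
    # a blocked blacklist attempt kept with identifiers for a year: the very
    # kind of record the decision objected to
    BrowsingLog(SAMPLE_NOW - timedelta(days=365), "user3", "ws-03",
                "https://blocked.example.com/x", True),
]


def run_sample():
    before = audit(SAMPLE_MAIL, SAMPLE_BROWSING, SAMPLE_NOW)
    mail, browsing = enforce(SAMPLE_MAIL, SAMPLE_BROWSING, SAMPLE_NOW)
    after = audit(mail, browsing, SAMPLE_NOW)
    return before, after, mail, browsing


if __name__ == "__main__":
    before, after, mail, browsing = run_sample()
    print("before:", before)
    print("after:", after)
    for b in browsing:
        print(b)
```

Running the sample shows two identifiable browsing records and one mail record over the limit before enforcement and none afterwards; the 365-day-old blocked attempt survives only as a host name with the blocked flag, which is enough for blacklist statistics without naming anyone. A real deployment would run this on a schedule against the mail server's and proxy's actual stores and keep the audit counts as evidence for the accountability principle the decision relies on.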
