Clarifications on the Italian Privacy Guarantor’s provision: Email logs are to be retained for a maximum of 7 days.

Elena Moccia

With a newsletter dated February 6, 2024, the Italian Privacy Guarantor announced that it had prepared a measure with the aim of providing “useful guidance” to both public and private employers regarding the management of email used by their employees.

Today, rather than bringing clarity, this measure has caused a lot of confusion in the legal and IT offices of companies.

Qboxmail provides cloud-based email, calendar, and contacts management services to more than 30,000 companies in Italy and Europe.
For this reason, we want to clarify how we collect and retain email logs (metadata) and the duration for which we must keep this data.

What are metadata

Metadata is an information that describes the characteristics of another object. In the case of emails, metadata is the information that “tells the story” of the journey of an email message and is necessary for the functioning of the email service itself.
Email metadata never delve into the content of the message.

Generally, metadata is generated by the mail server software, so it can vary depending on the product, but typically includes:

Essentially, email metadata, in our case, represents the logs of email traffic (access to emails, sent and received emails).

Where metadata are stored

Metadata related to an email message are found in two places:

Choosing to delete specific metadata is challenging because the email message lives and functions together with its metadata.
Even if you delete it from your system, a trace may still remain on the server of the corresponding sender/recipient.

Players involved

Italian Privacy Guarantor who has the power to inspect and penalize companies handling data of Italian users.

Data Processor: usually, it is the Cloud or SaaS email service provider or an IT company maintaining a dedicated mail server for a business.
There should be an appointment letter, typically provided by service providers along with the service supply contract.

Subject: in this case, the employee of the company, the person whom the guarantor aims to protect.

The email service could also be managed directly by the company (with its own dedicated server), and the provision still applies.

It is important to emphasize that in this specific provision, the privacy guarantor encourages “data controllers” to check the service supply methods and adopt necessary measures.

How long should organizations retain email logs?

Currently, regulatory requirements mandate that all operators providing telecommunication or telematic services (with email falling under telematic services) retain traffic data for a period ranging from 6 to 72 months, depending on the purpose of the processing.

Various regulatory references come into play, making the data retention table quite complex. However, we can simplify it by stating that logs can be retained.

Authorize only specifically designated personnel to access this data. Naturally, exclude the content of communications from retention.
Excluding the content of communications from retention is a natural requirement.

What does the Italian Privacy Guarantor request?

The provision concerns the accesses to metadata performed by the employer/data controller, who cannot access this data if it is older than 7 days. It can be extended by 48 hours for proven needs, unless a specific collective agreement exists between the company and the workers. This is because it could imply an indirect remote monitoring of the worker’s activities.

The Italian guarantor likely aims to prevent using email logs for remote monitoring of workers.

What definitely cannot be done

Requesting the deletion of email logs from the service provider, acting as the data processor, is not possible due to legal requirements mandating the retention of these logs for more than 7 days. Considering the deletion of emails older than 7 days is impractical as they are essential for employees and the company’s operations.

The provision specifically focuses on metadata, usually stored separately.

In any case, even if we were to delete email logs and emails older than 7 days, a significant portion of metadata would still remain stored on our correspondent’s server, over which we have no control.

What should be done:

Checked with your service provider if these metadata are available to the employer (essentially the customer purchasing the service from the provider). If so, avoid processing them when older than 7 days and inquire if the provider plans to adjust their systems in light of this provision.

Review the privacy policies provided by the company, acting as the data controller, to its employees, and update them accordingly.

Contact your privacy consultant or internal legal experts within the company to formulate a compliance strategy with the provision.

If accessing this data for various reasons, regulate access through a specific company procedure that outlines:

Specify the data that authorized individuals can access or cannot access. Define the purposes for which authorized individuals can or cannot process this data. Establish a time frame beyond which authorized individuals cannot access the data for the defined purposes (even if potentially still stored and available for other purposes).

If accessing this data for various reasons, regulate access through a specific company procedure that outlines:

What Qboxmail offers to its customers

We use cookies to provide you a better browsing experience, by continuing you accept their use. For more information visit the Privacy policy page.