Privacy

Security

Clarifications on the Italian Privacy Guarantor’s provision: Email logs are to be retained for a maximum of 7 days.

Elena Moccia

19/02/2024

With a newsletter dated February 6, 2024, the Italian Privacy Guarantor announced that it had prepared a measure with the aim of providing “useful guidance” to both public and private employers regarding the management of email used by their employees.

Today, rather than bringing clarity, this measure has caused a lot of confusion in the legal and IT offices of companies.

Qboxmail provides cloud-based email, calendar, and contacts management services to more than 30,000 companies in Italy and Europe.
For this reason, we want to clarify how we collect and retain email logs (metadata) and the duration for which we must keep this data.

What are metadata

Metadata is an information that describes the characteristics of another object. In the case of emails, metadata is the information that “tells the story” of the journey of an email message and is necessary for the functioning of the email service itself.
Email metadata never delve into the content of the message.

Generally, metadata is generated by the mail server software, so it can vary depending on the product, but typically includes:

Date sent
Date received
Sender’s email
Recipient’s email
Sender’s IP address (user sending and/or their server)
Recipient’s IP address (their server and/or the connection from which the user reads emails)
Subject of the email message
Email size

Essentially, email metadata, in our case, represents the logs of email traffic (access to emails, sent and received emails).

Where metadata are stored

Metadata related to an email message are found in two places:

Within the emails themselves (in the Email Headers, visible in the message source).
In the logs of the sending and receiving mail servers.

Choosing to delete specific metadata is challenging because the email message lives and functions together with its metadata.
Even if you delete it from your system, a trace may still remain on the server of the corresponding sender/recipient.

Players involved

Italian Privacy Guarantor who has the power to inspect and penalize companies handling data of Italian users.

Data Controller: in this case, the employer acts as the data controller for the data of its employees.

Data Processor: usually, it is the Cloud or SaaS email service provider or an IT company maintaining a dedicated mail server for a business.
There should be an appointment letter, typically provided by service providers along with the service supply contract.

Subject: in this case, the employee of the company, the person whom the guarantor aims to protect.

The email service could also be managed directly by the company (with its own dedicated server), and the provision still applies.

It is important to emphasize that in this specific provision, the privacy guarantor encourages “data controllers” to check the service supply methods and adopt necessary measures.

How long should organizations retain email logs?

Currently, regulatory requirements mandate that all operators providing telecommunication or telematic services (with email falling under telematic services) retain traffic data for a period ranging from 6 to 72 months, depending on the purpose of the processing.

Various regulatory references come into play, making the data retention table quite complex. However, we can simplify it by stating that logs can be retained.

Up to 6 months: for technical support and billing purposes
Up to 12 months: for investigation and prosecution of crimes
Up to 72 months: for counter-terrorism and organized crime prevention purposes

Authorize only specifically designated personnel to access this data. Naturally, exclude the content of communications from retention.
Excluding the content of communications from retention is a natural requirement.

What does the Italian Privacy Guarantor request?

The provision concerns the accesses to metadata performed by the employer/data controller, who cannot access this data if it is older than 7 days. It can be extended by 48 hours for proven needs, unless a specific collective agreement exists between the company and the workers. This is because it could imply an indirect remote monitoring of the worker’s activities.

The Italian guarantor likely aims to prevent using email logs for remote monitoring of workers.

What definitely cannot be done

Requesting the deletion of email logs from the service provider, acting as the data processor, is not possible due to legal requirements mandating the retention of these logs for more than 7 days. Considering the deletion of emails older than 7 days is impractical as they are essential for employees and the company’s operations.

The provision specifically focuses on metadata, usually stored separately.

In any case, even if we were to delete email logs and emails older than 7 days, a significant portion of metadata would still remain stored on our correspondent’s server, over which we have no control.

What should be done:

Checked with your service provider if these metadata are available to the employer (essentially the customer purchasing the service from the provider). If so, avoid processing them when older than 7 days and inquire if the provider plans to adjust their systems in light of this provision.

Review the privacy policies provided by the company, acting as the data controller, to its employees, and update them accordingly.

Contact your privacy consultant or internal legal experts within the company to formulate a compliance strategy with the provision.

If accessing this data for various reasons, regulate access through a specific company procedure that outlines:

Specify the data that authorized individuals can access or cannot access. Define the purposes for which authorized individuals can or cannot process this data. Establish a time frame beyond which authorized individuals cannot access the data for the defined purposes (even if potentially still stored and available for other purposes).

If accessing this data for various reasons, regulate access through a specific company procedure that outlines:

Designate individuals within the company authorized to access this data.
Clearly state which data authorized individuals can or cannot access.
Define the purposes for which this data can and cannot be processed.
Set a time frame beyond which the data cannot be accessed for the defined puUp to 6 months: for technical support and billing purposes.

What Qboxmail offers to its customers

Qboxmail, a Cloud service provider for corporate email management, provides its customers with the Tracemail tool to facilitate technical support operations related to email issues. Tracemail shows an email mailbox’s activities for the last 30 days (with the message subject and user’s IP address already hidden) and serves for processing data related to technical support. Furthermore, our Control Panel‘s Audit Log tool tracks each access and consultation on Tracemail.Therefore, the employer, i.e., the data controller, should not access data older than 7 days, even if potentially available, unless there is a company-specific collective agreement or other regulation governing the use of this information.We will consider reducing the visible data in Tracemail to 7 days for Italian customers only.

Qboxmail surpasses the threshold of 30,000 companies.

Highilight from our first live event

Gaia-X and Data Sovereignty, why they matter for Europe

We use cookies to provide you a better browsing experience, by continuing you accept their use. For more information visit the Privacy policy page.