Italian Privacy Guarantor clarifies the 7-day retention rule for email logs

Elena Moccia

19/02/2024

This image addresses the retention period for employee email logs, suggesting 7 days as the duration (indicated by "Giorno 7" on the calendar).

On February 6, 2024, the Italian Privacy Guarantor issued a provision aimed at offering guidance to public and private employers on how to manage employees’ email accounts.
Instead of clarifying the issue, the measure created widespread confusion among IT and legal departments.
At Qboxmail, we provide cloud-based email, calendar, and contact management services to thousands of organizations across Europe. This is why we want to clarify how email logs (metadata) are collected, stored, and retained, and what this provision actually implies for companies using professional email services.

What Metadata Are

Metadata is an information that describes the characteristics of another object. In the case of emails, metadata is the information that “tells the story” of the journey of an email messagMetadata are pieces of information that describe another object. In email communication, they tell the technical story of a message: when it was sent, who sent it, and which servers handled it. Metadata never include the content of the message.

They are automatically generated by mail servers and typically include details such as:

sender and recipient addresses, IPs, and timestamps;
subject line and message size.

These elements are essential for the operation, delivery, and troubleshooting of email services.

Where Metadata Are Stored

Metadata related to an email message are found Email metadata exist in two main places:

inside the message itself, within the email headers;
in the logs of the sending and receiving mail servers.

Removing metadata selectively is not possible because the message and its related information are part of the same structure. Even when deleted from one system, traces may remain on the correspondent’s mail server.

Who Is Involved

The regulation concerns several actors:

The Italian Privacy Guarantor, responsible for supervising compliance and imposing sanctions;
The data subject, namely the employee whose personal data may be processed;
The data controller, typically the employer managing the email accounts;
The service provider, which may be an external company or an internal IT structure.

The Guarantor recommends that data controllers verify how their service providers manage email metadata and ensure compliance through clear contractual and technical measures.

How Long Can Email Logs be Retained

Currently, regulatory requirements mandUnder current regulations, telecommunication and telematic service providers must retain traffic data for periods that vary depending on the purpose of processing:

Up to 6 months for technical support and billing;
Up to 12 months for investigation and prosecution of crimes;
Up to 72 months for counter-terrorism and organized crime prevention.

Retention must always exclude the content of communications and be accessible only to specifically authorized personnel.

What the GDPR Requires

The provision concerns the accesses to metadata performed by the employer/data controller, who cannot access this data if it is older than 7 days. It can be extended by 48 hours for proven needs, unless a specific collective agreement exists between the company and the workers. This is because it could imply an indirect remote monitoring of the worker’s activities.

The Italian guarantor likely aims to prevent using email logs for remote monitoring of workers.

What definitely cannot be done

The new provision focuses on employers’ access to email metadata, not on providers’ technical retention obligations.
Employers cannot access metadata older than seven days unless there is a proven and documented need, in which case access may be extended by up to 48 hours.
Longer access is allowed only if a collective agreement or specific regulation covers it.
The Guarantor’s goal is to prevent indirect monitoring of employees’ activity through email traffic analysis.

What Organizations Should Not Do

Requesting the deletion of email logs from a service provider is not possible, as providers are legally required to retain them for technical and legal reasons.
Likewise, deleting emails older than seven days would be unrealistic and detrimental to normal business operations.

Even if logs were deleted, corresponding metadata would still exist on the recipient’s or sender’s server, beyond the control of the company.

How Organizations Should Act

Companies should:

verify whether email metadata are accessible to the employer and ensure that no data older than seven days are consulted;
update their internal privacy policies to reflect this rule;
involve legal or privacy consultants to define a compliant internal procedure regulating who can access metadata, for what purposes, and for how long.

Qboxmail’s Approach

Qboxmail offers its customers Tracemail, a tool that supports technical troubleshooting related to email delivery.
Tracemail displays mailbox activity for the last 30 days, with sensitive data such as subjects and user IPs already masked. The data processed through Tracemail are used exclusively for technical support.
Every access and consultation within Tracemail is recorded in the Audit Log of the Qboxmail Control Panel.
To align with the Guarantor’s recommendation, Qboxmail plans to limit visible data within Tracemail to the last seven days for Italian customers.