Corporate e-mail metadata and Internet browsing logs


Corporate e-mail metadata and Internet browsing logs: Guarantor intervenes on retention times

The Privacy Guarantor reiterated a key principle: logs are not just technical data.

The collection and storage of employees’ computer data, even for security or technical support purposes, constitutes the processing of personal data and may constitute remote control. Therefore, the processing of such data must comply with the conditions set forth in the Workers’ Statute and the GDPR.

It becomes crucial for companies to be aware of the following implications:

✔️ processing of e-mail or browsing log data must be done in a lawful, fair and transparent manner.

✔️ under certain conditions, the retention of metadata (such as IP addresses, email subject lines, timestamps) is legitimate only if there is a union agreement or administrative authorization.

✔️ the Garante specified that even seemingly “technical” data can reveal personal information and enable remote monitoring of employees, thus requiring special precautions to be taken.

✔️ the Data Protection Impact Assessment (DPIA) must be conducted before processing begins.

✔️ the relationship with IT service providers (e.g., log hosting, ticketing systems, e-mail outsourcing) must be carefully regulated and monitored, in accordance with Article 28 of the GDPR.

What to do.

✅ Map log processing operations and verify retention times, access, and purposes.

✅ Depending on the retention time.

✅ Review contracts with IT vendors: clauses, responsibilities and instructions.


Contacts
sbastianelli@pglex.it