    05.06.2025

    Metadata: the Italian Data Protection Authority Intervenes on the Extension of the Retention Period Beyond 21 Days


    With Decision No. 243 of April 29, 2025, the Italian Data Protection Authority (“IDPA”) imposed an administrative fine of €50,000 on the Lombardy Region (“Region”) for having retained, without the necessary procedural safeguards, metadata generated by email management systems for 90 days and Internet browsing logs for 365 days. In particular, the Region failed to comply with the obligations set out in Article 4(1) of Law No. 300/1970 (“Workers’ Statute”) and did not conduct a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR.

    In this Decision, the IDPA reiterated that metadata generated by email management systems and Internet browsing logs are personal data and that their generalized collection, as it enables remote monitoring of work activity, requires the employer, under certain circumstances, to follow the procedures set out in Article 4(1) of the Workers’ Statute.

    The IDPA’s Position Paper dated June 6, 2024, had already established this position, specifying that metadata generated by employee email systems may be retained only for limited periods, generally not exceeding 21 days. If retention exceeds 21 days, the IDPA holds that the procedures under Article 4(1) of the Workers’ Statute must be followed, unless the data controller can concretely demonstrate specific technical or organizational reasons (e.g., related to the cybersecurity of the email service) that justify the longer retention period.

    Such reasons were not found in this case.

    The Region, moreover, through three external providers, was able to combine IP addresses, MAC addresses, and employee identities, thus having full access to information that enabled potential profiling and individual monitoring of employees. The IDPA considered such processing disproportionate and excessive relative to the principles of data minimization and storage limitation. It therefore mandated, among other things, the anonymization of attempts to access blacklisted websites, the reduction of Internet browsing log retention from 365 to 90 days (with retention beyond this limit allowed only after anonymization), restricted access to data to expressly authorized personnel, and encryption of data enabling the association between device and employee.

    The IDPA also clarified that, because processing metadata from employee email systems potentially involves “high risks” to the rights and freedoms of the individuals concerned (it entails systematic monitoring of employees, who are deemed vulnerable because of their subordinate employment status), conducting a DPIA is mandatory, and failure to do so constitutes a violation of Article 35 of the GDPR.

    The IDPA’s stance is thus clear: metadata should not be retained for more than 21 days, and retaining it longer without following the procedures under Article 4(1) of the Workers’ Statute is legitimate only where there are proven technical reasons related to the functioning and cybersecurity of the email service itself (generic IT security concerns about the employer’s networks and systems are not sufficient). Where such reasons are lacking, the employer must, depending on the case, reach an agreement with union representatives or obtain authorization from the competent Labor Inspectorate. In all cases, a DPIA and a Legitimate Interest Assessment (LIA) must be conducted and documented, the information notices on the processing of personal data and the internal policies and procedures must be updated, and appropriate technical and organizational measures must be adopted to ensure an adequate level of personal data protection.

    If you need assistance and support in complying with the obligations related to the collection and retention of metadata generated by corporate email systems, contact your trusted professionals.