They are reduced metadata to be deleted in company emails to protect the privacy of employees.
The new measure of the Privacy Guarantor reviews them guidelines published last February and which had caused alarm among businesses.
The updated and more precise definition of metadata frames i data recorded automatically from email systems.
They are, therefore, excluded all the information contained in body of the email and in the so-called “envelope”, i.e. the set of technical headings structured documents that document the routing of the message, its origin and other technical parameters.
Corporate email privacy: the new rules for metadata management
The chapter on the issue related to is moving towards its conclusion protection from the employee privacy within the scope of management of company emails.
The measure approved by Privacy Guarantor June 6th brings substantial changes to the guidelines published last February and which sparked agitation and panic within the businesses.
The new text, which replaces the old rules, seems to reach the point of equilibrium with respect to the issues raised: we review the metadata management now understood as the information that the email system record automatically and which therefore should not be confused with the data contained in body of messages or which form the so-called “envelope”that is, the set of technical headings structured documents that document the routing of the message, its origin and other technical parameters.
But let’s take a step back. In February, in fact, the Guarantor has published the new ones guidelines for the processing of employee personal data by employers who use programs also provided in cloud mode for email management.
Specifically, it was limited to a maximum of 7 days (extendable by 48 hours) the automatic metadata collection related to the use of employee email accounts, such as, day, time, sender, recipient, subject and size of the email, and the storage for extended periods.
For longer storage periods it was necessary tounion agreement or the authorization oflabor Inspectorate.
News that have generated quite a bit chaos in companies which they immediately demonstrated difficulty of application of the new rules, so much so that the Guarantor has decided to suspend the effectiveness of the guidelines and to launch a new one public consultation.
Well, the new one provision of 6 June seems to arrive at a square, thanks to novelty which should resolve the concerns of companies.
Corporate email privacy: what’s new in the Guarantor’s provision
The first novelty concerns the precision definition of metadatawhich circumscribes the information recorded automatically from email systems, regardless of the user’s perception and will.
As underlined by the Guarantor, therefore, these should in no way be confused with the information contained in email messages or in the “envelope”.
“The information contained in the envelope, although corresponding to metadata automatically recorded in the mail service logs, is inseparable from the message of which it is an integral part and which remains under the exclusive control of the user (be it the sender or recipient of the messages).”
Therefore, the indications contained in the guidelines and relating to metadata retention times, understood according to the new definition, do not concern i message contents of e-mail (nor the technical information which is an integral part of it) which remains available to the user/worker, within the e-mail inbox.
Understand i metadata in this way, therefore, it seems to avoid the concerns that arose in recent months in companies.
L’collection and conservation activities of the metadata/logs necessary to ensure the functioning of the electronic mail system infrastructures, underlines the Guarantor, can normally be carried out for a period limited to a few days. However, conservation should not exceed 21 days.
The possible storage for an even longer term it will only be possible in the presence of particular conditions which make its extension necessary, which must be adequately proven according to the principle of accountability.
- Guarantor for the protection of personal data – Provision of 6 June 2024
- Email management in the work context and metadata processing
