* The Authority in a subsequent decision suspended the legal effects of the guidance document and initiated a public consultation to be concluded within 30 days.
There has been an uproar over the Italian Data Protection Authority’s guidance document disclosed in the Feb. 6, 2024, newsletter regarding the collection and storage of metadata from corporate staff e-mail services.
Some of the criticisms raised about the document, however, seem unfounded.
The considerations that follow are intended to distinguish those aspects of the measure that are a direct consequence of existing regulations, from those that are subject to interpretation or evaluation by the authority, which are susceptible to free judgement.
It is announced from authoritative sources that – in order to answer some of the main questions raised by the aforementioned guidance document – the authority is planning to issue a supplementary clarification document.
Guidance document
The recalled measure is an authority guidance document called “Computer programs and services for managing electronic mail in the work environment and processing metadata“, attached to the measure dated Dec. 21, 2023, (web doc. no. 9978728).
The GDPR recognizes the power of member states to provide by law the attribution of powers to their national supervisory authority, additional to those already indicated by the Regulation as long as they are compatible with them (Art. 58(6) GDPR).
As part of this flexibility, the Italian legislature has included in the Privacy Code the new Article 154-bis, which gives the Italian supervisory Authority the power to “adopt guidelines regarding organizational and technical measures for implementing the principles of the Regulation, also for individual sectors and in application of the principles set out in Article 25 of the Regulation” (Art. 154-bis, para. 1(a), Privacy Code).
The guidance document, unlike individual measures, is binding on everyone.