The Italian Data Protection Authority has issued its first GDPR fine for, among other breaches, unlawful retention of metadata from employees’ emails and web browsing activities. The decision applies, for the first time, the Garante’s highly discussed guidelines of 2024 on the use of metadata in workplace email systems. Metadata generated through corporate email and internet usage includes information such as sender and recipient addresses, subject lines, date and time of transmission, the presence and size of attachments, and IP addresses. Although the data does not include the actual content of messages, it can reveal patterns of behavior, relationships, and indirectly infer performance or productivity levels.
