Hello, thank you for your quick reply.

I'have asked this question because the Italian data protection Authority asked all the companies to delete all the gmail's metadata older than one week if it's possible.

If it's not possible we have to create a document that explains this and we will solve the problem.

Bye!

Hello, this is a big issue for Italian customers. Italian Data Protection Authority ("Garante della Privacy") requested that all companies workers email metadata retention will be limited to 7 days for privacy concerns (+2 days under certain circumstances).

This is the document: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9978728

Are you working on it? Otherwise, it will be very hard to manage (companies will need to obtain specific trade union approvals...)

Hello,
Same problem here. I am italian as well as the OP.

Hoping for a change in the law enforcement, we might have serious problems for the future 🙂

Hello, I'm italian customer and we have the same problem.

This is the document where the italian "Garante della Privacy" asks companies to remove email metadata within 7 days:

(Site Link Removed by Staff)

+1

Hello @KevinApodaca please check the replies above, in order to help us and in general italian customers (this kind of request will surely grow) to solve this issue asap

Hallo, we are an italian municipality, we need to remove email metadata in 7/9 days too.

Hello, we are an italian Agency for Environmental Protection, we need to remove email metadata in 7 days too.

its a very urgent problem: in the meantime, some of our customers have arranged syndicates agreements to correct this specific issue, but for the majority of customers this is not applicable.
It's important to have metadata control on email logs to avoid legal and penal consequences.

All italian Customers are affected. Please consider this issue.

+1

we have the same here

any news on this topic?

Google appreciates the Garante's incorporation of observations and suggestions received during the public consultation into its guidelines adopted on 6 June 2024. We welcome the fact that the Garante has recognised the vital importance of the security of the IT environment and the need to mitigate security incidents as reasons justifying the retention of email metadata. 

This means that the Garante has moved away from its proposed fixed 7-day retention period (in its original guidelines) towards a more balanced approach. Indeed, whilst the Garante suggests a 21-day retention period as a “guideline”, it nonetheless permits employers to retain email metadata for longer periods - without an express limit - in the interests of security, provided this longer period is proportionate. For instance, it states that “purposes related to IT security and the protection of IT assets justify the conservation of metadata for a period of time appropriate to the objective of detecting and mitigating any security incidents”.

The Garante further clarifies that “no new obligations or responsibilities” arise from its current guidelines, meaning that employers and their service providers can remain fully focused on compliance with their existing obligations under GDPR (whilst taking the guidelines into account).

Major cybersecurity incidents experienced by another email and collaboration provider have reinforced that email logs are indispensable in reconstructing the sequence of events during those kinds of incidents. Indeed, in its assessment of these incidents, the U.S. Cyber Safety Review Board specifically recommends that cloud providers should retain logs for at least six months to ensure this reconstruction is possible. We believe this kind of retention period is fully aligned with the security-related objectives outlined by the Garante: reducing the retention period to a matter of days would be very likely to significantly impair an organisation’s ability to conduct thorough forensic investigations, identify the root cause of incidents, and implement effective remediation measures. Administrators often do not become aware of incidents occurring within their own organisation until well after many days from the incident date and, therefore, access to historical email metadata can be pivotal in minimizing the impact of security breaches and safeguarding sensitive information. For that reason, we believe it is crucial for customers - at their choice - to be able to access Gmail log events extending back 6 months.

Buongiorno a tutti, 
ci sono delle novità in merito a questo problema?
Grazie

This topic should be re-opened.
Do we have any news?