DLP Insights

Publishing employee assessments on the company notice board is considered unlawful data processing

Categories: DLP Insights, Case Law | Tag: Data Protection Authority, GDPR

23 Jun 2022

Following a report by a group of worker-members of a cooperative, the Data Protection Authority (“Garante”) established the unlawfulness of certain processing operations carried out through the publication of information on the assessment of their work, on the company notice board.

As part of a “contest with prizes for worker-members, entitled “Guardiamoci in faccia…soci!” (Let’s look at each other…members!) to incentivise the most deserving members and […] discouraging inefficiencies”, the cooperative used to share the recipients’ assessment on a weekly basis using emoticons accompanied by summary evaluations (such as, “absenteeism”, “sickness simulation”) placed next to the image and name of each employee. This information was visible not only to the worker concerned but anyone who accessed the premises where the company notice board was placed, including external persons occasionally present on the premises, and provided a cash reward for the first three winners.

Inspections carried out by the Data Protection authority established the processing illegitimacy for violation of the fundamental principles of lawfulness, correctness, transparency and data minimisation. The Authority confirmed that the employer may lawfully process the information necessary and pertinent to the management of the employment relationship – including the data necessary to carry out an assessment of the work performance or exercise disciplinary power (in the manner and within the limits provided for by the sector’s regulations). However, the authority noted that the systematic provision of such information by posting it on the notice board allowed the processing of data to persons (such as other colleagues or third parties) who are not entitled to know information on disciplinary assessments and remarks.

In addition, the Authority confirmed that the collection of consent, in circumstances such as this case, cannot be considered a legal basis for legitimising the processing of personal data. This is because the disproportionateness between the employment relationship parties cannot presuppose consent given expressly, freely and specifically and referring to an identified processing. The consent given at the time of the approval of the members’ resolution, as claimed by the company, is “functionally different” from the consent to the processing carried out by the company for the assessment of the members’ actions.

For these reasons, the Authority confirmed that “[…] continuously submitting the assessments on the quality of the work carried out or on the performance correctness to the observation of colleagues, even if it is part of a public competition” infringes the workers’ personal dignity, freedom and privacy.


The company appealed against the Authority’s decision first to the local court and then the Court of Cassation. In ruling no. 17911/2022, published on 1 June, the Court of Cassation rejected the appeal – confirming the Data Protection Authority’s arguments – and confirmed the principle according to which “the processing legitimacy presupposes a valid consent given expressly, freely and specifically, with reference to a clearly identified processing operation; this general principle is relevant and prevails in every relationship.”

Other related insights:

More insights