In Provision No. 288 of May 21, 2025, the Italian Data Protection Authority fined an Italian company €420,000 for unlawful processing of an employee’s personal data later used to justify her dismissal.
The case
The employee filed a complaint against the company, alleging improper use of her personal data taken from her “Facebook” profile, the “Messenger” app, and certain chats on the “WhatsApp” platform. Once these data had been brought to the company’s attention, it used them to support two separate disciplinary notices.
In the first notice, dated February 16, 2024, the company quoted the contents of some comments made by the complainant on her Facebook profile, including quoted excerpts and descriptions of certain photos. In the second notice, dated March 21, 2024, it referred to a conversation on Messenger between the complainant and a third party (not employed by the company) who forwarded the conversation to the company via WhatsApp, including quoted excerpts. This second notice also included excerpts from a WhatsApp message the complainant sent to some colleagues on February 22, 2024.
The Authority’s position
The company’s defense relied on Article 8 of Law No. 300/1970 (the Italian Workers’ Statute), which prohibits the employer from carrying out investigations, including through third parties, into an employee’s political, religious, or trade union opinions, as well as into facts irrelevant to assessing the employee’s professional aptitude. The company claimed it had played no active role in collecting the data: the information had been reported to it by others, and it argued that using information received in this way for disciplinary purposes does not amount to a prohibited investigation under the Workers’ Statute.
The Italian Data Protection Authority used the occasion to recall that:
– The legal system protects the freedom and confidentiality of communications, recognized as fundamental rights, and any limitation is allowed only “by reasoned decision of the judicial authority, in accordance with the law” (Article 15 of the Constitution). As clarified by the Constitutional Court, this protection of confidentiality extends to all communication tools made available by technological evolution. (Lawfulness principle)
– The mere publication of data on publicly accessible platforms, such as social networks, does not imply that the data subject has given general consent to the free use of that data for any purpose. Any processing for a purpose other than the one for which the data were originally made available requires its own specific legal basis. (Purpose limitation principle)
– The necessity of processing based on legitimate interest, the legal basis the company cited in its defense, must also be assessed under the principle of data minimization. The data controller must verify that “the legitimate interest pursued cannot reasonably be achieved through less harmful means for the fundamental rights of data subjects, particularly their right to privacy”. In this case, the company failed to demonstrate that it had assessed the impact of the processing on the employee’s rights or considered less intrusive alternatives, even though the disciplinary measures could have been based on other elements. (Data minimization principle)
The Authority clarified that while it is not tasked with evaluating the disciplinary facts themselves, it is the employer – as the data controller – who must assess not only the lawfulness but also the adequacy, relevance, and proportionality of the data processing to be carried out. The Authority found numerous violations by the company, which, “once it became aware that the transmitted data concerned private communications and comments on a closed Facebook profile, […] should have refrained from using them.”