AI and the employment relationship: initial guidance from the implementing decrees and data protection implications
Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No. 132 of 23 September 2025), a regulatory framework is taking shape which is set to have a significant impact on work organisation and the processing of personal data in the HR field.
The regulatory framework sits within a multi-level context, characterised by the interaction between national legislation, the AI Act and Regulation (EU) 2016/679 (“GDPR”), consolidating a model centred on an “anthropocentric” use of AI, based on transparency, accountability and the protection of fundamental rights.
Automated decision-making processes and Article 22 GDPR
The regulation of assisted or automated decision-making processes in the employment relationship is of particular importance. In line with Article 22 GDPR, the decrees introduce an express prohibition on solely automated decisions in procedures affecting the establishment, management and termination of the employment relationship, as well as in disciplinary matters.
This provision strengthens the obligation to ensure meaningful human intervention, with the final decision being entrusted to a natural person vested with genuine autonomous decision-making authority. Breach of this principle entails, among other consequences, the nullity of any dismissal adopted on the basis of a wholly automated decision, with significant implications in terms of litigation.
Transparency obligations and enhanced information notice
In line with the principles set out in Articles 5 and 13-14 GDPR, the legislation requires employers to ensure a high level of transparency in the use of AI systems. In particular, employers are required to provide employees, before the processing begins, with a specific information notice concerning the use of intelligent systems in decision-making processes (also pursuant to Article 1-bis of Legislative Decree No. 152/1997).
This is accompanied by an “enhanced” right of access, consisting in the possibility, upon request by the data subject, to obtain an intelligible explanation of the decision-making logic and of the main parameters used by the algorithm.
In practical terms, these obligations require the implementation of appropriate documentary and technical safeguards, consistent with the accountability principle under Article 5(2) GDPR.
Non-discrimination, fairness and minimization
The legislation also places emphasis on the principle of non-discrimination, requiring AI systems not to produce discriminatory effects based, inter alia, on gender, age, ethnic origin or personal circumstances.
From a data protection perspective, this entails, for the employer:
the prior assessment of algorithmic bias,
the adoption of technical and organisational measures suitable to ensure data accuracy,
compliance with the principles of data minimisation and purpose limitation (Article 5 GDPR).
Health and safety implications and data processing
The decrees also address occupational health and safety, providing that AI systems which affect work organisation or production rhythms must be included in the risk assessment pursuant to Legislative Decree No. 81/2008.
In such contexts, the processing of personal data – often on a large scale and also relating to performance and conduct – requires particular attention to the following aspects:
necessity and proportionality of the processing,
the possible carrying out of a data protection impact assessment (DPIA) pursuant to Article 35 GDPR, where systematic or large-scale automated processing is involved,
the correct identification of the applicable legal bases.
In light of the new regulatory framework, companies are required to adopt an integrated approach to AI governance, combining employment law, privacy and occupational health and safety considerations. In particular, the following measures are necessary:
providing specific training to personnel on the risks and limitations of the systems adopted.
mapping the AI systems used in HR processes,
formalising safeguards ensuring effective human oversight,
updating privacy notices, internal policies and procedures,
integrating AI systems into risk assessment processes, including a DPIA if required,
As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…
Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…
As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…
With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…
In 2026, De Luca & Partners marks an extraordinary milestone: its 50th anniversary. For half a century, the Firm has stood alongside businesses, guiding them through the evolution…
With Order No. 13722 of 11 May 2026, the Labour Section of the Italian Supreme Court of Cassation (Corte di Cassazione) held that an employee’s repeated lateness, resulting…