Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No. 132 of 23 September 2025), a regulatory framework is taking shape which is set to have a significant impact on work organisation and the processing of personal data in the HR field.
The regulatory framework sits within a multi-level context, characterised by the interaction between national legislation, the AI Act and Regulation (EU) 2016/679 (“GDPR”), consolidating a model centred on an “anthropocentric” use of AI, based on transparency, accountability and the protection of fundamental rights.
Automated decision-making processes and Article 22 GDPR
The regulation of assisted or automated decision-making processes in the employment relationship is of particular importance. In line with Article 22 GDPR, the decrees introduce an express prohibition on solely automated decisions in procedures affecting the establishment, management and termination of the employment relationship, as well as in disciplinary matters.
This provision strengthens the obligation to ensure meaningful human intervention, with the final decision being entrusted to a natural person vested with genuine autonomous decision-making authority. Breach of this principle entails, among other consequences, the nullity of any dismissal adopted on the basis of a wholly automated decision, with significant implications in terms of litigation.
Transparency obligations and enhanced information notice
In line with the principles set out in Articles 5 and 13-14 GDPR, the legislation requires employers to ensure a high level of transparency in the use of AI systems. In particular, employers are required to provide employees, before the processing begins, with a specific information notice concerning the use of intelligent systems in decision-making processes (also pursuant to Article 1-bis of Legislative Decree No. 152/1997).
This is accompanied by an “enhanced” right of access: upon request, the data subject can obtain an intelligible explanation of the decision-making logic and of the main parameters used by the algorithm.
In practical terms, these obligations require the implementation of appropriate documentary and technical safeguards, consistent with the accountability principle under Article 5(2) GDPR.
Non-discrimination, fairness and minimisation
The legislation also places emphasis on the principle of non-discrimination, requiring AI systems not to produce discriminatory effects based, inter alia, on gender, age, ethnic origin or personal circumstances.
From a data protection perspective, this entails, for the employer:
- the prior assessment of algorithmic bias,
- the adoption of technical and organisational measures suitable to ensure data accuracy,
- compliance with the principles of data minimisation and purpose limitation (Article 5 GDPR).
Health and safety implications and data processing
The decrees also address occupational health and safety, providing that AI systems which affect work organisation or production rhythms must be included in the risk assessment pursuant to Legislative Decree No. 81/2008.
In such contexts, the processing of personal data – often on a large scale and also relating to performance and conduct – requires particular attention to the following aspects:
- necessity and proportionality of the processing,
- the possible carrying out of a data protection impact assessment (DPIA) pursuant to Article 35 GDPR, where systematic or large-scale automated processing is involved,
- the correct identification of the applicable legal bases.
In light of the new regulatory framework, companies are required to adopt an integrated approach to AI governance, combining employment law, privacy and occupational health and safety considerations. In particular, the following measures are necessary:
- providing specific training to personnel on the risks and limitations of the systems adopted,
- mapping the AI systems used in HR processes,
- formalising safeguards ensuring effective human oversight,
- updating privacy notices, internal policies and procedures,
- integrating AI systems into risk assessment processes, including a DPIA if required.
