Categories: Insights, Publications · News, Publications

Tag: Corte di Cassazione, Dismissal, GDPR


8 Jan 2025

Penalties may be imposed on the manager who accesses the computer system by using a subordinate’s credentials

Violates the employer’s directives (even if implicit, but clear) the employee who, although in a hierarchically superior position to the holder of the access credentials to a company’s IT system, has them revealed in order to gain access without specific authorization: the protection of data through access credentials alone is sufficient to make such directives clear”. This has been established by the Supreme Court of Italy, Criminal Section V, no. 40295/2024. 

The case 

An employee of a hotel in Chianciano Terme (Italy) had requested from another employee, directly subordinate to him, the access keys to the company’s IT system for the storage and promotional purposes of the customer database, which included about 90,000 individual records, accessing it for purposes unrelated to the mandate received. In the first two levels of judgment, was established the commission of the crime of «Unauthorized access to an IT or telematic system», under Article 615-ter, paragraph 1, of the Italian Penal Code. 

The employee appealed to the Italian Supreme Court, claiming that it was not an abuse access, both because he had the power «in his capacity as director and superior manager of the employee» from whom he had requested for the credentials, «also for the purpose of supervising her work» and because until shortly before, he had a personal and direct access to those data. 

The position of the Supreme Court 

The Supreme Court of Italy ruled that the offence of unauthorized access to IT systems (under Article 615-ter, paragraph 1, of the Italian Penal Code) also occurs in the case of a hierarchical superior using the access credentials provided by the employee. 

The judges of the Italian Supreme Court did not find convincing the appellant’s argument that relied on his power to access any company location in order to carry out checks on those hierarchically subordinate to him. In the case of an IT system protected by credentials, the Court pointed out that «each authorized person has his/her own ‘key’ (i.e., the access credentials)». «This is because it is data which, quite simply, the owner considers should be protected, both by limiting access to those who are provided with such credentials and, at the same time, by ensuring that a digital trace is left of the individual access and of who carries them out ». 

It is therefore incorrect to hold that the defendant «solely by virtue of his duties, automatically had the power to access data that, on the other hand, according to the employer’s discretionary assessment, were to remain available only to certain employees (even if subordinate to the appellant) » 

Moreover, by doing so, the appellant made it «falsely appear that the access had been made by the employee who, imprudently, had revealed her credentials to him». ​ 

Other related insights:   

Subscribe to our newsletter

Contact

Need information? Write to us and our team of experts will respond as soon as possible.

Fill in the form

More news and insights

8 Jul 2026

Pay transparency: one month after its entry into force, two approaches are emerging in the market (The Platform, 8 July 2026 – Vittorio De Luca, Claudia Cerbone e Martina De Angeli)

Since 7 June, EU rules aimed at strengthening the principle of equal pay between men and women for the same work or for work of equal value have…

2 Jul 2026

Did you know…? As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force

As of 7 June 2026, Legislative Decree No. 96/2026 is fully in force. It also introduces into the Italian legal system a structured framework on pay transparency, with…

2 Jul 2026

Failure to serve disciplinary charges does not render the dismissal null and void: italian supreme court confirms no reinstatement remedy for employers below the statutory workforce threshold

Principle of Law In its recent judgment No. 17283 of 1 June 2026, the Italian Supreme Court (Corte di Cassazione) examined the legal consequences arising from the employer's…

2 Jul 2026

AI and the employment relationship: initial guidance from the implementing decrees and data protection implications

Following the preliminary approval by the Council of Ministers, on 10 June 2026, of the first draft legislative decrees implementing the enabling law on artificial intelligence (Law No.…

1 Jul 2026

Sustainability, Responsibility, and the Future: A Commitment That Grows with Time

As we celebrate our 50th anniversary, we have chosen to look to the future with the same care and dedication with which we preserve our roots. Those roots…

25 Jun 2026

Pay Equity and Pay Transparency: What Will Change in Italy (People are People, 25 June 2026 – Claudia Cerbone e Martina De Angeli)

With Legislative Decree No. 96 of 7 May 2026, which entered into force on 7 June 2026, Italy transposed Directive (EU) 2023/970 on pay transparency, becoming one of…