The employer may collect employees’ Internet browsing logs and email metadata only under specific conditions and safeguards. This was affirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) when imposing a €50,000 fine on the Lombardy Region (Provision No. 243 of April 29, 2025).

As stated on the Authority’s official website, this ruling follows an inspection aimed at verifying the Region’s compliance with privacy regulations concerning the processing of employee data. The measure comes almost a year after the publication of the guidance document titled “Programs and IT services for managing e-mail in the workplace and the processing of metadata” (Provision No. 364 of June 6, 2024).

Although this case specifically involved public administration, it is worth clarifying that all findings, observations, and clarifications issued by the Authority fully apply to private-sector data controllers as well.

Metadata and Internet browsing logs

“Metadata” refers to information related to the sending, receiving, and routing of messages. This may include the sender’s and recipient’s email addresses, IP addresses of the servers or clients involved in message routing, timestamps of sending, retransmission or receipt, message size, presence and size of any attachments, and, in certain cases depending on the email management system used, even the subject of the sent or received message.

Browsing logs, on the other hand, allow tracking of activities during web navigation and contain data such as visited IP addresses, URLs of opened web pages, connection times and durations, type of device and browser used, as well as any downloads or uploads performed.

The June 6, 2024, guidance clarifies that the maximum retention period for such data is 21 days. Any retention beyond this period is permissible only under specific conditions that justify the extension, and, in any case, one of the safeguards provided by Italian law under Article 4 of Law No. 300/1970 (the Workers’ Statute) must be satisfied: (i) an agreement with trade unions or, failing that, (ii) authorization from the local Labour Inspectorate.

This is because all such information allows the employer to identify behavioral patterns, understand workers’ relationships and habits, and infer elements such as performance and productivity. In other words, it may amount to indirect remote monitoring of employees’ activities.

Violations detected and sanctions imposed

During the Authority’s inspection, it emerged that the Region retained:

  • E-mail metadata for 90 days — violation resulting in a €20,000 fine for unlawful data processing,
  • Internet browsing logs for 12 months — violation resulting in a €25,000 fine,
  • Help desk ticket registry data for 10 years — violation resulting in a €5,000 fine.

Recommended actions to ensure compliance with current legislation?

  • Provide information notices to all data subjects concerned.
  • Conduct a legitimate interest assessment and a data protection impact assessment to evaluate and mitigate risks.
  • Define data retention periods in line with current legislation and the Authority’s guidelines or, where specific needs arise (which must be justified and demonstrated), fulfill one of the safeguard conditions under Article 4 of the Workers’ Statute.
  • Update and align internal documentation accordingly.
  • Restrict access to such data exclusively to specifically authorized personnel.
  • Respect the principle of data minimization and implement adequate security measures, such as encrypting metadata and logs.
  • Update contracts with third-party providers to ensure compliance with Article 28 of the GDPR.
  • Continuously monitor compliance levels and, where necessary, implement appropriate updates and improvements.

Other related Insights:

The Regional Administrative Court (i.e. “Tribunale Amministrativo Regionale,” or “TAR”) of Tuscany recently annulled the denial issued by the local labor inspectorate (i.e. “Ispettorato Territoriale del Lavoro” or “ITL”) concerning a company’s request to install additional surveillance cameras at the perimeter of its industrial site. The Court clarified that even outdoor areas where work activities occur only occasionally or intermittently still qualify as “workplaces” under Italian law.

The case

The case originated from a request submitted by a company to the competent ITL — as provided by Article 4 of the Italian Workers’ Statute (Law 300/70) — whereby the company approached the Public Administration after failing to reach an agreement with the corporate trade union representatives. Specifically, the company’s request outlined that, despite the presence of an existing surveillance system installed along the perimeter of the corporate premises, there was still a need to install an additional nine cameras. These cameras were to be placed in a peripheral area of the industrial facility to monitor the proper disposal of waste in designated unloading areas — areas that were also used by external parties — in order to prevent risks to worker safety, fire hazards, environmental damage, and to protect the company’s assets.

The ITL’s denial was based on its classification of the areas as “workplaces” and the perceived disproportion of the measure, which was deemed inappropriate in relation to the risks involved.

The Regional Administrative Court’s decision

The Court found the company’s appeal to be valid for the following reasons:

  • Evidence in the case file showed that the areas where the company wanted to install the nine new cameras and for which the company sought authorization from the ITL were mainly frequented by external contractors, with employees only occasionally present (when performing specific tasks).
  • Even outdoor areas where work activities are carried out only occasionally or intermittently must be considered “workplaces.”
  • However, this fact alone was not sufficient to justify the denial, as per the relevant case law, which states that workers are not directly monitored, but are only within the scope of the camera’s field of view (see Italian Supreme Court, Civil ruling no. 3045/2025). The ITL had not established that the areas in question were habitually frequented by employees. On the contrary, according to the evidence provided by the claimant, these spaces were primarily used by external contractors, with employees only occasionally present.
  • There was no indication that the ITL had carefully considered the company’s legitimate needs, which ranged from enhancing safety (including environmental safety) to safeguarding the integrity and appearance of the company’s assets.
  • It was also not taken into account that the privacy of employees is reduced in areas where external parties are present (see Italian Supreme Court, Civil ruling no. 3045/2025), and the ITL overlooked the fact that the data storage period for the new cameras (72 hours) was shorter than the storage period for the existing system (96 hours), which was already authorized.

Other related insights:

Managing employee surveillance is a sensitive issue, especially with the rise of new technologies. Recent rulings from Italy’s Court of Cassation have clarified the legal boundaries surrounding this practice. 

The role of Investigative Agencies 
Employers may use private investigators to check potential employee misconduct, such as unapproved absences or misuse of leave. However, these investigations must be focused, proportional, and lawful, ensuring they do not interfere with an employee’s work duties. 

Monitoring company devices 
Employers may need to access employees’ devices, such as emails or laptops, especially when there is reasonable suspicion of misconduct. The Italian Supreme Court has recently clarified that checking an employee’s email is only permitted when there is concrete suspicion, and such checks must not be arbitrary or excessive. 

Balancing business needs and employee privacy 
It is essential to strike a balance between business needs and employee privacy. Surveillance must be justified, proportionate, and never indiscriminate. Employers must ensure they follow legal guidelines to avoid misuse of the information collected. 

Best practices 

  • Reasonable suspicion: Surveillance should be based on a clear and justified suspicion of misconduct. 
  • Proportionality: Monitoring should be proportionate to the potential risk to the company. 
  • Legal compliance: Employers must ensure surveillance practices comply with labor laws and privacy regulations. 

By following these principles, employers can protect their business interests while respecting employee privacy. 

Continue reading the full version published on Agenda Digitale.

AI in companies entails risks related to data security and the protection of know-how. Organizations need appropriate policies to ensure ethical and compliant use.

If an employee uses artificial intelligence systems – often generative – to carry out his or her work activities, he or she may, more or less consciously, share company know-how and personal information with external, and thus unauthorized, parties.

The risks of AI in the company, explained by the AI

In an attempt to answer this question, we asked one of the parties directly involved. Below, point by point, are the main red flags related to the adoption of generative A.I. that the A.I. itself pointed out to us.

According to the A.I., allowing workers to use these technologies could entail for a company:

  • issues related to IT governance and security management,
  • violations of data protection regulations,
  • commission of discriminatory behavior arising from the biases contained in the data it has been trained with,
  • excessive dependence of workers on artificial intelligence which, in the most serious cases, could lead to a danger of reducing the decision-making and critical capabilities typical of human beings.

These are all interesting points to which one cannot fail to add the risk of the disclosure of corporate know-how and thus the dispersion of sensitive information for a company.

It is essential for an organization to study, define and implement policies, regulations and corporate guidelines, not only for an ethical and aware management of AI, but also to be fully compliant with regulatory dictates and to be protected from the risk of incurring one or more of the foreseen violations.

An organization is accountable for its actions, decisions and performance not only to the legal system but also to its stakeholders – be they employees, customers, shareholders, suppliers.

A – now inevitable – implementation of artificial intelligence that is guided, responsible and aware, with careful oversight of its applications, may be the key to ensuring that the benefits and advantages outweigh what may be the risks.

Continue reading the full version published on Agenda Digitale.

The Italian Supreme Court, in its decision no. 807 of January 13, 2025, has once again addressed the legitimacy of employer monitoring of employees’ corporate email accounts. The Court reiterated that while an employer may access an employee’s company email, this action is only lawful if there is a well-founded suspicion of illegal conduct. Information gathered before such a suspicion arises cannot be used for disciplinary purposes. 

In the case at hand, the company had dismissed a manager based on information obtained from an email log check, which was conducted prior to an alert from the company’s system that triggered the suspicion of misconduct. The Court of Appeal had already ruled that the information collected prior to the “employer’s suspicion” could not be used as evidence to support the dismissal, and that only the manager’s statements should be considered as the sole source of evidence. 

This ruling raises important considerations regarding the limits of employer control, particularly in a technological context where surveillance capabilities have expanded. It is crucial to clearly define the boundaries within which monitoring activities and the data collected can be considered lawful and compliant with current regulations. Indeed, any monitoring activity must be proportionate, transparent, and clearly justified, ensuring that employees are informed about the scope and purpose of such surveillance. 

Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.