With judgment no. 28365 of 27 October 2025, the Italian Supreme Court – Labor Division – addressed the balance between an employer’s monitoring powers and employees’ rights to data protection and privacy. The Italian Supreme Court confirmed the legitimacy of a dismissal for just cause imposed on an employee who had disclosed personal data, information, and company documents. The disciplinary charges were based on findings emerging from checks carried out by the employer on the company laptop assigned to the employee.

The Court of Appeal held that the employer’s activity complied with Article 4 of Italian Law no. 300/1970 (i.e. “Statuto dei lavoratori”), as the company had demonstrated that adequate prior information had been provided to the employee “through dissemination of the corporate policy governing the use of IT equipment”. According to that policy, “the employer informed […] employees of the possibility of carrying out checks and inspections in the event of detected anomalies, in compliance with the applicable legislation, reserving the right, where non-compliant conduct was identified, to apply the contractual provisions governing disciplinary measures”.

The Italian Supreme Court agreed, stating that the employer had fulfilled the requirements of Article 4 of Law no. 300/1970 by providing employees with prior and adequate information regarding the possibility of carrying out checks on company IT tools.

What are the implications for employers?

• Updating, or where absent, drafting corporate policies and regulations defining the correct use of work tools assigned to employees, and clearly informing them of the types and modalities of monitoring activities carried out by the employer, in full compliance with the Workers’ Statute and data protection law.
• Establishing clear and precise rules on the use of corporate email accounts and Internet access, as well as on prohibited activities, such as downloading audio or video files unrelated to work.
• Identifying, through specific appointments, the individuals responsible for and expressly authorised to carry out monitoring activities, ensuring they receive appropriate operational instructions and training.
• Defining information and log retention policies in accordance with applicable law, the guidelines of the Data Protection Authority, and internal corporate policies.

What are the consequences of non-compliance?

The consequences for employers are twofold. On the one hand, the company risks exposure to significant sanctions under data protection law for unlawful processing of personal data. On the other hand, any information collected in breach of the law becomes entirely unusable for all purposes connected with the employment relationship, including the possibility of grounding disciplinary action on such evidence.