The Regional Administrative Court (i.e. “Tribunale Amministrativo Regionale,” or “TAR”) of Tuscany recently annulled the denial issued by the local labor inspectorate (i.e. “Ispettorato Territoriale del Lavoro” or “ITL”) concerning a company’s request to install additional surveillance cameras at the perimeter of its industrial site. The Court clarified that even outdoor areas where work activities occur only occasionally or intermittently still qualify as “workplaces” under Italian law.​

The case

The case originated from a request submitted by a company to the competent ITL — as provided by Article 4 of the Italian Worker Statute (Law 300/70) — whereby the company approached the Public Administration after failing to reach an agreement with the corporate trade union representatives. Specifically, the company’s request outlined that, despite the presence of an existing surveillance system installed along the perimeter of the corporate premises, there was still a need to install an additional nine cameras. These cameras were to be placed in a peripheral area of the industrial facility to monitor the proper disposal of waste in designated unloading areas — areas that were also used by external parties — in order to prevent risks to worker safety, fire hazards, environmental damage, and to protect the company’s assets.

The ITL’s denial was based on its classification of the areas as “workplaces” and the perceived disproportion of the measure, which was deemed inappropriate in relation to the risks involved.

The Regional Administrative Court’s decision

The Court found the company’s appeal to be valid for the following reasons:

• Evidence in the case file showed that the areas where the company wanted to install the nine new cameras and for which the company sought authorization from the ITL were mainly frequented by external contractors, with employees only occasionally present (when performing specific tasks).
• Even outdoor areas where work activities are carried out only occasionally or intermittently must be considered “workplaces.”
• However, this fact alone was not sufficient to justify the denial, as per the relevant case law, which states that workers are not directly monitored, but are only within the scope of the camera’s field of view (see Italian Supreme Court, Civil ruling no. 3045/2025). The ITL had not established that the areas in question were habitually frequented by employees. On the contrary, according to the evidence provided by the claimant, these spaces were primarily used by external contractors, with employees only occasionally present.
• There was no indication that the ITL had carefully considered the company’s legitimate needs, which ranged from enhancing safety (including environmental safety) to safeguarding the integrity and appearance of the company’s assets.
• It was also not taken into account that the privacy of employees is reduced in areas where external parties are present (see Italian Supreme Court, Civil ruling no. 3045/2025), and the ITL overlooked the fact that the data storage period for the new cameras (72 hours) was shorter than the storage period for the existing system (96 hours), which was already authorized.

Other related insights:

• Video surveillance: presence of workers and monitoring of their activities essential requirements for breach of prohibition on remote monitoring
• Nessuna sanzione al dipendente se la videosorveglianza è illecita

Managing employee surveillance is a sensitive issue, especially with the rise of new technologies. Recent rulings from Italy’s Court of Cassation have clarified the legal boundaries surrounding this practice. 

The role of Investigative Agencies 
Employers may use private investigators to check potential employee misconduct, such as unapproved absences or misuse of leave. However, these investigations must be focused, proportional, and lawful, ensuring they do not interfere with an employee’s work duties. 

Monitoring company devices 
Employers may need to access employees’ devices, such as emails or laptops, especially when there is reasonable suspicion of misconduct. The Italian Supreme Court has recently clarified that checking an employee’s email is only permitted when there is concrete suspicion, and such checks must not be arbitrary or excessive. 

Balancing business needs and employee privacy 
It is essential to strike a balance between business needs and employee privacy. Surveillance must be justified, proportionate, and never indiscriminate. Employers must ensure they follow legal guidelines to avoid misuse of the information collected. 

Best practices 

• Reasonable suspicion: Surveillance should be based on a clear and justified suspicion of misconduct. 

• Proportionality: Monitoring should be proportionate to the potential risk to the company. 

• Legal compliance: Employers must ensure surveillance practices comply with labor laws and privacy regulations. 

By following these principles, employers can protect their business interests while respecting employee privacy. 

Continue reading the full version published on Agenda Digitale.

In its judgment of December 19, 2024,  case C-65/23, the Court of Justice of the European Union ruled that (i) the provisions of national collective labor agreements must comply with data protection regulations and that:(ii) ”Should the national court seized of the matter conclude, following its review, that certain provisions of the collective agreement […] do not comply with the conditions and limits set forth by the GDPR, it would be required not to apply such provisions […].”

The case  

The case originates from a claim filed by a German employee, who claimed that the company he worked for was unlawfully processing his personal data. In particular, the company used a SAP software for accounting purposes and the personal data entered in it was transferred to a server located in the United States of America. The company defended itself by claiming that the processing of personal data carried out was lawful because it complied with the provisions of the collective agreements applied in the company.

The employee therefore brought the case before the territorially competent national courts, seeking: (i) access to his personal data, (ii) the deletion of data concerning him and (iii) the recognition of compensation.

The German national judges, called upon to decide the case, raised questions about the scope of the applicability of Article 88 of the GDPR. Article 88 of the GDPR provides that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context […]”.

Can collective agreements establish rules on data processing, even by derogating from the provisions of the GDPR, or must they fully comply with them?

In its ruling, the Court of Justice clarified that when the provisions of a national collective agreement regulate the processing of personal data in the workplace, they must comply with the fundamental principles of the GDPR. The effect must be to bind its addressees (employers and trade unions) to ensure compliance with the principles of lawfulness, fairness, and transparency of the processing, the requirements for lawful consent, and the rules regarding the processing of special categories of personal data.

This means that if a judge were to determine that the provisions of a collective agreement regulating one or more personal data processing activities in the workplace violate the conditions and limits set by the applicable sectoral legislation, the judge would be required to disapply the non-compliant provisions, without the discretion available to the parties to the agreement in determining the “necessary” nature of a personal data processing activity preventing the court from exercising full judicial review in this regard.

Other related insights:    

• Italian Data Protection Authority: no to attendance monitoring via facial recognition and no to monitoring workers’ activities
• Evolving challenges in Employment law and privacy: The challenges for Italian companies (Global Legal Chronicle Italia, 19 November 2024)

Do you know that if you receive an email from an employee of your organization requesting you to update his or her bank details and informing you of the new bank account (IBAN) on which to credit their next salaries, it could be a fraud? 

How does it work? 

Some cyber criminals, by setting up a fake employee mailbox or directly hacking into an employee’s company mailbox, are increasingly sending fake messages to HR managers informing them that they have changed their bank account (IBAN). Reporting the new bank details, which are obviously controlled by the fraudster, they request that future salaries be accredited there.  

How to protect your organization? 

• Never change an IBAN just because you are asked by email, and always check the sender’s email address. 
• It is always preferable to speak by phone or vis-à-vis the employee involved. 

But that is not all. Please consider that improper processing of personal information exposes an organization to the risk of incurring one or more of the breaches set out in the privacy regulations. 

Continue reading the full version published in Norme e Tributi Plus Lavoro del Il Sole 24 Ore.

The Italian Data Protection Authority sanctioned the company Foodinho S.r.l., a Glovo Group company, to pay a fine of EUR 5 million for unlawfully processing the personal data of more than 35,000 riders through its digital platform.   

Following a complex investigation carried out ex officio by the Authority, it revealed that the company, which had already been sanctioned in 2021 for unlawful processing and violations of the provisions of the privacy legislation, was carrying out “numerous and serious violations” of the GDPR. 

Among others, the company:  

1. when de-activating or blocking the rider’s account, it automatically sent a single standard message without informing the recipient of the possibility of contesting the decision and requesting that the account be restored, 
2. carried out automated processing of riders’ personal data without having taken the measures required by the regulations for the use of automated systems. In fact, the rider was not provided with the possibility of exercising the right to obtain human intervention, to express his or her opinion and to contest the decision taken through the system (n.b. on this point also the so-called “Transparency Decree”), 
3. sent, without prior notice, the riders’ personal data, including their geographical location, to third-party companies. The geolocation data were collected and processed even when the rider was not working and even when the app was in the background or not active.  

In addition to the numerous violations of privacy regulations pointed out by the Italian Data Protection Authority and partially reported herein, it is worth mentioning that the Authority highlighted that in this case, the company “while carrying out an activity of systematic control of the work performed by the riders, through the settings and functions of technological tools that operate remotely (digital platform, app, communication recording systems), […], did not comply with the provisions established by Article 4, paragraph 1, of Law no. 300/1970, as it did not verify that the tools used are attributable to the purposes strictly allowed by the law (organizational and production needs, work safety and protection of the environment, and protection of the environment) nor did it activate the guarantee procedure provided for in the event of the existence of one of the aforementioned purposes (collective agreement entered into with trade union representatives or, failing that, authorization by the Italian Labor Inspectorate)”. 

In other words, the company, in addition to implementing technical and organizational security measures aimed at eliminating breaches and ceasing unlawful processing of personal data, must also take appropriate measures to comply with the provisions of the Workers’ Statute on remote control of employees. 

Other related insights: 

• Company e-mail and metadata: the Italian Data Protection Authority updates the guideline document