“The use of biometric data in the workplace is permitted only if explicitly provided by specific legal provisions that protect employees’ rights. Such processing must serve a public interest and meet the criteria of necessity and proportionality with respect to the pursued objective”. This was reaffirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) in its provision No. 167 of March 27, 2025, published in the official newsletter on June 25, 2025.

First, it is important to recall that biometric data are defined by Regulation (EU) 2016/679 (the “GDPR”) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data” (Art. 4, point 14). When used to uniquely identify individuals, they fall within the “special categories” of personal data under Article 9 due to their sensitivity, stemming from their close and stable connection with a person’s identity.

The general rule is that the processing of biometric data is prohibited, with exceptions listed under Article 9, paragraph 2, of the GDPR. In the employment context, such processing is lawful only when it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”, provided it is authorized by Union or member State law or a collective agreement under member State law, with appropriate safeguards in place to protect the fundamental rights and interests of the data subject.

In other words, processing biometric data in the workplace is lawful only when based on a valid legal provision that serves as an appropriate legal basis. Currently, there are no specific Italian laws authorizing the use of biometric data for the purpose of tracking employee attendance, nor do such provisions define the necessary safeguards.

This lack of a legal basis cannot be overcome by obtaining employee consent. In the words of the Authority: “Given the power imbalance inherent in the employment relationship and the resulting need to verify, in each case, the employee’s genuine freedom of consent, such consent does not, as a rule, constitute a valid lawful basis for the processing of personal data in the workplace, regardless of whether the employer is a public or private entity”.

Other related insights:

The use of devices to record conversations in the workplace raises legal and privacy issues, with implications for security and workplace relations.

The spread of technologies capable of recording conversations has forced companies to address a new and sensitive reality: how to manage and regulate the recording of workplace conversations, in compliance with legal requirements and while preserving internal trust.

Technological evolution and new challenges for companies

It’s a well-known fact: technology evolves at a pace that often outstrips both regulation and collective awareness. An increasingly common phenomenon is the use, by employees, of magnetic devices or smartphone apps that enable the recording of phone calls, meetings on platforms such as Teams or Zoom, or in-person conversations.

Alongside these tools, there are also real-time transcription software solutions and artificial intelligence systems (such as ChatGPT), capable of summarising large amounts of audio data.

The latest recording devices are small, discreet, and easily connected to smartphones — and, most importantly, accessible to everyone in terms of both availability and cost.

One of the most striking aspects is that this often happens without the knowledge of those involved. When such recordings are made in a workplace setting, the issue becomes highly complex. How can — and should — an employer deal with these situations?

Today, these topics represent a new frontier in the management of issues such as know-how, personal data protection, transparency, and corporate security.

Lawful and unlawful recordings under Italian law

Italian legislation on recordings is complex. Leaving aside, for the purposes of this discussion, all provisions regarding interceptions ordered by the Judicial Authority, it is worth examining the rules on the recording of conversations (telephone or in-person) made by private citizens who directly participate in the dialogue and make recordings without the knowledge of the other parties. On this point, case law—particularly that of the Court of Cassation—has developed a consolidated stance.

According to the prevailing and consistent position of criminal case law, an audio recording of an in-person conversation, carried out on one’s own initiative by one of the participants, does not fall within the legal concept of an “interception” in the technical sense. The reasoning is that anyone engaging in a conversation accepts, to some extent, the risk that it might be documented by means of a recording.

In light of this position, the lawfulness of the recording is therefore strictly linked to the recorder’s participation in the conversation.

However, such lawfulness has limits. These limits are determined by the spatial context and the use of the recordings.

As far as spatial context is concerned, a recording remains lawful if it is made inside the recorder’s own home, in a location pertaining to them (such as their workplace), or in a public place or one open to the public.

Conversely, a recording made inside the private home of the recorded party, or in another private location belonging to them, is considered unlawful, as it may constitute the criminal offence of unlawful interference with another person’s private life (Article 615-bis of the Italian Criminal Code).

Recordings and data processing under the GDPR

In this context, it should be noted that processing a recording of conversations constitutes the processing of personal data within the meaning of Article 4 of EU Regulation 2016/679 – the “GDPR”.

In such cases, if the purpose of the recording is to establish or defend a right in legal proceedings, the processing of personal data (and therefore the recording itself) can be carried out without the data subject’s consent and without prior information, provided the data are processed solely for those purposes and for only as long as strictly necessary. This principle, although expressed in relation to pre-GDPR law, is consistent with the legal bases for processing under the GDPR: for example, Article 6(1)(f), which recognises legitimate interest, includes legal defence.

Evidentiary value and disciplinary limits of recordings

In general, recordings of conversations (telephone or in-person) made in this way are admissible in civil proceedings. Their evidentiary value is, of course, subject to verification of authenticity, but the Court of Cassation has clarified that the audio recording of an in-person conversation made by an employee and concerning a discussion with the employer does not constitute a disciplinary offence and does not undermine the relationship of trust, as it is justified by the exercise of the right of defence.

Read the full version published on Agenda Digitale.

The employer may collect employees’ Internet browsing logs and email metadata only under specific conditions and safeguards. This was affirmed by the Italian Data Protection Authority (i.e. “Garante Privacy”) when imposing a €50,000 fine on the Lombardy Region (Provision No. 243 of April 29, 2025).

As stated on the Authority’s official website, this ruling follows an inspection aimed at verifying the Region’s compliance with privacy regulations concerning the processing of employee data. The measure comes almost a year after the publication of the guidance document titled “Programs and IT services for managing e-mail in the workplace and the processing of metadata” (Provision No. 364 of June 6, 2024).

Although this case specifically involved public administration, it is worth clarifying that all findings, observations, and clarifications issued by the Authority fully apply to private-sector data controllers as well.

Metadata and Internet browsing logs

“Metadata” refers to information related to the sending, receiving, and routing of messages. This may include the sender’s and recipient’s email addresses, IP addresses of the servers or clients involved in message routing, timestamps of sending, retransmission or receipt, message size, presence and size of any attachments, and, in certain cases depending on the email management system used, even the subject of the sent or received message.

Browsing logs, on the other hand, allow tracking of activities during web navigation and contain data such as visited IP addresses, URLs of opened web pages, connection times and durations, type of device and browser used, as well as any downloads or uploads performed.

The June 6, 2024, guidance clarifies that the maximum retention period for such data is 21 days. Any retention beyond this period is permissible only under specific conditions that justify the extension, and, in any case, one of the safeguards provided by Italian law under Article 4 of Law No. 300/1970 (the Workers’ Statute) must be satisfied: (i) an agreement with trade unions or, failing that, (ii) authorization from the local Labour Inspectorate.

This is because all such information allows the employer to identify behavioral patterns, understand workers’ relationships and habits, and infer elements such as performance and productivity. In other words, it may amount to indirect remote monitoring of employees’ activities.

Violations detected and sanctions imposed

During the Authority’s inspection, it emerged that the Region retained:

  • E-mail metadata for 90 days — violation resulting in a €20,000 fine for unlawful data processing,
  • Internet browsing logs for 12 months — violation resulting in a €25,000 fine,
  • Help desk ticket registry data for 10 years — violation resulting in a €5,000 fine.

Recommended actions to ensure compliance with current legislation

  • Provide information notices to all data subjects concerned.
  • Conduct a legitimate interest assessment and a data protection impact assessment to evaluate and mitigate risks.
  • Define data retention periods in line with current legislation and the Authority’s guidelines or, where specific needs arise (which must be justified and demonstrated), fulfill one of the safeguard conditions under Article 4 of the Workers’ Statute.
  • Update and align internal documentation accordingly.
  • Restrict access to such data exclusively to specifically authorized personnel.
  • Respect the principle of data minimization and implement adequate security measures, such as encrypting metadata and logs.
  • Update contracts with third-party providers to ensure compliance with Article 28 of the GDPR.
  • Continuously monitor compliance levels and, where necessary, implement appropriate updates and improvements.

Other related Insights:

The Regional Administrative Court (i.e. “Tribunale Amministrativo Regionale,” or “TAR”) of Tuscany recently annulled the denial issued by the local labor inspectorate (i.e. “Ispettorato Territoriale del Lavoro” or “ITL”) concerning a company’s request to install additional surveillance cameras at the perimeter of its industrial site. The Court clarified that even outdoor areas where work activities occur only occasionally or intermittently still qualify as “workplaces” under Italian law.

The case

The case originated from a request submitted by a company to the competent ITL — as provided by Article 4 of the Italian Workers’ Statute (Law No. 300/1970) — whereby the company approached the Public Administration after failing to reach an agreement with the corporate trade union representatives. Specifically, the company’s request outlined that, despite the presence of an existing surveillance system installed along the perimeter of the corporate premises, there was still a need to install an additional nine cameras. These cameras were to be placed in a peripheral area of the industrial facility to monitor the proper disposal of waste in designated unloading areas — areas that were also used by external parties — in order to prevent risks to worker safety, fire hazards, environmental damage, and to protect the company’s assets.

The ITL’s denial was based on its classification of the areas as “workplaces” and the perceived disproportion of the measure, which was deemed inappropriate in relation to the risks involved.

The Regional Administrative Court’s decision

The Court found the company’s appeal to be valid for the following reasons:

  • Evidence in the case file showed that the areas where the company wanted to install the nine new cameras and for which the company sought authorization from the ITL were mainly frequented by external contractors, with employees only occasionally present (when performing specific tasks).
  • Even outdoor areas where work activities are carried out only occasionally or intermittently must be considered “workplaces.”
  • However, this fact alone was not sufficient to justify the denial: under the relevant case law, workers in such areas are not directly monitored but merely fall within the cameras’ field of view (see Italian Supreme Court, Civil ruling no. 3045/2025). The ITL had not established that the areas in question were habitually frequented by employees. On the contrary, according to the evidence provided by the claimant, these spaces were primarily used by external contractors, with employees only occasionally present.
  • There was no indication that the ITL had carefully considered the company’s legitimate needs, which ranged from enhancing safety (including environmental safety) to safeguarding the integrity and appearance of the company’s assets.
  • It was also not taken into account that the privacy of employees is reduced in areas where external parties are present (see Italian Supreme Court, Civil ruling no. 3045/2025), and the ITL overlooked the fact that the data storage period for the new cameras (72 hours) was shorter than the storage period for the existing system (96 hours), which was already authorized.

Other related insights:

Managing employee surveillance is a sensitive issue, especially with the rise of new technologies. Recent rulings from Italy’s Court of Cassation have clarified the legal boundaries surrounding this practice.

The role of investigative agencies

Employers may use private investigators to check potential employee misconduct, such as unapproved absences or misuse of leave. However, these investigations must be focused, proportional, and lawful, ensuring they do not interfere with an employee’s work duties.

Monitoring company devices

Employers may need to access employees’ work tools, such as email accounts or laptops, especially when there is reasonable suspicion of misconduct. The Italian Supreme Court has recently clarified that checking an employee’s email is only permitted when there is concrete suspicion, and such checks must not be arbitrary or excessive.

Balancing business needs and employee privacy

It is essential to strike a balance between business needs and employee privacy. Surveillance must be justified, proportionate, and never indiscriminate. Employers must ensure they follow legal guidelines to avoid misuse of the information collected.

Best practices

  • Reasonable suspicion: Surveillance should be based on a clear and justified suspicion of misconduct.
  • Proportionality: Monitoring should be proportionate to the potential risk to the company.
  • Legal compliance: Employers must ensure surveillance practices comply with labor laws and privacy regulations.

By following these principles, employers can protect their business interests while respecting employee privacy.

Continue reading the full version published on Agenda Digitale.