Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

When Private Becomes Professional: Italian DPA Sets Limits on Use of Employee Messages

Introduction 

In a decision dated 21 May 2025, the Italian Data Protection Authority (the Garante) addressed a critical and increasingly frequent issue: the extent to which employers may rely on digital content shared by employees – whether on social networks or messaging platforms – as grounds for disciplinary action. The case stands out for its position on the limits of legitimate interest as a legal basis and the level of protection afforded to personal communications, even when shared in publicly accessible or semi-private digital spaces.

While not yet a uniform trend across the EU, this decision reflects a growing emphasis – seen in certain jurisdictions and EU-level guidance – on aligning HR practices with data protection principles. Once again, the Garante was called to assess the complex interplay between privacy, dignity in the workplace, and the need for lawful, proportionate internal investigations.

Background 

Italian and European legal frameworks offer robust protection for the confidentiality of communications – a right enshrined in the Italian Constitution and in Article 8 of the European Convention on Human Rights (ECHR). These safeguards extend to modern communication formats, including emails, instant messages, and social media interactions.

The Garante has previously clarified, including in employment-related cases, that the availability of personal data on publicly accessible websites or platforms does not in itself justify its further use for unrelated purposes. For instance, the “Code of Conduct for Employment Agencies” reflects this principle, requiring that any reuse of personal data be lawful, proportionate, and consistent with the original context.

The regulatory framework applicable to employee data processing includes key provisions of the GDPR – particularly Articles 5(1)(a) to (c) and 6(1)(f) – which require processing to be lawful, purpose-bound, and necessary. Additional constraints derive from national labour law, such as Article 113 of the Italian Privacy Code, which integrates safeguards from Article 8 of the Workers’ Statute and Article 10 of Legislative Decree No. 276/2003, restricting the use of data obtained outside the employment relationship.

Key facts of the case 

The proceedings stemmed from a complaint filed by a former employee alleging the improper use of personal data by the company in disciplinary proceedings. Specifically, the employer had acquired screenshots of the complainant’s social media posts and private messages via other employees (not by direct monitoring). This information was then used in disciplinary proceedings against the complainant.

The employer claimed that it did not actively seek out the content but simply received it, and that the processing was justified by its legitimate interest in protecting its rights and managing workplace dynamics. 

Following its investigation, the Garante found that the complainant’s social media content was visible only to “friends” and that the private messages in question were inherently confidential in nature. It also noted that the messages were exchanged outside of working hours, through private channels, and were unrelated to job performance. Therefore, the Garante held that the employer’s use of this content required a proper balancing of interests under the GDPR, demonstrating that its legitimate interest did not disproportionately infringe on the employee’s privacy rights. In the Garante’s view, the employer failed to carry out this balancing test adequately.

As such, the Garante concluded that employers cannot freely use employees’ personal content or opinions shared outside the scope of the employment relationship – even if accessible by others or provided by third parties – as doing so, in the Garante’s view, breaches the GDPR principles of lawfulness, purpose limitation, and data minimisation.

The Garante’s decision also established that, under the Italian Privacy Code and Workers’ Statute, personal data obtained from private social networks or messaging apps that is unrelated to professional conduct or performance cannot be used for disciplinary purposes.
An administrative fine of €420,000 was imposed on the employer.

A broader regulatory direction

This decision contributes to an emerging pattern – though not yet consistent across all EU member states – of regulatory caution regarding the use of digital content in HR and disciplinary processes. Certain supervisory authorities, alongside EU-level bodies such as the EDPB, are taking a more structured approach to scenarios where data originally shared in a personal or informal context is later used to support employment-related decisions.

In particular, employers are expected to carry out thorough assessments before relying on such information – including a clear balancing of interests under the GDPR and an evaluation of the relevance and proportionality of the data in light of its potential impacts on the employment relationship. Authorities have held that perceived accessibility or informality of content does not remove the need for compliance with core GDPR principles.

Potential considerations for employers

Organisations operating in or across the EU may consider the following when assessing the permissibility of using employee data in employment-related contexts:

  • Evaluate whether the data is relevant, necessary, and obtained through lawful means, particularly when it comes from private or third-party sources;
  • Avoid relying on informal evidence – such as forwarded messages or screenshots – without assessing its origin and legal implications;
  • Where legitimate interest is relied upon, document a balancing test that considers risks to privacy, freedom of expression, and procedural fairness;
  • Engage the Data Protection Officer (DPO) or legal function early in the process when personal communications may be material to disciplinary or internal review proceedings;
  • Ensure that internal policies, codes of conduct, and investigation procedures reflect a privacy-by-design approach to employee data handling.

These steps may help mitigate regulatory risk and demonstrate good faith compliance with both data protection and employment law obligations.

Looking ahead

The decision highlights that data protection compliance must be embedded into HR governance, especially when private digital content is used in internal investigations or disputes. It also signals that supervisory authorities will continue to test the boundaries of legitimate interest where employee rights are concerned.

As digital communication continues to blur the lines between personal and professional domains, employers are encouraged to regularly revisit their policies and training programmes to ensure they reflect current enforcement expectations.
Tags

gdpr, employment, data, data protection, cyber security, eu digital strategy, investigations, social media