Italian DPA's Ruling on Employee Privacy: Social Media and WhatsApp Evidence

In a landmark ruling dated May 21, 2025, the Italian Data Protection Authority (DPA) has significantly restricted the ability of employers to utilize information obtained from third-party reports, private conversations, and social media platforms as evidence in disciplinary actions against employees. This decision has sparked renewed debate regarding employee privacy rights in the digital age, particularly in the context of workplace disciplinary proceedings.
The case in question arose from a complaint by an employee who alleged that her employer had unlawfully accessed her private social media and messaging accounts, specifically Facebook, Messenger, and WhatsApp, during the course of disciplinary actions that led to her dismissal. The company had gathered screenshots and messages from colleagues and external parties containing derogatory remarks about the employer, which were then presented as evidence in two separate disciplinary hearings. The Italian DPA's investigation sought to determine whether the use and processing of this personal data were compliant with the principles outlined in the European Union's General Data Protection Regulation (GDPR) and domestic privacy laws.
According to Dr. Elena Rossi, a privacy law expert and Professor at the University of Milan, "The DPA's ruling underscores the importance of adhering to lawful data processing principles, especially when it concerns private communications. This case highlights the need for a clear distinction between public and private data."
The DPA concluded that the company's actions constituted processing of personal data under the GDPR, irrespective of whether the data was actively sought or merely received. Even passive receipt and use of such information in disciplinary contexts trigger obligations under data protection laws. The company contended that its actions were justified by a legitimate interest in managing employment relationships; however, the DPA found that this interest did not outweigh the employee's fundamental rights to privacy, particularly given the expectation of confidentiality in private communications.
The ruling emphasized that information shared within closed or private contexts, even if accessible to a limited audience like friends or chat group members, carries an inherent expectation of privacy. The use of such information for purposes unrelated to its original context, such as disciplinary actions, necessitates a careful balancing of interests and a specific legal basis. The DPA noted that Italian law, specifically Article 8 of Law 300/1970 and Article 113 of the Privacy Code, prohibits employers from collecting or processing information regarding employees' opinions or facts that are irrelevant to their professional roles, regardless of how the information is obtained.
In light of these findings, the DPA determined that the employer had violated crucial GDPR principles, specifically lawfulness, purpose limitation, and data minimization. The authority stated that the company failed to conduct a proper balancing test and did not consider less intrusive means to achieve its objectives. Consequently, the DPA imposed a significant administrative fine of EUR 420,000 on the company, reinforcing the stringent protections afforded to employees regarding personal data in the workplace.
The implications of this ruling could extend beyond the specific case at hand. Legal experts suggest that the decision may affect ongoing cases in Employment Courts regarding the legitimacy of dismissals based on similar grounds. As noted by Claudio Chiarella, an attorney specializing in employment law at A&O Shearman, "The DPA's interpretation could limit the ability of employers to defend their interests, especially when information is obtained indirectly through reports from third parties."
This decision illustrates a critical shift in the landscape of employee rights and privacy in Italy, particularly as digital communication becomes increasingly integrated into professional settings. The ruling calls into question existing practices and policies that allow employers to monitor and utilize data derived from employees' private communications and highlights the need for businesses to reassess their data handling practices to align with stringent privacy regulations.
As the legal landscape continues to evolve, companies must navigate the complexities of employee privacy rights while balancing organizational interests. The DPA's ruling serves as a significant reminder of the importance of adhering to privacy laws in an era where digital communication plays a pivotal role in workplace dynamics.