The Italian Data Protection Authority (Garante) has fined a company EUR 420,000 for violating privacy laws in the workplace. The decision centers on the employer’s use of content from Facebook, WhatsApp, and Messenger—shared from the employee’s personal accounts—for disciplinary purposes.
This ruling will have serious repercussions for any employer operating in Italy, especially those dealing with internal investigations that touch on social media or private messaging platforms.
The Garante’s message is clear: even in the workplace, privacy must be respected, and breaching it can result in heavy fines.
The Case: Private Isn’t Public—Even at Work
The case began when an employee filed a complaint, challenging the lawfulness of two disciplinary measures taken against her. The employer had cited:
- Posts published on her closed Facebook profile;
- Private messages exchanged on Messenger with a third party;
- WhatsApp messages shared with colleagues.
The content hadn’t been actively monitored or scraped by the company. Instead, it was voluntarily forwarded to management by co-workers and others involved in the conversations. The company claimed it had no “active role” in collecting the data and justified its use under the GDPR’s legitimate interest basis.
But according to the Garante, this passive reception of data did not exempt the company from privacy compliance obligations.
The Garante’s Key Findings
The Garante took a firm stance on three points:
- Using content—even when received passively—is still data processing. Once the employer decided to use the messages and posts in disciplinary procedures, it engaged in full processing under GDPR.
- A closed Facebook profile implies a reasonable expectation of privacy. Content shared only with “friends” cannot be considered public. Therefore, the company should have assessed whether using that data respected the employee’s rights.
- Messenger and WhatsApp are protected forms of communication. Even if content is forwarded by a participant in the conversation, this does not authorize an employer to use it unless a proper legal basis exists.
Why the Legitimate Interest Argument Failed
The company attempted to rely on Article 6(1)(f) GDPR—legitimate interest—to justify the processing. However, the Garante highlighted several shortcomings:
- No documented balancing test was provided;
- The company didn’t show that the disciplinary goals could not be achieved without infringing on privacy;
- The employee had no reasonable way to expect her private conversations would be used against her at work.
Moreover, the Garante emphasized that in Italy, employment-related data processing is subject not only to the GDPR but also to Article 113 of the Italian Privacy Code (Legislative Decree 196/2003), which preserves the Workers' Statute safeguards for employees: an employer may not investigate, or base assessments or disciplinary action on, an employee's personal opinions or beliefs, or on facts unrelated to professional aptitude.
The Broader Impact on Employers in Italy
This decision sends a strong message: workplace privacy is not optional, even in the face of disciplinary concerns.
Employers must now:
- Think twice before using personal communications in internal proceedings against employees, even if those communications are handed over by others;
- Conduct and document a detailed balancing test if relying on legitimate interest;
- Avoid using private messaging data or social media posts unless they are clearly relevant, proportionate, and legally justifiable;
- Align internal policies—such as social media and IT use policies—with GDPR and national law;
- Respect the boundaries between employee conduct and private expression, especially when expressed on platforms like WhatsApp or Facebook.
A Warning Shot: EUR 420,000 Fine and Public Sanction
The company was ultimately found to have breached Articles 5, 6, and 88 of the GDPR and Article 113 of the Italian Privacy Code. The fine of EUR 420,000 reflects the Garante's view that the violations were not minor.
In addition to the financial penalty, the Garante ordered the publication of the decision on its website, amplifying the reputational impact of the case.
This dual penalty—economic and reputational—should be a wake-up call for any company operating in Italy or managing employees whose private digital behavior might intersect with corporate compliance.
Final Takeaways
The case is a clear signal that the privacy of employees in the workplace remains protected, even when messages and social media content circulate beyond their original audience.
Companies must remember:
- A forwarded message is not a license to investigate.
- Personal posts—unless clearly public—are not fair game.
- Italy takes employee privacy seriously, and the fines will match the offense.
If you’re unsure whether your internal disciplinary processes align with GDPR and national law, now is the time to review your policies. Because in today’s digital workplace, privacy breaches don’t go unnoticed—and they don’t go unpunished.
On the same topic, you can read the article "The Garante Issues First GDPR Fine Over Employees' Email Metadata Privacy Breach in Italy".