
WhatsApp, social media and employee rights: Italian DPA's latest ruling

Published Date: Jun 27 2025

The Italian Data Protection Authority has issued a new decision that further restricts employers’ ability to use information from third-party reports, private conversations, or social media posts as evidence in disciplinary proceedings. This decision adds to the ongoing debate on the subject, both before the authority and in Employment Courts, and introduces additional constraints—particularly regarding the use of message conversations that may have disciplinary relevance. 

Background  

In a decision dated May 21, 2025, and published around a month later, the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority, or DPA) ruled on the legitimacy of the processing of an employee’s personal data by a large, prominent company in Italy. The case originated from a complaint brought by an employee who alleged that the company had unlawfully used data from her private social media and messaging accounts (Facebook, Messenger, WhatsApp) in the context of disciplinary proceedings that had concluded with her dismissal for cause. The company had received screenshots and messages from other employees and third parties containing defamatory content about the employer, which were then used as evidence in two disciplinary actions. While the civil actions brought by the employee to challenge her dismissal were pending before the competent Employment Court, the DPA’s investigation focused on whether the collection and use of that data complied with the principles of lawfulness, purpose limitation, and data minimization as required by the EU General Data Protection Regulation (GDPR) and Italian privacy law.

Legal reasoning 

The DPA found that the company’s use of private communications and social media content constituted a “processing” of personal data under the GDPR, regardless of whether the company had actively sought out the information or passively received it from third parties (which, in that case, had not happened). The DPA emphasized that even the mere receipt and subsequent use of such data in disciplinary proceedings is sufficient to trigger data protection obligations. The company argued that its actions were justified by its legitimate interest in managing the employment relationship and defending its rights, but the DPA found that this interest did not override the employee’s fundamental rights to privacy and data protection, especially given the expectation of confidentiality in private chats and closed social media groups. 

A key aspect of the decision was the distinction between data made publicly available and data shared within a closed or private context. The DPA noted that even if information is accessible to a limited group (such as Facebook friends or participants in a private chat), there is a legitimate expectation of privacy. The use of such information by the employer for purposes unrelated to the original context, such as a disciplinary action, requires a careful balancing of interests and, in most cases, a specific legal basis. The DPA also highlighted that Italian law (notably Article 8 of Law 300/1970 and Article 113 of the Privacy Code) prohibits employers from collecting or processing information about employees’ opinions or facts irrelevant to their professional role, regardless of how the information is obtained.

The decision  

The DPA concluded that the company had violated several key principles of the GDPR—lawfulness, purpose limitation, and data minimization—since the company had failed to demonstrate that it had conducted a proper balancing test or considered less intrusive means to achieve its objectives. Furthermore, the data used in the disciplinary proceedings related to personal opinions and private communications that were not relevant to the employee’s professional role. The Authority also rejected the company’s reliance on its internal social media policy, stating that such policies cannot override statutory privacy protections. As a result of these findings, the DPA declared the company’s processing of the employee’s personal data to be unlawful and imposed a significant administrative fine of EUR 420,000. The decision underscores the heightened level of protection afforded to employees’ personal data in the workplace, particularly regarding private communications and opinions expressed outside the scope of employment.

Conclusions 

It is unknown if this decision will have an impact on the cases pending before the Employment Court on the legitimacy of dismissals served at the end of disciplinary proceedings, since—according to the Italian Privacy Code—judges have the power to take into consideration information even where its processing is deemed unlawful from a data protection perspective. 

In any event, the strict interpretation provided by the DPA risks further restricting the kinds of activities available to employers, such as investigations and defensive controls. These activities are already subject to several restrictions and safeguards in respect of employees, under both statutory legal provisions and the case law of the Employment Courts, including the Supreme Court. The decision therefore puts at further risk any possible action by companies to defend their interests, especially if the information is passively obtained in the context of reports made by other parties.

 
