Employee Monitoring in Italy: what foreign employers often get wrong
For foreign employers, employee monitoring in Italy is rarely just a privacy question. It sits at the intersection of GDPR, the Italian Privacy Code, labour law, industrial relations, and the concrete way a monitoring tool is configured, deployed, and used inside the business.
This article is the fourth in P&S Legal's series on GDPR and foreign companies in Italy, following our earlier analyses of GDPR territorial scope, how operational structures in Italy activate privacy obligations, and when Article 27 GDPR requires an EU representative. Employee monitoring should be read inside that broader operating model, not as a detached HR compliance topic.
Foreign companies often approach employee monitoring in Italy with a familiar assumption: if the employer has a legitimate business reason, gives employees a privacy notice, and perhaps obtains some form of acknowledgment or consent, the monitoring framework is largely in place. In Italy, that assumption is often wrong.
The Italian framework is more structured, and more restrictive, than many international groups expect. It does not ask only whether personal data are processed lawfully under the GDPR. It also asks whether the employer is using tools that can enable remote monitoring of workers, whether the monitoring purpose falls within the narrow purposes admitted by law, whether the required procedural guarantees have been activated, and whether the actual technical configuration of the system remains proportionate over time.
This matters particularly for international groups operating with centralised IT, HR, security, or compliance functions. A tool selected at headquarters and rolled out globally may look perfectly standard from a group governance perspective, yet still create serious legal exposure when applied to employees in Italy. The issue is not only the software. The issue is the legal architecture of monitoring in the Italian employment context.
Why Italy requires a different legal reading
The GDPR expressly allows Member States to adopt more specific rules for processing in the employment context. Italy uses that space through the interaction between the GDPR, the Italian Privacy Code, and the Workers' Statute (Law No. 300/1970). Two provisions are particularly relevant: Article 4, as replaced by Article 23 of Legislative Decree No. 151/2015, which governs remote monitoring, and Article 8 of the Workers' Statute, which prohibits employer investigations into workers' personal opinions and facts unrelated to professional aptitude. Article 8 is often overlooked in cross-border monitoring projects, yet it draws a firm boundary around the categories of personal information an employer may legitimately pursue.
This means that a foreign employer cannot stop the analysis at the usual GDPR layer. In Italy, a monitoring measure may fail even where the employer has identified a conceivable GDPR legal basis, if the labour-law conditions governing remote monitoring have not been respected. The privacy analysis and the employment-law analysis are complementary. One does not replace the other.
That is precisely where many foreign employers misread the problem. They treat employee monitoring as a documentation issue. In reality, it is a design issue. The first legal question is often not whether the privacy notice has been updated, but what exactly the system is doing in practice, and under which Italian legal route it is being introduced.
The core rule foreign employers tend to underestimate
Italian law does not prohibit every form of employer monitoring. But it does sharply regulate the use of systems from which the possibility of remote monitoring of workers may derive. Article 4(1) of Law No. 300/1970 allows such tools only for specific purposes: organisational and production needs, workplace safety, and the protection of company assets. As a rule, the employer must also activate a procedural safeguard, meaning a union agreement or, failing that, authorisation from the relevant labour inspectorate.
There is an important exception for tools used by the employee to perform the work, and for systems that record access and attendance. But foreign employers often overread that exception. A laptop, smartphone, company mailbox, or collaboration platform is not a legal free zone. The fact that a device is assigned to perform work does not mean that any additional monitoring function built on top of it automatically falls outside Article 4. Once the tool is configured or enriched in a way that serves monitoring purposes, the legal analysis changes.
Italian authorities have repeatedly stressed that the same device can move from being a work tool to becoming, in legal terms, part of a remote-monitoring system if the employer adds tracking, filtering, logging, localisation, or analytics features that go beyond what is strictly necessary for the employee to perform the job.
The most common mistakes foreign employers make
1. Treating technical metadata as if it were legally neutral
One of the most common errors is to assume that email metadata, internet navigation logs, delivery reports, or similar system-generated data are merely technical exhaust with no special labour-law significance. The Garante has taken the opposite view. In its guidance on workplace email systems and metadata, it made clear that default configurations of cloud email services can generate preventive and generalised collection of workers' metadata, including sender, recipient, subject line, timestamp, and message size. Where this collection is limited to what is strictly necessary for the functioning and essential security of the email infrastructure, a short retention period may in some cases remain within the narrower exception for work tools. As an orientative benchmark in the Garante's guidance, and following technical assessments under the accountability principle, such retention should normally not exceed 21 days. Beyond that threshold, the collection is likely to move into the stricter regime of Article 4(1), requiring the relevant procedural guarantees.
In 2025, with Decision No. 243 of April 29, 2025, the Garante sanctioned Regione Lombardia over the collection and retention of internet browsing logs and email metadata relating to employees, confirming that the issue is not resolved simply by calling the processing technical or IT-security related. The authority also treated the absence of a prior data protection impact assessment under Article 35 GDPR as a separate violation. For foreign groups, the practical implication is clear: a default Microsoft, Google, or third-party SaaS configuration is not automatically compliant in Italy merely because it is market standard or designed for security administration.
2. Assuming that work devices can be monitored without a second legal step
Another recurring mistake is to think that, because a device is assigned to the employee in order to work, anything the employer does through that device remains within the exemption for work tools. Italian practice is more exacting. The Ministry of Labour has long clarified that PCs, tablets, and smartphones count as work tools only insofar as they serve the employee to render the service. If the employer modifies those tools by adding localisation, filtering, or comparable monitoring functions, the analysis no longer stays within the simple work-tool exemption. At that point, the employer must assess whether Article 4(1) applies and whether the union or labour-inspectorate route must be activated.
This is one of the reasons why global employee-monitoring rollouts often fail in Italy. Headquarters may treat a productivity plug-in, screen-behaviour tracker, browser-control layer, or behavioural analytics module as a standard feature of the group's digital workplace. Italian law asks a different question: is that feature still part of the employee's work tool, or has it become an instrument through which remote monitoring may derive?
3. Believing that notice, policy, or employee consent solves the problem
Foreign employers often try to stabilise the issue through policy language. They circulate an acceptable-use policy, an IT policy, a remote-working policy, or an employee acknowledgment form and assume this covers the deployment. It does not. Under EDPB Guidelines 05/2020, consent in the employment context is generally problematic because of the power imbalance between employer and employee: the Board states that, given this structural asymmetry, freely given consent is possible only in exceptional circumstances. A worker's signature or click-through acknowledgment does not neutralise that asymmetry.
The Garante's 2025 enforcement (doc. web n. 10128005) on geolocation in smart working makes the same point in practical terms. In that case, the employer relied on a system that, upon the employee's consent to geolocation, captured the worker's location at clock-in and clock-out in order to verify that the smart-working activity was being performed from the approved location. The Garante did not accept that structure. It held that the processing pursued a purpose not admitted by the relevant sectoral framework, and that the worker's consent did not cure the unlawfulness. Transparency matters. Internal policies matter. But none of these can legalise a monitoring purpose or monitoring architecture that is unlawful under the applicable employment and data-protection framework.
4. Keeping former employees' mailboxes active or auto-forwarded
International groups frequently underestimate the post-termination phase. From a business continuity perspective, it may seem efficient to leave an employee's mailbox active for months, auto-forward incoming emails to colleagues, or let managers access the account while the handover is being sorted out. Italian enforcement shows why that approach is dangerous. In multiple 2025 decisions (no. 8 of 16 January, no. 364 of 23 June, and no. 386 of 10 July), the Garante found unlawful the continued activation of individualised company email accounts after termination, as well as the automatic forwarding of incoming messages to other corporate accounts for extended periods. The authority also reiterated that company email systems are not a proper substitute for formal records-management or protocol systems. The group sees continuity. The Italian regulator sees excessive retention, continued interception of communications addressed to a named worker, and a failure to design a lawful off-boarding process.
5. Treating smart working as a lighter-control environment
A further mistake is to believe that because remote work creates legitimate managerial concerns, the employer gains wider latitude to verify location, time, connectivity, or presence through digital controls. Italian law does not support that conclusion. In the 2025 geolocation decision, the Garante took issue with a system designed to verify whether the employee in smart working was physically located in the place indicated in the individual agreement. The authority considered that purpose outside the admissible framework and also highlighted the absence of a data protection impact assessment under Article 35 GDPR and failures in the information provided to workers. Smart working does not suspend the legal constraints on employee monitoring. It often increases the need for careful design. Since smart working, geolocation, and the use of company devices raise additional issues of configuration and boundary-setting, we will address that area in a dedicated article.
6. Ignoring DPIA and vendor governance
Where monitoring systems involve systematic observation, behavioural analysis, location data, email metadata, browsing logs, or similar worker-related monitoring patterns, foreign employers often focus on policy documents and overlook the deeper accountability layer. Italian enforcement shows that the Article 35 GDPR data protection impact assessment is not ornamental, and neither is vendor governance under Article 28. In the Regione Lombardia decision, the Garante treated the absence of a prior DPIA as a specific violation in addition to the substantive monitoring issues, and raised shortcomings in the regulation of service providers involved in the processing. A foreign group introducing monitoring technologies in Italy should therefore assess not only the legal theory of the deployment, but also the vendor contract stack, the default settings, the access model, the retention logic, the actual administrators who can retrieve logs, and the traceability of those access events.
A practical sequence for foreign employers assessing monitoring in Italy
A sound Italian assessment should usually follow a visible sequence:
1. Identify the exact system, not just the business objective. Map the actual tool and its functions: CCTV, access control, email metadata retention, internet logs, endpoint monitoring, productivity analytics, call monitoring, location tracking, collaboration-platform analytics, or hybrid configurations. The legal answer depends on what the system really does, not on the business label attached to it.
2. Define the precise purpose and test it against Italian labour-law categories. Ask whether the actual purpose falls within the narrowly recognised grounds that may justify remote-monitoring-capable systems under Article 4(1). Generic references to efficiency, managerial oversight, or quality control are not enough.
3. Determine whether the system falls under Article 4(1) or within a narrow Article 4(2) exception. Do not assume that because the system runs through a work device it is automatically exempt. Review the configuration, the default settings, the retention period, the retrieval capabilities, and whether the system can generate indirect control over worker activity.
4. Build the GDPR layer only after the employment-law route is correct. Once the labour-law path is properly qualified, structure the data-protection layer: legal basis, Article 13 information, retention logic, role allocation, Article 28 processor terms, security measures, access restrictions, and any rules governing disciplinary use of lawfully collected data.
5. Assess DPIA under Article 35 GDPR and accountability before deployment, not after the first complaint. In monitoring contexts, a DPIA is often where the real risk picture becomes visible. It forces the employer to test proportionality, alternatives, data minimisation, retention, and the risk of function creep. Waiting until an inspection or employee complaint defeats the purpose.
6. Coordinate legal, HR, IT, security, and industrial-relations functions. In cross-border groups, monitoring projects often fail because each function sees only its own piece. IT sees infrastructure. Security sees risk. HR sees workforce policy. Legal sees notices and contract clauses. In Italy, these elements need to be integrated before rollout. Otherwise the organisation may deploy a technically elegant but legally unstable monitoring architecture.
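The checker below is an added example, not part of this article and not P&S Legal's material. It turns the checkpoints from the sections on metadata retention, former employees' mailboxes, DPIA and vendor governance, and the six-step sequence above into rules run over an inventory of deployed tools and mailbox states, so that a group can see at configuration level which deployments would need the Article 4(1) route, a union agreement or inspectorate authorisation, a DPIA, or a shorter retention period before rollout in Italy. The inventory rows, field names and the qualification logic (a tool enriched with monitoring functions, or retaining email metadata beyond the 21-day benchmark cited above, is routed to Article 4(1)) are labelled assumptions that simplify the article's reasoning; they are not a vendor's schema.

```python
"""Monitoring-inventory checker (constructed example, assumption-driven).

Rules encode the checkpoints stated in the article; the inventory rows, field
names and the simplified qualification logic are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Purposes the article lists as admitted under Article 4(1) of Law No. 300/1970.
ADMITTED_PURPOSES = {"organisational_needs", "production_needs",
                     "workplace_safety", "asset_protection"}

# Orientative email-metadata retention benchmark cited from the Garante's guidance.
MAX_METADATA_RETENTION_DAYS = 21

# Add-on functions the article names as turning a work tool into a remote-monitoring system.
MONITORING_FUNCTIONS = {"localisation", "filtering", "tracking", "analytics",
                        "extended_logging"}


@dataclass
class Tool:
    name: str
    purpose: str                                  # constructed purpose label
    functions: set = field(default_factory=set)   # constructed feature labels
    metadata_retention_days: Optional[int] = None
    dpia_done: bool = False
    union_agreement_or_authorisation: bool = False


@dataclass
class Mailbox:
    owner: str
    termination_date: Optional[date]
    active: bool
    auto_forward_to: Optional[str]


def classify_tool(tool: Tool) -> str:
    """Assumed simplification of the article's reasoning: a tool enriched with
    monitoring functions, or keeping metadata beyond the benchmark, is treated
    under Article 4(1); otherwise as a plain work tool (Article 4(2) exception)."""
    if tool.functions & MONITORING_FUNCTIONS:
        return "article_4_1"
    if (tool.metadata_retention_days or 0) > MAX_METADATA_RETENTION_DAYS:
        return "article_4_1"
    return "work_tool_exception"


def check_tool(tool: Tool) -> list[str]:
    """Return one finding per checkpoint the tool fails."""
    findings = []
    if classify_tool(tool) == "article_4_1":
        if tool.purpose not in ADMITTED_PURPOSES:
            findings.append(f"{tool.name}: purpose '{tool.purpose}' is not an admitted Article 4(1) purpose")
        if not tool.union_agreement_or_authorisation:
            findings.append(f"{tool.name}: Article 4(1) route without union agreement or inspectorate authorisation")
        if not tool.dpia_done:
            findings.append(f"{tool.name}: remote-monitoring-capable system without an Article 35 DPIA")
    if (tool.metadata_retention_days or 0) > MAX_METADATA_RETENTION_DAYS:
        findings.append(f"{tool.name}: metadata retained {tool.metadata_retention_days} days, above the {MAX_METADATA_RETENTION_DAYS}-day benchmark")
    return findings


def check_mailbox(mb: Mailbox, today: date) -> list[str]:
    """Off-boarding checkpoints: no active account and no auto-forward after termination."""
    findings = []
    if mb.termination_date and mb.termination_date <= today:
        days = (today - mb.termination_date).days
        if mb.active:
            findings.append(f"{mb.owner}: mailbox still active {days} days after termination")
        if mb.auto_forward_to:
            findings.append(f"{mb.owner}: incoming mail auto-forwarded to {mb.auto_forward_to} after termination")
    return findings


def run_assessment(tools: list[Tool], mailboxes: list[Mailbox], today: date) -> list[str]:
    findings: list[str] = []
    for t in tools:
        findings += check_tool(t)
    for m in mailboxes:
        findings += check_mailbox(m, today)
    return findings


# Constructed inventory (not real systems or people).
SAMPLE_TODAY = date(2025, 9, 1)
SAMPLE_TOOLS = [
    Tool("cloud-mail-default", "asset_protection", metadata_retention_days=90),
    Tool("badge-access", "workplace_safety"),
    Tool("smartwork-geolocation", "presence_verification", {"localisation"}),
    Tool("endpoint-dlp", "asset_protection", {"filtering"}, metadata_retention_days=14,
         dpia_done=True, union_agreement_or_authorisation=True),
]
SAMPLE_MAILBOXES = [
    Mailbox("former-employee-a", date(2025, 3, 31), active=True, auto_forward_to="team-inbox@example.invalid"),
    Mailbox("current-employee-b", None, active=True, auto_forward_to=None),
    Mailbox("former-employee-c", date(2025, 8, 15), active=False, auto_forward_to=None),
]

if __name__ == "__main__":
    for line in run_assessment(SAMPLE_TOOLS, SAMPLE_MAILBOXES, SAMPLE_TODAY):
        print(line)
```

Run stand-alone, the script lists eight findings for the constructed inventory: three for the default cloud mailbox (90-day retention pushes it to the Article 4(1) route with neither a procedural safeguard nor a DPIA), three for the geolocation tool (purpose not admitted, no safeguard, no DPIA), and two for the former employee whose account is still active and auto-forwarded; the badge system and the properly documented endpoint tool produce none. The point of the structure is that the checks read configuration facts (retention days, enabled functions, mailbox state), which is the level at which the article says the legal qualification is decided.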
The real issue is governance design, not just compliance paperwork
For foreign employers, the main Italian lesson is not that employee monitoring is impossible. The lesson is that monitoring must be legally engineered. A group-wide tool may still be deployable in Italy. But that conclusion usually depends on a prior exercise of legal qualification, technical scoping, industrial-relations strategy, retention design, and accountability controls. Where those elements are treated as an afterthought, the employer often discovers too late that the system is not problematic because it is invasive in an abstract sense, but because it was introduced through the wrong legal route, for the wrong operational purpose, or with the wrong configuration defaults.
That is why sophisticated employers should resist the temptation to reduce the issue to a privacy notice update, a one-line legitimate-interest assessment, or a generic employee policy. In Italy, employee monitoring belongs to the architecture of governance, not to documentation cosmetics.
If your group is introducing workplace monitoring, security logging, productivity controls, access systems, or other employee-facing technologies in Italy, the key legal question is not whether the software exists or whether the rollout is standard elsewhere in the group. The key question is whether the monitoring architecture is lawful, proportionate, and operationally coherent in the Italian employment context.
P&S Legal works with foreign companies and international groups to map monitoring exposure in Italy, qualify the correct legal route, coordinate the interaction between GDPR and labour-law constraints, and translate group-level control frameworks into governance architectures that can withstand real operational use.