Retrospective employer monitoring: a further restriction on legitimacy?

The issue of retrospective employer monitoring, even when carried out through technological tools, has been further clarified by a significant judicial ruling. With Order No. 807/2025 of January 13, the Italian Supreme Court of Cassation appears to have further narrowed the scope of legitimacy for such monitoring, establishing that it may be deemed lawful only if it concerns information acquired after the emergence of a well-founded suspicion of employee misconduct.

This principle, reaffirming the position expressed by a lower court (Tribunal of Rome, First Labor Section, Judgment No. 1870/2024), introduces a strict limitation on the employer’s ability to monitor employees’ email accounts.

The case and the judicial proceedings

The case before the Supreme Court originated from the dismissal of a manager by a company, justified by the acquisition of information through a review of the manager’s corporate email account. This monitoring activity had been initiated following an “alert” generated by the company's IT system, indicating a potential anomaly. However, the Court of Appeal (Court of Appeal of Milan, Judgment No. 235/2022) found that the monitoring activity included an analysis of log files containing information predating the emergence of the alert, rendering such information inadmissible for disciplinary purposes. The Court of Appeal also ruled out that the mere provision of a privacy notice to the employee could remedy the breach of Article 4 of Law No. 300/1970, as amended by Legislative Decree No. 151/2015 (“Italian Workers’ Statute”).

The employer subsequently filed an appeal with the Supreme Court of Cassation, which upheld the Court of Appeal’s decision, reaffirming the strict conditions under which defensive employee monitoring, including through technological means, may be considered lawful. These safeguards are established under both labor law and data protection regulations (i.e., Regulation (EU) 679/2016, “GDPR”, and Legislative Decree No. 196/2006 as amended by Legislative Decree No. 101/2018 and subsequent amendments, “Privacy Code”; hereinafter collectively referred to as the “Privacy Regulations”).

The safeguards for defensive employee monitoring

The monitoring activity examined in the Supreme Court’s rulings falls within the category of strict defensive employee monitoring (controlli difensivi in senso stretto), that is, monitoring aimed at detecting unlawful conduct that, based on concrete evidence, can be attributed to individual employees, even if the monitoring occurs during working hours.

Case law (Italian Supreme Court, Labor Section, Nos. 25732/2021, 34092/2021, 18168/2023) consistently holds that this type of monitoring, unlike broader defensive employee monitoring (controlli difensivi in senso lato), does not fall within the scope of Article 4 of the Italian Workers’ Statute, provided that specific conditions are met (for further details, see our previous contribution available on AgendaDigitale, in Italian). In particular, the employer’s monitoring shall:

  • be aimed at protecting assets unrelated to the employment relationship or preventing unlawful behavior;
  • be conducted based on a well-founded suspicion of misconduct and performed ex post, only after such suspicion has arisen;
  • ensure a proper balance between the business interests and assets, linked to economic freedom, and the fundamental protection of employee dignity and privacy;
  • be carried out in compliance with the Privacy Regulations and relevant regulatory authority decisions (e.g., the Italian Data Protection Authority’s Guidelines applying to the use of e-mails and the Internet in the employment context, dated March 10, 2007; the June 6, 2024, Document on “Software and IT Services for Email Management in the Workplace and Metadata Processing”). These guidelines require compliance with GDPR principles, impose specific information obligations (such as a clear privacy notice under Article 13 of the GDPR and an internal policy governing IT tools), and establish strict data retention periods. Notably, metadata/logs necessary for ensuring email system functionality should not be retained for more than 21 days, except where specific needs justify a longer retention period.

How does this ruling differ from previous jurisprudence?

The key innovation introduced by the Supreme Court concerns the concept of a “well-founded suspicion”, which serves as the temporal and logical prerequisite for initiating defensive monitoring, including through technological means. While an “alert” generated by the IT system may, in theory, give rise to such suspicion, the Court ruled that reviewing archived and stored data predating the alert violates Article 4 of the Italian Workers’ Statute.

The Supreme Court clarified that:

  • ex post monitoring shall concern only information acquired after the emergence of the well-founded suspicion;
  • employers are prohibited from searching past work records and archived data to retroactively confirm suspicions and using such data for disciplinary purposes;
  • using data collected before the suspicion arose would disrupt the balance between business interests and employee rights, effectively legitimizing the retrospective use of pre-existing data regardless of any concrete suspicion of misconduct.

Practical implications for employers

The Supreme Court’s ruling significantly restricts the legitimacy of retrospective employer monitoring, aligning with the position already taken by lower courts (such as Judgment No. 1870/2024 of the Tribunal of Rome, which we previously analyzed on AgendaDigitale). Under previous jurisprudence, while the monitoring activity itself had to be conducted ex post, it could include information gathered before the suspicion arose. With this ruling, however, the Supreme Court holds that only information acquired after the suspicion arises can justify potential disciplinary action.

While significant, this ruling reinforces a principle already affirmed by the Italian Data Protection Authority (“DPA”): corporate email should not serve as a tool for preemptively collecting potential future evidence, as it is primarily a work instrument. The processing of employee email data for legal protection purposes should be strictly limited to ongoing or imminent legal disputes, excluding broad or hypothetical justifications (Italian DPA, Decision No. 472 of July 17, 2024; for further details, please refer to our previous contribution).

Consequently, while ensuring compliance with Privacy Regulations, employers are effectively left with two options:

  1. conduct retrospective employee monitoring, including through technological means, by meeting the safeguards required under Article 4 of the Workers’ Statute, that is, either through an agreement with trade unions or, failing that, by obtaining authorization from the territorial labor inspectorate;
  2. implement alternative systems to corporate email.

As noted by the Italian DPA (Decisions No. 53/2018, Doc. Web No. 8159221; No. 214/2020, Doc. Web No. 9518890; No. 472/2024, Doc. Web No. 10053224), corporate email systems, due to their inherent characteristics, do not guarantee authenticity, integrity, reliability, readability, and retrievability—features necessary for proper document storage and archiving. As a result, employers seeking to ensure the preservation of critical business documentation should consider adopting dedicated document management systems.