GDPR, Jun 2, 2026

Garante per la protezione dei dati personali (Italy) - 342/2026

Italy's DPA warns AI emotion-inference system used for workplace stress monitoring risks GDPR violations.

Summary

Italy's data protection authority (Garante) issued a warning in case 342/2026 regarding an AI system that infers employee stress levels in the workplace. While the DPA found no current GDPR violation because data was not transferred to employers and subjects could not be identified from reports, it ordered the controller to implement safeguards against future disclosure of personal data. The decision emphasizes that AI systems inferring emotions in the workplace violate the EU AI Act Article 5(1)(f) and require compliance with GDPR design principles and transparency requirements.

Full text

From GDPRhub. Latest revision as of 11:41, 2 June 2026.

Holding

The DPA first clarified that the company providing the system acted as a controller in relation to the data subjects, and not the employers who purchased the system. According to the DPA, employers are technically prohibited from accessing the data processed by the controller to provide the service, and would in any case lack a valid legal basis to do so under the GDPR. The DPA compared this to employers entering into a contract for the provision of benefits and services to employees (such as health insurance or access to psychological counselling services). While employers can receive reports of the data subjects' stress levels, the DPA concluded that the employer in question did not have sufficient information to identify the data subjects involved.

The DPA also emphasised that the controller has the obligation to comply with the GDPR from the design phase (Article 25 GDPR). In addition, the controller must comply with national provisions that prohibit employers from collecting data that is irrelevant to work activities (Article 113 of the Code, https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29). If this provision is not complied with, the processing is not lawful under Article 88(2) GDPR.

The DPA noted that the controller must also comply with Article 5(1)(f) of the AI Act (https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng), which expressly prohibits the use of AI systems to infer the emotions of a data subject in the workplace. The DPA highlighted that AI systems can generate further inferences in relation to the data originally processed that may not be understandable or verifiable. Therefore, aspects such as model reliability, quality of the data, transparency and explainability are essential conditions to prevent processing activities that are invasive and non-compliant with the GDPR. It is also essential that companies take a prudent approach when adopting AI systems.

The DPA did not find a violation of the GDPR, as the controller did not transfer the data to employers, and the company that received the report was unable to identify specific data subjects. However, the DPA issued a warning, as it could not rule out that the processing activities were likely to infringe the GDPR in the future.

The DPA was concerned about the possibility that companies and entities could, in the future, identify data subjects from the reports provided by the controller. This would result in a violation of Articles 5, 6, 9, 24, 25 and 88 GDPR, and Article 113 of the Code. Therefore, the DPA ordered the controller to implement measures to prevent it from disclosing data from data subjects to their employers in any way, even indirectly.

Garante per la protezione dei dati personali - Case number: 342/2026 Internal number: 10255494

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR; Article 6 GDPR; Article 9 GDPR; Article 24 GDPR; Article 25 GDPR; Article 88(2) GDPR; Article 5(1)(f) of Regulation 2024/1689; Art. 113 of the Code
Type: Investigation
Outcome: Violation Found
Started: 03.06.2025
Decided: 14.05.2026
Published:
Fine: n/a
Parties: Myndoor S.r.l.
National Case Number/Name: Case number: 342/2026 Internal number: 10255494
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: ap

The DPA found that a company providing services to analyse the stress level of employees based on their workplace text messages did not violate the GDPR. However, the DPA issued a warning, stating that it was impossible to rule out that the processing activities were likely to infringe the GDPR.

English Summary

Facts

Myndoor S.r.l. (the controller) is a workplace consulting company. The controller offers a plug-in system that carries out sentiment analysis of messages exchanged by employees (data subjects) that activated the plug-in. The system used AI to analyse the content of messages sent between data subjects in order to assess their stress levels, and generated a report on a w

Entities

Garante per la protezione dei dati personali (Italy) (vendor)
AI emotion-inference systems (technology)
EU AI Act (technology)