News
🔒 HR & Facebook
HR teams: stop mining employees’ Facebook posts.
🔎 Autostrade per l’Italia fined €420,000 for… “screening” an employee’s Facebook 🇮🇹
Regulator: GPDP (Italian DPA)
Decision: 10143261
📌 Key facts
1 - Complaint (20 May 2024): a manager alleges her employer collected 🔍 her Facebook posts plus Messenger & WhatsApp messages to justify two disciplinary procedures.
2 - The company claimed a legal basis 📑 via “legitimate interest” (Art. 6(1)(f) GDPR) and produced its Social Media Policy.
3 - The Garante (Italian DPA) found the screenshots included ✍️ private opinions unrelated to professional aptitude.
⚖️ Non-compliance findings
| GDPR Principle | Breach |
|---|---|
| Art. 5(1)(a) Lawfulness / transparency | Collection via third parties, no information notice, no valid legal basis. |
| Art. 5(1)(b) Purpose limitation | Private data reused for employment relationship purposes. |
| Art. 5(1)(c) Data minimisation | Full copies of conversations + irrelevant posts. |
| Art. 88 GDPR & Art. 113 Italian Code | Prohibition on processing an employee’s political / trade-union opinions. |
💥 Verdict
- Multiple violations of Arts. 5, 6, 88 GDPR.
- Administrative fine: €420,000.
- Order to cease similar processing & purge the data.
🚩 Key takeaways for HR & Internal Comms
🔹 Social networks ≠ free-for-all: even public personal info remains protected.
🔹 Legitimate interest? ➜ documented balancing test + clear employee notice.
🔹 Ban “colleague harvesting” or unsolicited screenshots.
🔹 Update ✅ Social Media & IT Use Policies and train managers.
🤔 And you?
Would your organisation draw the “private / professional” line this clearly?
Clarity of rules, information, traceability… the Autostrade case shows a single screenshot can become very expensive.