News
HR & Facebook
HR teams: stop mining employees’ Facebook posts.
Autostrade per l’Italia fined €420,000 for… “screening” an employee’s Facebook
Regulator: GPDP (Italian DPA)
Decision: 10143261
Key facts
1 - Complaint (20 May 2024): a manager alleges her employer collected her Facebook posts plus Messenger & WhatsApp messages to justify two disciplinary procedures.
2 - The company claimed a legal basis via “legitimate interest” (Art. 6(1)(f) GDPR) and produced its Social Media Policy.
3 - The Garante (Italian DPA) found the screenshots included private opinions unrelated to professional aptitude.
Non-compliance findings

| GDPR Principle | Breach |
| --- | --- |
| Art. 5(1)(a) Lawfulness / transparency | Collection via third parties, no information notice, no valid legal basis. |
| Art. 5(1)(b) Purpose limitation | Private data reused for employment relationship purposes. |
| Art. 5(1)(c) Data minimisation | Full copies of conversations + irrelevant posts. |
| Art. 88 GDPR & Art. 113 Italian Code | Prohibition on processing an employee’s political / trade-union opinions. |

Verdict
- Multiple violations of Arts. 5, 6, 88 GDPR.
- Administrative fine: €420,000.
- Order to cease similar processing & purge the data.
Key takeaways for HR & Internal Comms
- Social networks ≠ free-for-all: even public personal info remains protected.
- Legitimate interest? Documented balancing test + clear employee notice.
- Ban “colleague harvesting” or unsolicited screenshots.
- Update Social Media & IT Use Policies and train managers.
And you?
Would your organisation draw the “private / professional” line this clearly?
Clarity of rules, information, traceability… the Autostrade case shows a single screenshot can become very expensive.