Italy

Privacy and data protection – GPS devices installed on company cars

Impact date: 21 March 2025 The Italian Data Protection Authority (“Garante Privacy”) imposed a fine on a transport company for unlawfully monitoring employees through GPS devices installed on company cars. The devices continuously tracked employees’ location, speed, mileage, and car status.

A former employee of the company raised a complaint about the company’s practice. The Data Protection Authority upheld that complaint, finding several violations. Serious deficiencies were found in the information provided to workers, including the failure to indicate the specific methods by which the processing was carried out and the information relating to the direct identification of the drivers of the geolocated vehicles.

The company was fined €50,000. In addition, the company was ordered to provide employees with a clear information notice regarding the use of their data and to update the tracking system to ensure compliance with the required safeguards (e.g. the anonymization of the data collected and the adoption of technological solutions capable of limiting the collection of personal data that were not necessary or exceeded the purposes of security and company organization).

Employer implications/action needed Employers should ensure that data privacy requirements are adhered to in their use of any monitoring devices, including GPS systems.

Employer risk Employers that breach data privacy requirements could face an administrative fine of up to €20,000,000.00 or if higher up to 4% of a company’s total worldwide annual income from the previous financial year.

Link Italian Data Protection Authority – Newsletter No. 533/2025

Temporary agency workers

Impact date: 27 March 2025 A new law provides that where temporary agency workers are employed on a fixed-term basis, the duration of the relevant agreement cannot exceed 24 months. The Ministry of Labour has clarified that only fixed-term agency assignments that begin after 12 January 2025 will be taken into account for the calculation of 24-month maximum duration limit.

Employer implications/action needed Employers should review their practices regarding temporary agency workers that are employed on a fixed-term basis, specifically fixed-term agency assignments that begin after 12 January 2025 which will be taken into account for the calculation of 24-month maximum duration limit.

Employer risk Failure to comply with the legislation regarding limits on the duration of the agreement might imply the conversion of the relevant agreement into an employment agreement on an indefinite basis.

Link Ministry of Labour – Circular No. 6/2025

Fixed-term employment contracts – probationary periods

Impact date: 27 March 2025 A new law provides that the duration of the probationary period in a fixed-term employment contract is calculated by considering one day of effective work for each 15 calendar days period, with a maximum of 30 days for a 12 month fixed-term term employment contract. The Ministry of Labour has clarified that for contracts exceeding 12 months, the probationary period is a maximum of 30 days, unless otherwise provided by a collective bargaining agreement.

Employer implications/action needed Employers should review their practices regarding the duration of probationary periods in fixed-term employment contracts.

Employer risk As a general principle, probationary periods should not exceed the duration provided for law/applicable NCBA. Whether, a probationary period clause is deemed as null, such clause should be considered as not included in the employment agreement and, as a consequence, the relevant agreement should be considered on indefinite basis from the commencement date.

Link Ministry of Labour – Circular No. 6/2025

Resignation

Impact date: 27 March 2025 A new law has established that an employee’s unjustified absence that exceeds the duration provided for by the applicable collective agreement (or, in the absence of which, exceeding 15 days) will result in the termination of the employment relationship, deemed as the employee’s resignation.

This resignation procedure is an alternative to disciplinary dismissal and does not apply where formal certification of the resignation is required by law.

Employer implications/action needed In the event of unjustified absence exceeding the duration set in the applicable collective agreement (or, in its absence, more than 15 days) the employer should notify the Labour Authority (“ITL”) starting from the 16th day of absence. Within the following five days, the employer should then formalize the termination by submitting the mandatory form (“UNILAV”) to the National Social Security Authority (“INPS”). The employment relationship will officially end on the date reported in such form, which cannot be earlier than the date in which ITL has received the notice.

Employer risk N/A

Link Ministry of Labour – Circular No. 6/2025

Privacy and data protection – remote control on employees working from home

Impact date: 8 May 2025 The Italian Data Protection Authority (“Garante Privacy”) imposed a fine on an employer for unlawfully monitoring the geographical location of remote working employees.

An employee of the company raised a complaint about the employer’s use of a geolocation-based clock-in system for remote working employees. The Data Protection Authority upheld the complaint and found several violations. Notably, the employee had been instructed by his manager to activate the geolocation feature via a mobile app, thereby enabling the employer to verify that the employee’s working location matched the address indicated in the individual remote working agreement. The data collected was also used for disciplinary purposes.

Despite the existence of a Trade Union agreement and the employees’ explicit consent, the Data Protection Authority found that the processing was unlawful. It held that the employer’s need to monitor work performance could not justify such an intrusion into employees’ private lives. The company was therefore fined €50,000.

Employer implications/action needed Employers should ensure that any monitoring systems used when employees perform the tasks assigned under remote working respect employee privacy and comply with data protection laws, regardless of whether consent has been obtained.

Employer risk Employers that breach data privacy requirements may face an administrative fine up to €20,000,000.00 or if higher up to 4% of a company’s total worldwide annual income from the previous financial year.

Link Italian Data Protection Authority – Newsletter No. 534/2025

Back to top ↑

Contact

Marcello Floris Executive Partner

E: marcellofloris@eversheds-sutherland.it T: +39 028 928 71

View bio →

Valentina Pomares Executive Partner

E: valentinapomares@eversheds-sutherland.it T: +39 028 928 71

View bio →
eversheds sutherland logo white

© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.