AI in companies entails risks related to data security and the protection of know-how. Organizations need appropriate policies to ensure ethical and compliant use.

If an employee uses artificial intelligence systems – often generative ones – to carry out their work, they may, more or less consciously, share company know-how and personal information with external, and thus unauthorized, parties.

The risks of AI in the company, explained by the AI

In an attempt to answer this question, we asked one of the parties directly involved: the AI itself. Below, point by point, are the main red flags related to the adoption of generative AI that it pointed out to us.

According to the AI, allowing workers to use these technologies could entail for a company:

  • issues related to IT governance and security management,
  • violations of data protection regulations,
  • commission of discriminatory behavior arising from the biases contained in the data it has been trained with,
  • excessive dependence of workers on artificial intelligence which, in the most serious cases, risks eroding the decision-making and critical faculties typical of human beings.

These are all interesting points, to which one must add the risk of disclosure of corporate know-how and thus the leakage of a company's sensitive information.

It is therefore essential for an organization to study, define and implement policies, regulations and corporate guidelines for the ethical and informed management of AI, not only to be fully compliant with regulatory requirements but also to be protected from the risk of incurring one or more of the violations those requirements provide for.

An organization is accountable for its actions, decisions and performance not only to the legal system but also to its stakeholders – be they employees, customers, shareholders, suppliers.

A – now inevitable – implementation of artificial intelligence that is guided, responsible and aware, with careful oversight of its applications, may be the key to ensuring that the benefits and advantages outweigh what may be the risks.

Continue reading the full version published on Agenda Digitale.

The Italian Supreme Court, in its decision no. 807 of January 13, 2025, has once again addressed the legitimacy of employer monitoring of employees’ corporate email accounts. The Court reiterated that while an employer may access an employee’s company email, this action is only lawful if there is a well-founded suspicion of illegal conduct. Information gathered before such a suspicion arises cannot be used for disciplinary purposes. 

In the case at hand, the company had dismissed a manager based on information obtained from an email log check, which was conducted prior to an alert from the company’s system that triggered the suspicion of misconduct. The Court of Appeal had already ruled that the information collected prior to the “employer’s suspicion” could not be used as evidence to support the dismissal, and that only the manager’s statements should be considered as the sole source of evidence. 

This ruling raises important considerations regarding the limits of employer control, particularly in a technological context where surveillance capabilities have expanded. It is crucial to clearly define the boundaries within which monitoring activities and the data collected can be considered lawful and compliant with current regulations. Indeed, any monitoring activity must be proportionate, transparent, and clearly justified, ensuring that employees are informed about the scope and purpose of such surveillance. 

Continue reading the full version published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.

In its judgment of December 19, 2024, case C-65/23, the Court of Justice of the European Union ruled that (i) the provisions of national collective labor agreements must comply with data protection regulations and that (ii) “Should the national court seized of the matter conclude, following its review, that certain provisions of the collective agreement […] do not comply with the conditions and limits set forth by the GDPR, it would be required not to apply such provisions […].”

The case  

The case originates from a claim filed by a German employee, who claimed that the company he worked for was unlawfully processing his personal data. In particular, the company used SAP software for accounting purposes, and the personal data entered in it was transferred to a server located in the United States of America. The company defended itself by claiming that the processing of personal data carried out was lawful because it complied with the provisions of the collective agreements applied in the company.

The employee therefore brought the case before the territorially competent national courts, seeking: (i) access to his personal data, (ii) the deletion of data concerning him and (iii) the recognition of compensation.

The German national judges, called upon to decide the case, raised questions about the scope of the applicability of Article 88 of the GDPR. Article 88 of the GDPR provides that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context […]”.

Can collective agreements establish rules on data processing, even by derogating from the provisions of the GDPR, or must they fully comply with them?

In its ruling, the Court of Justice clarified that when the provisions of a national collective agreement regulate the processing of personal data in the workplace, they must comply with the fundamental principles of the GDPR. The effect must be to bind its addressees (employers and trade unions) to ensure compliance with the principles of lawfulness, fairness, and transparency of the processing, the requirements for lawful consent, and the rules regarding the processing of special categories of personal data.

This means that if a judge were to determine that the provisions of a collective agreement regulating one or more personal data processing activities in the workplace violate the conditions and limits set by the applicable sectoral legislation, the judge would be required to disapply the non-compliant provisions; the discretion the parties to the agreement enjoy in determining whether a personal data processing activity is “necessary” does not prevent the court from exercising full judicial review in this regard.


“The employee who, although in a hierarchically superior position to the holder of the access credentials to a company’s IT system, has them revealed to him in order to gain access without specific authorization violates the employer’s directives (even if implicit, but clear): the protection of data through access credentials alone is sufficient to make such directives clear.” This has been established by the Supreme Court of Italy, Criminal Section V, no. 40295/2024.

The case 

An employee of a hotel in Chianciano Terme (Italy) had requested from another employee, directly subordinate to him, the access keys to the company’s IT system holding the customer database, used for storage and promotional purposes and comprising about 90,000 individual records, and had accessed it for purposes unrelated to the mandate received. In the first two instances, the commission of the crime of «Unauthorized access to an IT or telematic system», under Article 615-ter, paragraph 1, of the Italian Penal Code, was established.

The employee appealed to the Italian Supreme Court, claiming that it was not abusive access, both because he had the power «in his capacity as director and superior manager of the employee» from whom he had requested the credentials, «also for the purpose of supervising her work», and because until shortly before he had had personal and direct access to those data.

The position of the Supreme Court 

The Supreme Court of Italy ruled that the offence of unauthorized access to IT systems (under Article 615-ter, paragraph 1, of the Italian Penal Code) also occurs in the case of a hierarchical superior using the access credentials provided by the employee. 

The judges of the Italian Supreme Court did not find convincing the appellant’s argument that relied on his power to access any company location in order to carry out checks on those hierarchically subordinate to him. In the case of an IT system protected by credentials, the Court pointed out that «each authorized person has his/her own ‘key’ (i.e., the access credentials)». «This is because it is data which, quite simply, the owner considers should be protected, both by limiting access to those who are provided with such credentials and, at the same time, by ensuring that a digital trace is left of the individual access and of who carries them out ». 

It is therefore incorrect to hold that the defendant «solely by virtue of his duties, automatically had the power to access data that, on the other hand, according to the employer’s discretionary assessment, were to remain available only to certain employees (even if subordinate to the appellant)».

Moreover, by doing so, the appellant made it «falsely appear that the access had been made by the employee who, imprudently, had revealed her credentials to him».


Did you know that if you receive an email from an employee of your organization asking you to update his or her bank details and giving the new bank account (IBAN) to which future salaries should be credited, it could be a fraud?

How does it work? 

Some cyber criminals, by setting up a fake employee mailbox or by directly hacking into an employee’s company mailbox, are increasingly sending fake messages to HR managers informing them that the employee has changed bank account (IBAN). Reporting the new bank details, which are of course controlled by the fraudster, they request that future salaries be credited there.

How to protect your organization? 

  • Never change an IBAN just because you are asked to by email, and always check the sender’s email address.
  • It is always preferable to confirm the request by phone or face to face with the employee involved.
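As an added illustration (not part of the original article), the following screening routine applies the two rules above to incoming bank-detail change requests: it checks the sender and Reply-To domains against an assumed corporate domain, and it refuses to apply any IBAN change that has not been confirmed out of band, even when the message looks internal. The domain, addresses and messages are constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed corporate mail domain (constructed for this example)
CORPORATE_DOMAIN = "example-corp.test"
# Rough IBAN shape: country code, two check digits, 11-30 alphanumerics
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
CHANGE_TERMS = ("iban", "bank account", "bank details")


@dataclass
class Email:
    sender: str      # From address
    reply_to: str    # Reply-To address, or "" if absent
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def screen(mail: Email):
    """Return (is_change_request, red_flags). A request with no flags still
    needs out-of-band confirmation: a hijacked internal mailbox looks clean."""
    text = f"{mail.subject} {mail.body}".lower()
    is_request = any(t in text for t in CHANGE_TERMS) or bool(IBAN_RE.search(mail.body))
    if not is_request:
        return False, []
    flags = []
    if domain_of(mail.sender) != CORPORATE_DOMAIN:
        flags.append("sender outside corporate domain")
    if mail.reply_to and domain_of(mail.reply_to) != domain_of(mail.sender):
        flags.append("Reply-To points to a different domain than From")
    if not IBAN_RE.search(mail.body):
        flags.append("bank change requested without a recognisable IBAN")
    return True, flags


def may_apply_change(mail: Email, phone_confirmed: bool) -> bool:
    """Policy gate: never act on the e-mail alone; flagged messages are refused
    outright and should go to incident handling instead of payroll."""
    is_request, flags = screen(mail)
    return is_request and not flags and phone_confirmed


# Constructed sample messages
INTERNAL = Email("mario.rossi@example-corp.test", "", "New IBAN",
                 "Please credit my next salary to IT60X0542811101000000123456.")
LOOKALIKE = Email("mario.rossi@examp1e-corp.test", "", "Change of bank details",
                  "My new bank account is IT60X0542811101000000123456, thanks.")
HIJACKED_REPLY = Email("mario.rossi@example-corp.test", "m.rossi@webmail.test",
                       "IBAN update", "Use IT60X0542811101000000123456 from now on.")
```

The clean-looking internal message is the important case: the screen passes it, yet the change is still blocked until the phone or in-person confirmation is recorded.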

But that is not all. Please consider that improper processing of personal information exposes an organization to the risk of incurring one or more of the breaches set out in the privacy regulations. 

Continue reading the full version published in Norme e Tributi Plus Lavoro of Il Sole 24 Ore.