Recent news reports had already highlighted critical issues in Amazon’s processing of employees’ personal data and its use of video-surveillance systems. By a measure dated 24 February 2026, the Italian Data Protection Authority (Garante per la protezione dei dati personali) ordered Amazon Italia Logistica S.r.l. to impose a definitive restriction on a number of processing activities involving employees’ personal data, carried out in breach of both data-protection legislation and employment-law rules. The case arose from the results of inspections carried out jointly by the Authority, the National Labour Inspectorate (Ispettorato Nazionale del Lavoro), and the Special Unit for Privacy Protection and Technological Fraud of the Italian Financial Police (Guardia di Finanza).
Legal principles protecting workers
Before examining the reasons that led to the adoption of this measure, it is useful briefly to recall certain key principles concerning the processing of workers’ personal data:
- Workers are regarded as a particularly vulnerable category of data subjects, given their position of subordination vis-à-vis the employer, who acts as the controller.
- The need to carry out a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of data subjects (particular care is required in cases of systematic processing, monitoring, profiling, processing of special categories of personal data and processing concerning vulnerable data subjects; see Working Party 29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679).
- In general, in the context of the employment relationship, the controller may lawfully process personal data relating to employees and collaborators only if one of the applicable lawful bases is present: typically, Article 6(1)(b) and (c) GDPR (for ordinary data) and Article 9(2)(b) GDPR (for special categories of data).
- Article 88 GDPR expressly refers to national employment-law provisions capable of ensuring “appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of data subjects, in particular with regard to the transparency of processing […] and monitoring systems at the workplace”.
- Article 113 of the Italian Privacy Code, entitled “Collection of data and relevance”, preserves the rules laid down in Article 8 of Law No. 300/1970 (Workers’ Statute) and Article 10 of Legislative Decree No. 276/2003, which prohibit employers from carrying out investigations and processing further information relating to facts irrelevant to the assessment of the worker’s professional aptitude.
- With regard to remote monitoring of workers, it should be recalled that, pursuant to Article 4(1) of the Workers’ Statute, “audiovisual equipment and other instruments from which the possibility of remote monitoring of workers’ activity may also derive may be used exclusively for organisational and production needs, for workplace safety and for the protection of company assets” (substantive requirements), subject to a trade-union agreement or, failing that, authorisation by the National Labour Inspectorate (procedural requirements).
The Authority’s measure
The Italian Data Protection Authority, by way of urgency and with immediate effect, prohibited Amazon Italia Logistica S.r.l. from processing the personal data of over 1,800 workers employed at one of the company’s facilities. The grounds underlying the Authority’s decision are analysed below.
- Systematic and unlawful processing of workers’ data: a platform, connected to the time-and-attendance recording system, alerted managers that they needed to conduct interviews with employees returning from periods of absence or when certain events occurred (an employee’s birthday, attainment of a given score, the anniversary of the employment contract being signed). However, it emerged that access to information was broad and that managers were able to request an interview regardless of the system’s alerts. Moreover, the platform enabled the systematic collection of employees’ data for the entire duration of the employment relationship and up to ten years after it ended.
What data were recorded on this platform? Information that was also sensitive in nature: medical conditions, participation in strikes, involvement in trade-union activities, and personal data relating to family members (e.g. the health status of close relatives). However, as is well known, processing of special categories of personal data (e.g. health data, trade-union membership) is prohibited in the absence of an appropriate legal basis under Article 9(2) GDPR, which - within the employment context - may be found in Article 9(2)(b) GDPR. In addition, under Article 8 of the Workers’ Statute, “it is prohibited for the employer, both for the purposes of hiring and during the course of the employment relationship, to carry out investigations, even through third parties, into the worker’s political, religious or trade-union opinions, as well as into facts not relevant for the purposes of assessing the worker’s professional aptitude”.
The Authority therefore prohibited the use of the above platform under the same operating arrangements across all Amazon logistics centres.
- Video-surveillance systems: the Authority’s scrutiny also extended to the processing of data collected through CCTV systems installed in areas reserved for employees (in particular toilets and break areas) and oriented in such a way as to allow identification of workers. The Authority did not consider the privacy mask function (which partially obscures the image) to be sufficient - especially given that the risk of re-identification remains and that, in one case, it was established that this measure had not been activated from the time the camera was installed.
Conclusion
The case highlights the importance of implementing effective safeguards to protect workers and the processing of their personal data. As the Authority emphasises, especially in contexts of high organisational and technological complexity, enhanced guarantees are required for workers throughout the entire data-processing lifecycle - particularly where monitoring systems are used, as they may entail serious risks to the fundamental rights and freedoms of a category as vulnerable as workers.