The Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued an urgent order with immediate effect requiring Amazon Italia Logistica S.r.l. to stop processing personal data relating to more than 1,800 employees at one of its logistics facilities.

The investigation revealed multiple violations from a data protection perspective. In particular, the authority identified the use of an internal platform connected to the company’s attendance system, which was used to systematically record notes following meetings with employees returning from periods of absence.

According to the Garante, the platform enabled the creation of structured records about employees that went far beyond legitimate workforce management. In practice, these records were built on highly personal and sensitive information, including health conditions, trade union activity, and aspects of employees' private and family life.

The case illustrates several important compliance failures under data protection law.

Data Minimisation

The platform allowed managers to record meeting notes with detailed information that was not necessary for managing attendance or evaluating employees’ professional suitability.

As mentioned by the Garante in both the decision and the related press release, the notes sometimes contained extremely detailed personal information. This included references to specific medical conditions suffered by employees, such as Crohn’s disease or the presence of a pacemaker, as well as references to participation in strikes and trade union activities. The notes also contained highly personal family and private information, for example references to a terminally ill father or marital separation.

Under applicable data protection rules and Italian labour law, employers are not permitted to process employee information that is not relevant to assessing professional suitability. Collecting and recording extensive personal details as previously described therefore directly contradicts the principle of data minimisation.

Systematic Recording of Employees’ Personal Information Through Internal Notes

By systematically documenting personal information following employee absences and linking these records to an internal management system accessible to managers, the platform enabled the creation of structured records about workers.

These records contained highly sensitive information that had no legitimate relevance to the employees' professional role. Recording such data systematically can amount to employee profiling, which raises serious data protection concerns.

Excessive Retention

The information recorded through the platform was stored for the entire duration of the employment relationship and for up to ten years after its termination.

Retention periods must be justified by a legitimate purpose and limited to what is necessary. In this case, the extended storage period is particularly problematic given that much of the information recorded should not have been collected in the first place.

Insufficient Access Controls

Access to the platform was not limited to direct supervisors but extended to numerous managers, allowing many individuals to consult the recorded information about employees.

Where sensitive information is involved, organisations are expected to implement strict role-based access controls. Broad internal access increases the risk of misuse, unnecessary consultation, or internal dissemination of personal data.

The Garante’s Decision

As a result of these findings, the authority ordered the company to immediately stop processing the data collected through the platform in relation to the affected employees.

The inspections also identified non-compliant CCTV cameras placed near worker bathrooms and rest areas. The investigation remains ongoing and further aspects of the case are still under examination by the authority.

This decision highlights several recurring compliance risks for organisations managing employee data:

  • internal tools that allow managers to record informal but sensitive personal notes about employees
  • systems that enable profiling through aggregated employee information
  • excessive retention of HR-related information
  • insufficient access restrictions within internal management platforms

Even when tools are designed for operational purposes such as attendance management, the way these tools are used can quickly lead to unlawful processing if organisations fail to implement clear processes governing the collection, access, and retention of employee data.

Organisations should therefore ensure that HR systems and internal management tools are regularly reviewed with the involvement of the Data Protection Officer (DPO) or privacy counsel to verify compliance with data protection requirements.