


Italian Court of Cassation rules on unauthorised access by employees

published on 21 November 2025 | reading time approx. 4 minutes

In a ruling published on November 1, 2025, the Italian Supreme Court of Cassation decided the case of an employee of a hospital who had unlawfully accessed special categories of personal data relating to acquaintances of hers, for personal purposes and without authorisation.


In particular, the healthcare facility had detected more than thirty unlawful accesses, carried out by the employee over a period of approximately three years, to the electronic health records of some of her neighbours, with no justification or work-related reason. These were individuals whom she had also insulted and even threatened with death, conduct for which she had already been convicted in criminal proceedings. Following her summary dismissal for just cause, the employee challenged the decision, arguing that the accesses were not abusive because the activities of her department required her to consult patients' health records, contesting the admissibility of the evidence gathered in the criminal proceedings, and denying that her conduct reached the requisite threshold of seriousness.


In its ruling, the Italian Supreme Court upheld the decision of the regional court, which in its view had assessed both the existence of the disciplinary offence and its seriousness on the basis of a logically reasoned evaluation of the facts. In the Supreme Court's opinion, a company cannot place its trust in an employee who takes advantage of her position and of her privileged access to IT systems to obtain information about third parties for personal purposes, all the more so where that information consists of special categories of personal data such as health data. In any case, the applicable disciplinary code already envisages dismissal as the sanction for "the commission, in general, including against third parties, of intentional acts or conduct which, although not amounting to criminal offences, are of such gravity as not to permit even the provisional continuation of the employment relationship".


Moreover, as regards disciplinary sanctions, the Italian Supreme Court had already laid down the principle of law whereby the assessment of proportionality between the dismissal and the alleged misconduct is a matter for the trial court, since it involves an evaluation of the facts that gave rise to the dispute; it can be reviewed on grounds of legitimacy only when the reasoning of the contested judgment on this point is entirely lacking or is affected by substantial legal defects.


In the case in question, therefore, the controls the hospital had in place over employee access privileges to its IT systems (which allowed the individual accesses to be detected and attributed to the employee) supported the investigation into the intentional misconduct committed in the workplace and enabled the employer to legitimately invoke dismissal for just cause.


As a precautionary measure, a hospital can further strengthen the protection of sensitive data by requiring employees who already hold access privileges to record the reason for each consultation of a patient's data, so that every access is tied to a stated purpose that can be checked afterwards.

Effective measures include database encryption, strong authentication, detailed access logging, and role-based access control that limits each employee to the records her duties actually require. Note that encryption of the database protects against theft or loss of the stored data, not against misuse by a user who is legitimately authenticated: in the insider scenario at issue in this case, it is access control, complete logging and regular review of those logs that make the difference.

In addition, it is also advisable to develop a structured training and awareness plan for staff, so that they are aware of the permitted conduct and the disciplinary and criminal consequences in the event of violations.
The appointment of a Data Protection Officer can ensure, among other things, monitoring of training compliance and, above all, verification that the organisational and technical measures are actually effective in practice.

Digital traceability is crucial: automated monitoring and alerting allow anomalous access patterns to be identified early (for example, repeated accesses by the same user to the records of patients who are not under the care of her department) and provide evidence usable in court, provided the logs are complete, time-stamped and protected against tampering.
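The following is an added example, not part of the original article and not the hospital's or the author's own tooling, of what the reason-recording and anomaly-detection measures described above look like in code. It assumes a constructed semicolon-separated audit-log format, a constructed care-team table (which departments currently have a clinical relationship with each patient) and constructed sample records; the field names, users and patient identifiers are illustrative. Each access is classified as a treatment access, a break-glass access (no relationship, but a reason code was recorded and must be reviewed) or an unjustified access, and users who repeatedly open the same non-treated record are flagged, which is the pattern that distinguishes snooping over months from an isolated mistake.

```python
"""Review EHR access audit records for accesses with no treatment relationship.

Constructed example: the log format, field names, care-team table and sample
records are assumptions made for illustration, not a real hospital's system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed audit-log format (constructed sample), one access per line:
# timestamp;user;user_department;patient;reason_code  (reason may be empty)
SAMPLE_LOG = """\
2023-01-10T09:12:00;u1041;cardiology;P-2001;
2023-01-10T09:14:00;u1041;cardiology;P-2002;
2023-02-03T18:41:00;u1041;cardiology;P-7781;
2023-05-19T22:05:00;u1041;cardiology;P-7781;
2023-09-30T07:55:00;u1041;cardiology;P-7782;
2024-03-12T19:20:00;u1041;cardiology;P-7781;
2024-11-02T20:10:00;u1041;cardiology;P-7782;
2023-01-10T10:00:00;u2230;emergency;P-7781;BREAK_GLASS
2023-01-11T11:30:00;u2230;emergency;P-2001;
"""

# Assumed treatment-relationship table (constructed): departments that
# currently have a clinical reason to open each patient's record.
CARE_TEAMS = {
    "P-2001": {"cardiology", "emergency"},
    "P-2002": {"cardiology"},
    "P-7781": {"orthopaedics"},
    "P-7782": {"orthopaedics"},
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    department: str
    patient: str
    reason: str


def parse_log(text):
    """Parse the constructed semicolon-separated audit log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, reason = line.split(";")
        records.append(Access(datetime.fromisoformat(ts), user, dept, patient, reason))
    return records


def classify(access, care_teams):
    """'treatment' if the user's department is on the patient's care team,
    'break_glass' if not but a reason code was recorded (needs human review),
    'unjustified' if there is neither a relationship nor a stated reason."""
    if access.department in care_teams.get(access.patient, set()):
        return "treatment"
    if access.reason:
        return "break_glass"
    return "unjustified"


def summarize(records, care_teams):
    """Per user: access counts by class, number of distinct non-treated patients,
    and the span in days between the first and last non-treatment access."""
    out = {}
    for a in records:
        s = out.setdefault(a.user, {"treatment": 0, "break_glass": 0, "unjustified": 0,
                                    "patients": set(), "first": None, "last": None})
        c = classify(a, care_teams)
        s[c] += 1
        if c != "treatment":
            s["patients"].add(a.patient)
            s["first"] = a.ts if s["first"] is None else min(s["first"], a.ts)
            s["last"] = a.ts if s["last"] is None else max(s["last"], a.ts)
    for s in out.values():
        s["span_days"] = (s["last"] - s["first"]).days if s["first"] else 0
        s["non_treated_patients"] = len(s.pop("patients"))
        del s["first"], s["last"]
    return out


def suspicious_users(records, care_teams, min_repeats=3):
    """Flag (user, patient) pairs where the same non-treated record was opened at
    least min_repeats times. Returns {user: {patient: [sorted timestamps]}}."""
    per_pair = defaultdict(list)
    for a in records:
        if classify(a, care_teams) != "treatment":
            per_pair[(a.user, a.patient)].append(a.ts)
    flagged = defaultdict(dict)
    for (user, patient), stamps in per_pair.items():
        if len(stamps) >= min_repeats:
            flagged[user][patient] = sorted(stamps)
    return dict(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, s in summarize(recs, CARE_TEAMS).items():
        print(user, s)
    print("flagged:", suspicious_users(recs, CARE_TEAMS))
```

In practice the care-team table would be derived from admission, referral and scheduling data, and a break-glass access would trigger a review ticket rather than silently passing; the point of the example is that detection only works if the log captures who opened which record and when, and if someone actually runs this kind of review over it.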

On the disciplinary side, an internal disciplinary code adopted in accordance with the Workers' Statute allows charges to be brought promptly while guaranteeing the employee's right to be heard and to defend herself. Sanctions can be graded, from a written warning up to dismissal for just cause in the event of serious or repeated misconduct.

An integrated approach combining IT governance, training and the correct application of the disciplinary system not only allows for a response to unlawful conduct, but also prevents it, thus protecting business continuity and the company's reputation.

Finally, it is also worth noting that unauthorised access to, and processing of, personal data for additional and unlawful purposes without an adequate legal basis constitutes a personal data breach under the GDPR. The company is then required to notify the Data Protection Authority, within the 72-hour deadline of Article 33 GDPR unless the breach is unlikely to result in a risk to the data subjects, and to communicate the breach to the data subjects themselves under Article 34 GDPR where it is likely to result in a high risk to them, which will frequently be the case where special categories of data such as health data are involved.

data protection bites

author


Chiara Benvenuto

Attorney at law (Italy)

Manager
