Internal investigations in Italy: Regulation, case law, and operational challenges

Italy’s corporate landscape is increasingly focused on compliance, transparency, and ethics. Under expectations to implement comprehensive internal control systems, companies are prioritizing the detection and mitigation of potential unlawful conduct.

In this context, the capacity to conduct internal investigations has proved to be an essential tool for Italian companies, particularly when addressing fraudulent practices, breach of fiduciary duty, conflicts of interest, or unlawful transactions within the organization.

When properly structured and conducted in compliance with relevant legislation, internal investigations make it possible to (1) timely identify perpetrators of misconduct; (2) uncover and address gaps in the internal control system; and (3) promptly adopt the appropriate corrective measures.

However, misconduct prevention in Italy is shaped by a legislative framework that continues to generate interpretative uncertainties and practical challenges. Moreover, the use of IT monitoring tools requires a careful and sensitive balancing of interests, as it overlaps with a further relevant issue, the protection of employee confidentiality.

Within this framework, Italian case law has consistently tended to narrow the scope of internal investigations conducted directly by employers, setting strict boundaries on their legitimacy. Such orientation, reaffirmed by recent Italian Supreme Court decisions, intensifies the challenges faced by companies in protecting their interests within strict regulatory limits.

The Italian regulatory framework: Monitoring activities conducted by employers

Article 4 of Law No. 300/1970 (the Workers’ Statute) provides for certain restrictions on the possibility of monitoring employees, stating that – with the exception of tools used by employees to perform their work activities and to track entry and attendance – audiovisual systems and other tools enabling the remote monitoring of employees' work activities may only be used under the following conditions:

• The existence of one of these alternative purposes: organizational and production needs, workplace safety, or protection of company assets
  
  
• The conclusion of a prior collective agreement with the relevant trade union representatives, or, in the absence of such an agreement, prior authorization from the National Labor Inspectorate
  
  
• Provision of prior notice to the employee on how such tools shall be used and how monitoring activities are carried out, according to the Italian Privacy Code (Legislative Decree No. 196/2003)

Although legal requirements for monitoring employees have been clearly outlined, it should be noted that, under certain circumstances, companies may need to carry out covert monitoring – without incurring complex bureaucratic processes – in order to uncover misconduct that could harm the company itself and potentially trigger criminal liability.

In this context, it is therefore necessary for companies to balance, on one hand, the need to safeguard employees confidentiality and, on the other, the need to implement effective investigative tools.

Italian case law on defensive monitoring: An apparent protection granted to companies

In light of the above, Italian case law has established so-called defensive monitoring. The scope of Article 4 of the Workers’ Statute is limited to matters directly or indirectly related to work activities. Defensive monitoring aims to detect misconduct that falls outside that scope.

Drawing from the provisions of Article 4 of the Workers' Statute, Italian case law (among others, see Supreme Court No. 25732/2021) – in line with leading European case law, such as Bărbulescu v. Romania – traditionally distinguishes between two categories of defensive monitoring:

• Broadly defensive monitoring, which is conducted to safeguard company assets, is lawful only when the above requirements set by Article 4 of the Workers' Statute are met.
  
  
• Strictly defensive monitoring, meanwhile, aims to detect misconduct that may be lawful even beyond the requirements set out in Article 4 of the Workers' Statute, provided that specific conditions are still met. These include:

• Compliance with Article 8 of the European Convention of Human Rights, which guarantees a balance between the need to protect corporate interests/assets and the protection of employees' dignity and privacy, and
  
  
• The implementation of ex post strictly defensive monitoring, which may only be carried out after the unlawful conduct of one or more employees has been committed and where the employer has reasonable grounds to suspect such conduct. Specifically, case law establishes that ex post strictly defensive monitoring is legitimate solely from the moment the well-founded suspicion arises. Retroactive monitoring (ie, the examination of data predating the suspicion) is prohibited.

More recently, in January 2025, the Italian Supreme Court in Judgment No. 807/2025, further tightened the requirements for the legitimacy of defensive monitoring carried out by companies. The case concerned the dismissal of a manager following the discovery, during an internal investigation triggered by an IT alert, of files stored on the employee's personal computer. The Supreme Court ruled that the dismissal was unlawful, stating that the log files could not be used for the purposes of dismissal, and reaffirmed that ex post strictly defensive monitoring on employees cannot be retroactive, ie, it cannot look at data and information predating the onset of the suspicion of misconduct.

The same principle was further reinforced by the Italian Supreme Court in June 2025 (Judgment No. 23158), holding that strictly defensive monitoring conducted beyond the legitimate scope (as defined by recurrent case law) may trigger criminal liability, constituting the offenses of unauthorized access to a computer system and violation of correspondence (provided for by Articles 615-ter and 616 of the Italian Criminal Code).

Defensive investigations under the Italian Code of Criminal Procedure

In light of the increasingly restrictive case law on employers’ defensive monitoring of employees, it is worth highlighting that such limitations do not apply when the company appoints a defense counsel to carry out preventive defensive investigations – pursuant to Articles 327-bis and 391-novies of the Italian Code of Criminal Procedure – with a view to the possible initiation of criminal proceedings in the event that the company is involved as an interested party, injured party, or damaged party; or in any other procedurally relevant capacity.

In such cases, investigative activities carried out by defense counsel are governed by an autonomous set of criminal law provisions safeguarding counsel’s activities within certain boundaries and in compliance with principles of criminal procedural law. Notably, there are no legislative provisions or case law extending the limitations of Article 4 of the Workers’ Statute to such defensive activities.

Moving forward

When there is reason to suspect that employees’ misconduct may constitute a criminal offense that could potentially involve the company in criminal proceedings, it may be advisable to appoint defense counsel to conduct investigations under the Italian Code of Criminal Procedure, in full compliance with its applicable provisions. This approach enables companies to address the most serious cases without the risk of infringing the restrictions set out in Article 4 of the Workers’ Statute governing defensive monitoring performed directly by employers.

For more information, please contact the author.