This January edition of our privacy case law blog addresses a central question: to what extent may public authorities and employers monitor citizens and employees? Two recent decisions illustrate that this boundary may be exceeded sooner than is often assumed. The European Court of Human Rights (hereinafter: the “ECHR” or “Court”) held that the Italian tax authorities enjoyed excessively broad discretion to access citizens’ banking data without adequate oversight. A Dutch court, in turn, clarified that employers likewise exceed permissible limits when, in the absence of a valid justification, they access and read employees’ private messages, even where such messages are available through business equipment.
Although the factual contexts differ (fiscal supervision versus workplace monitoring), the underlying legal message is essentially the same. Convention rights (including Article 8 ECHR) are not absolute. Any interference with the right to respect for private life must be in accordance with the law, pursue a legitimate aim, and be necessary in a democratic society. In terms of Convention case law, this entails, inter alia, that the applicable legal framework must be sufficiently accessible and foreseeable and must provide effective safeguards against arbitrariness and abuse. Where such conditions are not met, the individual’s privacy interest prevails, even if the monitoring is prompted by practical or organisational considerations.
On 8 January 2026, the ECHR found against Italy. In Ferrieri and Bonassisa v. Italy, the Court held that the Italian tax authorities exceeded permissible limits when obtaining access to citizens’ banking information. The Court concluded that Italy had violated Article 8 ECHR.
In the context of a tax audit, the Italian tax authorities obtained access, without prior authorisation, to the bank accounts and transaction data of two individuals. The domestic legal framework granted the authorities virtually unfettered powers: banking data could be requested without prior judicial authorisation, and the individuals concerned were not informed. Furthermore, the individuals had no effective opportunity to challenge the access ex post before an independent supervisory or judicial body.
The ECHR held that Italy failed to provide sufficient safeguards against abuse. While a statutory basis existed, the Court considered the relevant provisions insufficiently precise and foreseeable. Individuals could not reasonably predict in which circumstances their financial data might be accessed, and the framework lacked effective independent oversight, whether judicial or otherwise.
The ECHR reiterated that legislation enabling interferences with private life must be adequately circumscribed, must meet the requirements of quality of law, and must be accompanied by safeguards ensuring that the interference is not arbitrary. In the present case, the authorities were able to act too easily and without meaningful external control. The Court therefore held that the interference was not “in accordance with the law” within the meaning of Article 8 ECHR.
The ECHR treated the issue not as incidental, but as indicative of a structural deficiency in the Italian legal framework. Italy is expected to amend its legislation to delineate more clearly the circumstances in which the tax authorities may access banking data, and to introduce effective oversight mechanisms, for example judicial authorisation or review by an independent supervisory authority.
This judgment is also relevant in the Dutch context. Authorities such as the Dutch Tax and Customs Administration and the FIOD (Fiscal Information and Investigation Service) possess far-reaching information-gathering powers. For instance, under the General Act on State Taxes (AWR), third parties may be required to provide information relating to taxpayers. In criminal investigations, the FIOD may rely on investigative powers under criminal procedural law to obtain financial information. The ECHR’s judgment underscores that such powers must be embedded in a framework that is sufficiently transparent and equipped with effective checks and balances.
An employer who accesses and reviews employees’ WhatsApp communications is exposed to significant legal risk. The question arises whether an employer may read employees’ private messages if these are left open on a company laptop. A judgment of the District Court of North Holland demonstrates where the boundary lies between legitimate supervision and an unlawful interference with privacy. The subdistrict court assessed the employer’s conduct not only in light of the standard of good employership, but also against Article 8 ECHR. In addition, the matter engages the General Data Protection Regulation (the “GDPR”), as the employer’s actions involve the processing of personal data.
Two cooks employed by a hospitality group used WhatsApp Web on a company laptop. A supervisor discovered that a conversation between them was open, proceeded to take photographs of the screen, and captured messages in which the employees made negative remarks about colleagues. The images were shared with management, after which the employer decided not to renew the employees’ fixed-term employment contracts. The employees argued that their privacy had been infringed and sought fair compensation on the basis of seriously culpable conduct on the part of the employer.
The court emphasised that WhatsApp communications are, as a rule, private and fall within the scope of protection of Article 8 ECHR. From a data protection perspective, the employer’s conduct constituted processing of personal data within the meaning of Article 4(2) GDPR (including accessing, collecting and disclosing by transmission). The court considered Articles 5 and 6 GDPR to be relevant: any processing must comply with the principles of the GDPR, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and integrity and confidentiality, and must be based on a valid legal basis.
The employer unlawfully interfered with the employees’ right to respect for private life by relying on privately exchanged messages that had been obtained without justification. Even if the conversation had been left open inadvertently, this did not entitle the supervisor to actively scroll through the messages, photograph them, and share them internally. Such conduct amounted to an unjustified intrusion into the employees’ private sphere. The court underlined that an interference of this nature requires a pressing social need and must satisfy the requirements of necessity and proportionality, criteria which were not met in this case.
Moreover, the decision not to renew the employment contracts was based directly on the unlawfully obtained information. The causal link between the privacy infringement and the non-renewal was therefore established. The court qualified the employer’s conduct as seriously culpable and awarded both employees fair compensation of EUR 2,000 gross per person.
The judgment aligns with a broader judicial trend in which employees’ privacy at the workplace is afforded meaningful protection. Employers must handle employees’ personal data with due care, including where such data are accessible through business devices. Under the GDPR, an employer may process personal data only where a valid legal basis under Article 6 GDPR applies. In this case, such a basis appears to have been absent; nor was it established that the processing met the standards of necessity and proportionality.
In addition, the employer qualifies as controller and is therefore required to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR (see, inter alia, Articles 24 and 32 GDPR). Accessing and disseminating private communications without a legitimate basis is not merely a breach of trust; it is also incompatible with the GDPR’s core principles, including data minimisation and confidentiality.
Finally, the subdistrict court noted that the award of compensation serves a signalling function: employers should appreciate that privacy infringements within an employment relationship carry significant legal and ethical weight. A desire to understand team dynamics or to “get to the bottom of things” does not, in itself, constitute a sufficient justification for intruding into employees’ private communications.