CAN I GIVE EMPLOYEE DATA TO THIRD PARTIES?
In my capacity as DPO (Data Protection Officer) for a number of companies and organisations, I am often asked questions about what can and cannot be disclosed. Just recently, I was asked whether an employer could give employees' personal data to a third party, without the employees' consent, in order to organise a trip abroad.
After all, some argued, it is necessary for something related to the employment relationship.
It is fortunate that they asked me, because the employer can only do so if they have received the employee's consent, which must be explicit for that specific case, given that travel abroad is not covered by the normal circumstances of the employment relationship.
This principle was also reiterated by the Court of Appeal of Palermo in its ruling no. 1399 of 6 October 2025, which declared that a municipality, as data controller, is liable for the unlawful disclosure of personal and sensitive data of one of its employees, even if the event is attributable to human error.
Therefore, even the initiative of the person responsible, who in my case was about to communicate the data to third parties, entailed liability for the company.
The Court of Cassation, in its ruling no. 13073/2023, established that the data controller is also liable for the negligent acts of its employees, in application of a general principle similar to Article 2049 of the Italian Civil Code. In this specific case, the disclosure of an employee's non-public “reputational” data, which occurred by mistake in the publication of a decision on the online public notice board, constituted a compensable offence, regardless of the fact that the cause was a mere distraction.
This principle is fully in line with European case law. The Court of Justice of the European Union (Case C-741/21, 11 April 2024) has clarified that, pursuant to Article 82 of the GDPR, the data controller cannot exempt itself from liability simply by invoking the error of a person acting under its authority. In order to be exempted, the entity must demonstrate the absence of a causal link between the breach of its data protection obligations (pursuant to Articles 5, 24 and 32 of the GDPR) and the damage suffered by the data subject.
The employee whose data has been disclosed may invoke Article 82 of the GDPR, which recognises the right of any person who has suffered material or non-material damage as a result of an infringement of the Regulation to obtain compensation from the data controller.
Therefore, all employers should take note and always consult with the DPO or an expert before making decisions regarding personal data!
Last update: December 2025
