The Italian Garante per la protezione dei dati personali (Data Protection Authority) has imposed an immediate and urgent ban on Amazon Italia Logistica from processing the personal data of more than 1,800 employees working at its logistics platform in Passo Corese, in the province of Rieti. The order, issued on 24 February 2026 under reference number 107, follows inspections carried out between 9 and 12 February 2026 in cooperation with the Ispettorato Nazionale del Lavoro (National Labour Inspectorate) and the Guardia di finanza’s Nucleo speciale tutela privacy e frodi tecnologiche (Special Unit for Privacy Protection and Technological Fraud). The investigation was launched after media reports concerning the handling of employee data at the site.
At the centre of the inquiry is an internal management tool referred to in the documents as “platform XX”, linked to the attendance tracking system and accessible to numerous managers. The tool was used to monitor employee absences and manage return-to-work interviews, including through an algorithm known as the “Bradford Factor”, which penalises short and frequent absences. The most serious breaches were identified in the use of the platform’s free-text fields, intended for written notes.
Notes entered by managers following return-to-work meetings contained information entirely unrelated to the assessment of professional suitability. The data recorded included specific medical conditions — Crohn’s disease, slipped discs, the presence of pacemakers, surgical procedures and psychiatric problems — as well as information about the health of close relatives, such as terminally ill fathers or sisters with brain tumours. There were also references to marital separations, personal hobbies and even romantic relationships between colleagues.
According to the Authority, particularly serious was the systematic linking of absences with trade union activity. The notes recorded participation in individual strikes, attendance at meetings, opinions expressed in those forums and assessments of what were deemed improper uses of leave by “unionised” workers. This type of processing directly violates Article 113 of the Codice Privacy (Privacy Code) and Article 8 of the Statuto dei Lavoratori (Workers’ Statute), which prohibit employers from collecting information on employees’ political, trade union or religious opinions, as well as on matters not relevant to their work.
The situation was further aggravated by the fact that the information was retained for the entire duration of the employment relationship and for up to ten years after its termination. Access to the platform was granted to a large number of corporate roles, including development teams, without restrictions based on actual operational need. The Authority also found breaches of the data minimisation and storage limitation principles set out in Regulation (EU) 2016/679 (GDPR).
The order also addressed the internal video surveillance system. Inspectors identified four cameras positioned towards the entrances of bathrooms and staff break areas. Despite the application of a “privacy mask” — partial obscuring of images — the system still made it possible to identify workers accessing those areas. The Authority cited a specific case in which the company used system logs to identify a security officer who had entered a bathroom. The placement of the cameras was deemed inconsistent with Amazon’s own internal policies and redundant in light of other devices already installed in the area.
In response to the violations, the Authority imposed three definitive restrictions on processing. The first concerns the data contained in the free-text fields of platform XX relating to health, trade union activity and private life. The second requires the cessation of processing of data collected through the four cameras near bathrooms and break areas. The third measure extends the ban to all Amazon facilities in Italy using the same platform under conditions similar to those identified at Passo Corese. The company must respond to the Authority within seven days of notification of the order.
The Passo Corese logistics centre is one of the main hubs in Amazon’s Italian distribution network. The case forms part of a broader pattern of regulatory scrutiny of workforce management practices in large-scale logistics facilities, where the use of algorithmic tools and digital surveillance has expanded in recent years alongside the growth of e-commerce. The Authority’s investigation remains ongoing to assess further aspects not yet definitively examined. Failure to comply with the measures exposes Amazon Italia Logistica to administrative fines of up to €20 million or 4% of its annual global turnover, as provided for under the GDPR.
Following the announcement of the decision, Amazon issued a statement saying: “We are examining with the utmost attention the order of the Data Protection Authority. We confirm full cooperation and transparency towards the Authority. The protection of personal data represents an absolute priority for us: we adopt dedicated internal policies, periodic training programmes and stringent operational rules aimed at ensuring compliance with current legislation. Should the analysis reveal any areas of non-compliance, we will promptly review our processes and procedures, fully implementing the Authority’s guidance, in order to ensure full compliance and the continuous strengthening of our data protection standards.”
Pietro Rossoni
