With its decision of 4 March 2026, the Italian Data Protection Authority clarified that digital forensics activities carried out in the context of internal corporate investigations qualify as processing of personal data and must therefore fully comply with data protection rules.
In the case at issue—concerning the forensic acquisition and analysis of the corporate email account and storage spaces of a senior executive, initiated following an anonymous whistleblowing report—the Authority found the processing to be unlawful, identifying in particular:
- the lack of prior information provided to the data subject;
- the absence of a valid appointment of the data processor;
- breaches of the principles of data minimisation, purpose limitation and storage limitation.
The decision reiterates that the mere suspicion of wrongdoing does not, in itself, justify generalised or indiscriminate monitoring, that holding a senior position does not entail a reduction of data protection safeguards, and that forensic acquisitions covering the entire information assets, without temporal or content-related limitations, are disproportionate. The ruling thus provides important operational guidance for companies involved in internal investigations and litigation, stressing the need to design and conduct such activities in full compliance with data protection requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.