
Compliance & Risk Management – Compliance risks for employees

12 December 2025 | Insights

In this fourth edition of the Compliance & Risk Management Newsletter, professionals of Andersen’s 231/Privacy Service Line have explored the topic of compliance risks for employees in order to highlight the increasing importance for companies of adopting appropriate measures to mitigate the risks associated with the incorrect storage of metadata and improper or illegal conduct by employees, thereby improving their governance.

When a crime committed by an employee also involves the company

Under Legislative Decree 231/2001, a crime committed by an employee can be extended to the company when the individual acts in the interest or to the advantage of the entity, even only potentially. The benefit does not need to be actually achieved: it is enough that the conduct was suitable or even simply aimed at obtaining it.

However, the company’s liability is not automatic. It is necessary to verify whether the offence is among those covered by the Decree and whether the organisation lacked an adequate prevention system. The absence—or ineffectiveness—of the Organisational Model becomes the decisive threshold: if the company has not mapped its risks, established clear protocols, or properly trained its personnel, the employee’s conduct may directly impact the entity.

The retention of corporate e-mail metadata

With decision no. 243 of 29.04.2025, the Data Protection Authority intervened on the issue of storing email and browsing metadata in the workplace, setting specific time limits for the storage of metadata (21 days). After this period, metadata should be deleted or, in any case, made unavailable, unless specific guarantees are adopted by the employer and there are proven technical and organisational needs, or a trade union agreement has been reached or specific authorisation has been obtained from the labour authority.

The issue is complex and deserves close attention: employers will have to manage the storage of email (and browsing) metadata in compliance with the requirements of the Data Protection Authority, under penalty of significant sanctions. This applies even though there are still unresolved questions for which an intervention by the Privacy Authority is hoped for.

The risks arising from the improper use of AI by employees

Generative AI is everywhere. People and companies around the world use it every day to perform tasks and duties such as translating texts, identifying key search terms, analysing social media engagement data, and creating images and videos. However, Artificial Intelligence may be used without complying with corporate policies, thus contributing to the growth of what is now known as Shadow AI.

The main risks arising from Shadow AI include security incidents or personal data breaches, violations of company procedures, and violations of company copyright (know-how, trade secrets, confidential information), which have a significant impact not only on the operation and efficiency of processes, but also on reputation.

It is therefore essential to adopt a risk-based approach, which is now the basis of all the latest European regulations (AI Act, GDPR, NIS 2 Directive, DORA), and an effective governance strategy to strengthen the resilience of the company.


© Andersen Tax LLC and Andersen Italia. Andersen Italia is the Italian member firm of Andersen Global, a Swiss verein comprised of legally separate, independent member firms located throughout the world providing services under their own name or the brand "Andersen," "Andersen Tax," or "Andersen Tax & Legal," or "Andersen Legal." Andersen Global does not provide any services and has no responsibility for any actions of the member firms, and the member firms have no responsibility for any actions of Andersen Global. Your use of this website is subject to the terms and conditions governing it. Please read these terms and conditions before using the website.