Italy's data protection authority, the Garante per la Protezione dei Dati Personali, today published a formal warning against Myndoor S.r.l., a Milan-area startup that developed an artificial intelligence plug-in for Slack and Microsoft Teams capable of analysing the emotional content of workplace chat messages to infer employees' psychological stress levels. The decision, registered as Provvedimento n. 342 of 14 May 2026 and bearing document reference 10255494, represents one of the first European enforcement actions to invoke both the General Data Protection Regulation and the EU AI Act simultaneously in the context of a workplace AI product.
The warning does not impose a financial penalty. Instead, it places Myndoor on formal notice that the transmission of aggregated stress-level reports to employers would likely violate several provisions of the GDPR and the EU AI Act, and instructs the company to implement technical and organisational measures to prevent employers from accessing, even indirectly, the psychological data generated by its system.
What the Myndoor system does
According to the Garante's decision, the Myndoor plug-in can be purchased by companies and public bodies to make available to employees who voluntarily choose to activate it. Once a worker opts in, the application monitors the textual content of messages they send within Slack or Teams and applies a semantic analysis model - described in the company's own privacy notice as using artificial intelligence to evaluate "stress parameters" - to determine an emotional or psychological state.
The data processed by the system, as described in Myndoor's own information notice cited in the decision, falls into two categories. Dati di elaborazione - processing data - consists of the full textual content of messages, which the system analyses for stress indicators. The company states this includes common data such as name, surname, email address, telephone number, place and date of birth, and place of residence, as well as special categories of personal data as defined under Article 9 of the GDPR. Once the analysis is completed and a response generated, those underlying messages and associated personal data are deleted. The second category is dati di utilizzo - usage data - comprising anonymised statistics such as the number of messages analysed and the stress scores produced.
The stated purpose of the processing, according to the company's privacy notice, is "preventive medicine, diagnosis and assistance," specifically the identification of general wellbeing and stress levels through analysis of textual content entered by the user in Slack or Teams during daily work activity.
Inspection triggers and investigation timeline
The Garante's investigation began following press reports about the Myndoor system. The authority launched formal inspections on 3 and 4 June 2025 under Article 58(1) of the GDPR and Articles 157 and 158 of Italy's national data protection code. Press reports had suggested the plug-in was in use at several public administration bodies. Myndoor, however, told investigators during those sessions - making declarations subject to criminal liability under Article 168 of the code - that the named public entity had not purchased the workplace chat plugins at that time.
On 2 July 2025, Myndoor submitted supplementary documentation. Its privacy notice, as reproduced in the decision, confirmed that the company acts as data controller rather than processor. This matters legally: it means that employing organisations that purchase the product for their workforce are not treated as controllers of the underlying personal data generated by its use. Myndoor made that architecture explicit in a follow-up submission dated 24 December 2025, stating that "companies and entities that have purchased the service to make it available to their employees do not have the possibility of accessing the personal data of the data subjects, which are processed directly and exclusively by Myndoor S.r.l. as data controller."
That same December submission described a recent overhaul of the technical infrastructure. According to Myndoor's declarations, the system no longer acquires personal data in a directly identifiable form when delivering its service. Plugin activation now relies exclusively on a unique anonymous identifier (ID) that, the company said, cannot be traced back to an individual, "ensuring the provision of services in a regime of anonymity for the provider."
The aggregate report and re-identification risk
The most contested element in the decision is a weekly aggregate report that Myndoor offers to client organisations. According to the decision, this report is generated only when at least 10 workers have simultaneously activated the plugin. It covers the entire employee population of the client - at least on Teams - rather than any specific department or sub-unit, precisely to limit the risk of identifying individuals. No raw identifiers are included. The report is accessible only through Myndoor's own platform inside a protected company account, with no automated data transmission or file download.
Despite those safeguards, the Garante found the arrangement legally precarious. As of the date of the decision, only one company had ever received such a report and, as the authority noted, that company did not possess additional information sufficient to allow re-identification of the individuals whose data underlay the analysis. On that basis, the authority concluded there was insufficient evidence that actual GDPR violations had already occurred. The absence of a fine reflects that conclusion.
But the Garante was not satisfied that future distributions of such reports would be safe. The decision explicitly identifies the impossibility of categorically excluding "the eventuality that, in future, entities and companies that request the aggregate report could trace back to the identity of their employees who have individually chosen to use the service." The authority points specifically to the variable characteristics of employer organisations - size, composition of workforce, departmental structure - as factors that could make re-identification feasible even from an aggregate statistical output with a 10-person threshold.
The technical safeguards Myndoor described in its December 2025 filing include a minimum population threshold of 10 active weekly users before any report is generated, with automatic system-level disabling if the number of active users falls below that minimum. There is also view-only access to reports through the company's platform, with no raw data download capability. Myndoor stated that semi-aggregated or micro-data is excluded, with visibility limited to the final statistical output of the algorithm. These measures, the authority acknowledged, represent reasonable steps - but not sufficient ones to eliminate the risk.
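The following is an added illustration, not Myndoor's code and not taken from the decision, of why a head-count threshold alone leaves the residual risk the Garante describes: a release gate that also suppresses a report when the cohort is homogeneous and drops the breakdown when a small cell would stand out. Only the threshold of 10 comes from the decision; the score scale, bands, other limits and all names are assumptions.

```python
from collections import Counter
from statistics import mean

K_MIN = 10            # minimum active users per report, as stated in the decision
MAX_BAND_SHARE = 0.8  # assumed: above this, the aggregate describes nearly every member
CELL_MIN = 3          # assumed: smallest band count that may be shown

def band(score):
    """Map a 0-100 score to a coarse band (scale and cut-offs are assumed)."""
    return "low" if score < 34 else "medium" if score < 67 else "high"

def weekly_report(scores):
    """scores: dict of pseudonymous ID -> weekly score.
    Returns (report, reason); report is None when the release is suppressed."""
    n = len(scores)
    if n < K_MIN:
        return None, "below_minimum_cohort"

    bands = Counter(band(s) for s in scores.values())

    # Homogeneity: if almost everyone sits in one band, anyone who knows
    # (or can guess) who opted in learns that band for each of them,
    # even though the cohort meets the size threshold.
    if max(bands.values()) / n > MAX_BAND_SHARE:
        return None, "homogeneous_cohort"

    report = {"active_users": n, "mean_score": round(mean(scores.values()), 1)}

    # Small cells: a band holding one or two people singles them out.
    # Masking only that cell is reversible (total minus the other cells),
    # so the whole breakdown is withheld instead.
    if any(0 < c < CELL_MIN for c in bands.values()):
        return report, "released_without_bands"

    report["bands"] = {b: bands.get(b, 0) for b in ("low", "medium", "high")}
    return report, "released"

def sample(values):
    """Build a constructed cohort with made-up pseudonymous IDs."""
    return {f"u{i:02d}": v for i, v in enumerate(values)}

if __name__ == "__main__":
    cohorts = {
        "nine users": sample([50] * 9),
        "ten users, all high": sample([80] * 10),
        "one outlier": sample([20] * 6 + [50] * 5 + [90]),
        "balanced": sample([20] * 4 + [50] * 4 + [90] * 4),
    }
    for name, cohort in cohorts.items():
        print(name, "->", weekly_report(cohort))
```

The second constructed cohort passes the 10-user threshold yet discloses the state of every participant, which is the kind of case where organisation size and composition, not the count, decide whether the output is safe.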
The legal framework: GDPR meets the AI Act
The legal analysis in the Garante's decision draws on two parallel regulatory frameworks, and the intersection between them is where the decision has the broadest implications.
On the GDPR side, the authority invokes Article 113 of the Italian data protection code, which incorporates national employment law requirements barring employers from collecting data irrelevant to work activity - specifically referencing Article 8 of Italy's Workers' Statute of 20 May 1970 and Article 10 of Legislative Decree 297/2003. Violations of those provisions carry criminal sanctions under Article 171 of the Italian code. The Garante's position is that an employee's emotional state and psychological stress levels fall squarely within the scope of Article 113, making them off-limits for employers by definition. Separately, the authority notes that the declared purpose of "preventive medicine, diagnosis and assistance" cannot be pursued by an employer acting on its own initiative. That role belongs exclusively to the occupational health physician (medico competente) under Legislative Decree 81/2008 and Article 5 of the Workers' Statute.
The Garante also invokes Articles 5, 6, 9, 24, 25 and 88 of the GDPR, as well as Articles 2-ter and 113 of the national code. Articles 24 and 25 address data controller accountability and privacy by design and by default - the obligation to build data protection into product architecture from the outset. The decision makes clear that Myndoor should have pre-emptively designed the system so that employers could never access psychologically derived inferences about their workers, rather than relying on post-hoc contractual or procedural measures.
On the AI Act side, the decision invokes Article 5(1)(f) of Regulation (EU) 2024/1689 of 13 June 2024, which prohibits "the placing on the market, putting into service for this specific purpose or use of AI systems to infer the emotions of a natural person in the workplace." That prohibition entered into application on 2 February 2025, as tracked extensively by PPC Land. The Garante states that this provision "imposes and confirms that the use of such systems must not result in the provision to employers of information, inferred through artificial intelligence systems, regarding their own personnel."
The authority uses that convergence to reinforce a broader principle: products that process personal data through AI inference must not merely comply with GDPR by default, but must also ensure their architecture does not enable uses that are prohibited under the AI Act. Where a function lacks a legal basis, is incompatible with the purposes of processing, or conflicts with sectoral law, the privacy by design obligation under Article 25 of the GDPR requires that function to be deactivated.
Explainability and algorithmic opacity
A notable section of the Garante's decision is dedicated not to compliance technicalities but to a more fundamental concern about how AI-based inferential systems operate. The authority warns of the risks inherent in semantic analysis and large language models when their outputs are used to classify people. The decision states that these systems produce inferences "sometimes not immediately foreseeable or controllable" relative to the data originally processed, and that the opacity of their reasoning creates risks including discriminatory effects, amplification of existing biases, and margins of error that are not always easily detectable.
The Garante references Article 13 of the AI Act, which requires high-risk AI systems to provide adequate transparency documentation including the intended purpose, expected accuracy levels, robustness and cybersecurity metrics, risks to health and safety or fundamental rights, and the technical characteristics relevant to explaining system output. The implication is that a stress-inferring semantic analysis system deployed in an employment context sits at a high-risk threshold, at minimum, and may need to meet those documentation requirements.
The decision frames explainability and human oversight not as technical desiderata but as essential conditions for lawful processing in sensitive contexts. Without them, algorithmic outputs "generated through statistical patterns and predictive models" could cause "harmful effects and discrimination, with consequences that are sometimes irreversible in relation to the identity and dignity of the person."
Why this matters for the marketing and HR tech community
The Myndoor case is narrow in its immediate scope - a small Italian startup, a single report distributed to a single corporate client. But the legal logic the Garante applies has considerably wider reach. As the AI Act's prohibited practice restrictions entered application on 2 February 2025, any AI system marketed for use in workplace contexts that infers emotional states from behavioural data faces the same dual legal exposure this decision describes. The Italian authority is the first European data protection regulator to apply that framework explicitly to a commercial HR technology product.
The case also illustrates how the GDPR's special categories regime under Article 9 interacts with the AI Act's prohibitions in ways that may not be immediately obvious to product developers. Psychological stress data inferred from text analysis may or may not constitute health data within the strict Article 9 definition, but Italian employment law independently forecloses employer access to it on different grounds. Developers building tools that touch mental health, emotional wellbeing, or behavioural patterns in employment settings face multiple overlapping obligations, not a single compliance test. The EDPB's 2025 annual report, published in April 2026, noted that joint GDPR-AI Act guidelines are being developed with the European Commission and are due throughout 2026 - meaning the legal interplay between the two frameworks will become more formalised before the year is out.
The Dutch regulator's consultation on social scoring prohibition under Article 5(1)(c) of the AI Act, published in November 2025, touched adjacent territory - systems that assess or classify individuals based on behaviour in ways that lead to detrimental treatment. A system that rates employee stress levels and transmits those ratings to an employer, even in aggregate form, fits that pattern closely. Giulio Coraggio, head of intellectual property at a major international law firm and a specialist in AI legal frameworks, noted in a LinkedIn post on the day the Garante's decision became public that "AI systems used to infer emotions in the workplace are prohibited, except in very limited scenarios," adding that "certain AI tools deployed in HR environments may not simply create compliance risks - they may be unlawful by design."
Separately, the case reinforces a point about product architecture that has appeared repeatedly in European enforcement. The France-Amazon GDPR decision on warehouse monitoring, reduced from EUR 32 million to EUR 15 million by France's Conseil d'Etat in December 2025, established that the lawfulness of a monitoring tool depends heavily on how precisely its functions are scoped and what data is retained. The Myndoor warning goes further: it requires that the system architecture make employer access technically impossible, not merely contractually prohibited.
For organisations that have deployed or are evaluating AI tools integrated with Slack, Teams, or similar collaboration platforms - whether for workforce analytics, productivity monitoring, sentiment analysis, or wellbeing programmes - the Garante's reasoning signals that European regulators will examine whether the product design, not just the contractual framework, ensures that psychologically sensitive data stays out of employer hands.
Garante's formal instruction
The operative portion of the decision, issued under Article 58(2)(a) of the GDPR and Article 154(1)(f) of the Italian data protection code, formally warns Myndoor S.r.l. - registered at via Aldo Moro 5/3, 20088 Rosate (MI), VAT number 12097060961 - that the planned processing activities would likely violate the GDPR and worker dignity protections. The specific articles cited are Articles 5, 6, 9, 24, 25 and 88 of the GDPR and Articles 2-ter and 113 of the Italian code.
The decision also orders publication of the warning on the authority's website. It does not specify a deadline for Myndoor to adapt its product, but the legal effect of a formal warning under the GDPR is that continued operation of the reported configuration - specifically, the option to transmit aggregate stress reports to employers - would expose the company to enforcement action and potential fines. Under Article 83(4) and (5) of the GDPR, infringements of the principles in Article 5 or the conditions for processing special category data under Article 9 can attract fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher.
Recipients of the decision may challenge it before ordinary courts within 30 days of communication, or within 60 days if the challenger is resident abroad, pursuant to Article 78 of the GDPR, Article 152 of the Italian code, and Article 10 of Legislative Decree 150/2011.
The decision was signed on 14 May 2026 in Rome by President Pasquale Stanzione, with Ginevra Cerrina Feroni named as rapporteur and Luigi Montuori as Secretary General. An accompanying press release was published on 28 May 2026.
Timeline
- 2 February 2025 - EU AI Act prohibited practice restrictions enter application across the European Union, including Article 5(1)(f) banning AI emotion-inference systems in workplaces (PPC Land coverage)
- 3-4 June 2025 - Garante inspectors carry out on-site verification activities against Myndoor S.r.l., including formal interviews producing certified minutes
- 2 July 2025 - Myndoor submits supplementary documentation including its Article 13 GDPR information notice, confirming itself as sole data controller and describing data categories processed
- 24 December 2025 - Myndoor submits a further filing describing a revised technical architecture using anonymous identifiers and the 10-user threshold for aggregate reports; confirms only one company has received an aggregate report
- 14 May 2026 - Garante adopts Provvedimento n. 342, formally warning Myndoor that transmitting stress reports to employers would likely violate the GDPR and Italian employment law; decision references AI Act Article 5(1)(f)
- 28 May 2026 - Garante publishes accompanying press release on its website (today)
Summary
Who: Italy's Garante per la Protezione dei Dati Personali, acting against Myndoor S.r.l., a startup registered in Rosate (Milan province) with VAT number 12097060961.
What: A formal warning under Article 58(2)(a) of the GDPR advising that Myndoor's practice of making available aggregate employee stress-level reports to purchasing organisations would likely violate GDPR provisions on special category data, employer data collection limits, and privacy by design, as well as Article 5(1)(f) of the EU AI Act prohibiting workplace emotion-inference AI systems.
When: The decision is dated 14 May 2026 (Provvedimento n. 342). The underlying inspections took place on 3-4 June 2025. The accompanying press release was published today, 28 May 2026.
Where: The decision was issued in Rome by the Garante and applies to Myndoor's operations across Italy. The system operates via plug-ins integrated with Slack and Microsoft Teams, processing data generated during remote and in-office work.
Why: The authority found that psychological stress information inferred from employee communications falls within the category of data employers are forbidden to collect under Italian employment law and GDPR Article 9, regardless of whether it is presented in aggregate form. The AI Act's prohibition on workplace emotion-inference systems reinforces that conclusion. The Garante concluded that while no verified GDPR violation had yet occurred, the product's architecture created conditions in which future violations were a foreseeable risk.