{"id":30260,"date":"2025-12-12T16:36:43","date_gmt":"2025-12-12T15:36:43","guid":{"rendered":"https:\/\/it.andersen.com\/?p=30260"},"modified":"2025-12-12T16:50:21","modified_gmt":"2025-12-12T15:50:21","slug":"compliance-risk-management-compliance-risks-for-employees","status":"publish","type":"post","link":"https:\/\/it.andersen.com\/en\/compliance-risk-management-compliance-risks-for-employees\/","title":{"rendered":"Compliance &amp; Risk Management &#8211; Compliance risks for employees"},"content":{"rendered":"<p>In this fourth edition of the <strong>Compliance &amp; Risk Management<\/strong> Newsletter, professionals of Andersen&#8217;s <strong>231\/Privacy<\/strong> Service Line have explored the topic of <strong>compliance risks for employees<\/strong> in order to highlight the increasing importance for companies to adopt appropriate measures to mitigate the risks associated with the incorrect storage of metadata and improper or illegal conduct by employees, thereby improving their <strong>governance<\/strong>.<\/p>\n<h2>When a crime committed by an employee also involves the company<\/h2>\n<p>Under Legislative Decree 231\/2001, a crime committed by an employee can be extended to the company <strong>when the individual acts in the interest or to the advantage of the entity, even only potentially<\/strong>. <strong>The benefit does not need to be actually achieved<\/strong>: it is enough that the conduct was suitable or even simply aimed at obtaining it.<\/p>\n<p>However, the company\u2019s liability is not automatic. It is necessary to verify <strong>whether the offence is among those covered by the Decree<\/strong> and whether the organisation lacked an adequate prevention system. 
The absence\u2014or ineffectiveness\u2014of the <strong>Organisational Model<\/strong> becomes the decisive threshold: if the company has not mapped its risks, established clear protocols, or properly trained its personnel, the employee\u2019s conduct may directly impact the entity.<\/p>\n<h2>The retention of corporate e-mail metadata<\/h2>\n<p>With <strong>decision no. 243 of 29.04.2025<\/strong>, the Data Protection Authority intervened on the issue of <strong>storing email and browsing metadata<\/strong> in the workplace, setting a specific <strong>time limit<\/strong> for the storage of metadata (<strong>21 days<\/strong>). After this period, metadata should be deleted or, in any case, made unavailable, unless specific <strong>guarantees<\/strong> are adopted by the employer and there are proven technical and organisational needs, or a trade union agreement has been reached or specific authorisation has been obtained from the labour authority.<\/p>\n<p>The issue is complex and deserves close attention: employers will have to manage the storage of email (and browsing) metadata in compliance with the requirements of the Data Protection Authority, under penalty of significant <strong>sanctions<\/strong>. This applies even though there are still unresolved questions on which an intervention by the Privacy Authority is hoped for.<\/p>\n<h2>The risks arising from the improper use of AI by employees<\/h2>\n<p><strong>Generative AI<\/strong> is everywhere. People and companies around the world use it every day to perform tasks and duties such as translating texts, identifying key search terms, analysing social media engagement data, and creating images and videos. 
However, Artificial Intelligence may be used without complying with corporate policies, thus contributing to the growth of what is now known as <strong>Shadow AI<\/strong>.<\/p>\n<p>The main <strong>risks<\/strong> arising from Shadow AI include security incidents or personal <strong>data breaches<\/strong>, violations of company procedures, and <strong>violations of company intellectual property<\/strong> (know-how, trade secrets, confidential information), which have a significant impact not only on the operation and efficiency of processes, but also on <strong>reputation<\/strong>.<\/p>\n<p>It is therefore essential to adopt a <strong>risk-based approach<\/strong>, which is now the basis of all the latest European regulations (AI Act, GDPR, NIS 2 Directive, DORA), and an effective <strong>governance<\/strong> strategy to strengthen the <strong>resilience<\/strong> of the company.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this fourth edition of the Compliance &amp; Risk Management Newsletter, professionals of Andersen&#8217;s 231\/Privacy Service Line have explored the topic of compliance risks for employees in order to highlight the increasing importance for companies to adopt appropriate measures to mitigate the risks associated with the incorrect storage of metadata and improper or illegal conduct 
[&hellip;]<\/p>\n","protected":false},"author":146,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50],"tags":[],"_links":{"self":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/30260"}],"collection":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/users\/146"}],"replies":[{"embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/comments?post=30260"}],"version-history":[{"count":2,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/30260\/revisions"}],"predecessor-version":[{"id":30262,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/posts\/30260\/revisions\/30262"}],"wp:attachment":[{"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/media?parent=30260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/categories?post=30260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.andersen.com\/en\/wp-json\/wp\/v2\/tags?post=30260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}