On 14 May 2026, Italy's data protection authority, the Garante per la protezione dei dati personali, issued Provvedimento n. 342 — a formal warning to Myndoor S.r.l., a Milan-area startup whose plug-in for Slack and Microsoft Teams analyses the semantics of workplace chat to infer employees' psychological stress. The decision is notable not for its severity — no fine was levied — but for its legal architecture: it is one of the first European enforcement actions to invoke the GDPR and the EU AI Act in the same breath. The Garante cited GDPR Articles 5, 6, 9, 24, 25 and 88 alongside Article 5(1)(f) of Regulation (EU) 2024/1689, the AI Act's outright ban on systems that infer emotions in the workplace.
What the regulator actually did
It is worth being precise about what the Garante ordered, because the headline 'Italy bans workplace emotion AI' obscures a more careful intervention. The authority did not order Myndoor to shut down. It warned that transmitting aggregated stress reports to employers — even anonymised, even on request — would likely breach data-protection law and Italian workplace-dignity rules (Article 113 of the Italian Data Protection Code), and it instructed the company to implement technical and organisational measures preventing employers from accessing that data. The remedy targets the data flow, not the existence of the tool.
That distinction matters. As the warning notes, continued operation in breach exposes Myndoor to penalties of up to €20 million or 4% of global annual turnover under GDPR Article 83. But by issuing an avvertimento rather than a sanction, the Garante gave a small company a path to compliance instead of a death sentence. For a regulator often criticised for blunt instruments — its 2023 ChatGPT block being the obvious example — this is a proportionate, well-calibrated first move.
The case for the prohibition
The strongest argument for the AI Act's workplace emotion ban is real and should not be waved away. Employment is a relationship of structural power asymmetry: 'consent' from an employee whose stress score is being read is rarely free. A tool that lets managers see who is fraying can become an instrument of psychological control, discrimination against the anxious, or a pretext for managing people out. The EU-OSHA finds that roughly 29% of EU workers report work-related stress, depression or anxiety — a genuine problem that vendors are eager to monetise, and one where surveillance dressed as 'wellbeing' is a foreseeable abuse. Article 5(1)(f) draws a bright line precisely because the downside is dignitary harm that is hard to undo after the fact.
Where the rule is overbroad
The legitimate worry is the surveillance use. The problem is that the AI Act's prohibition reaches further than the harm. The text bans inferring emotions 'in the areas of workplace' with a narrow carve-out only 'for medical or safety reasons.' But as the Future of Privacy Forum's analysis of the red-lines provisions documents, the scope is riddled with unresolved tension. The statutory definition of an emotion-recognition system keys on biometric data, yet a text-sentiment plug-in like Myndoor's reads written language, not faces or voices — leaving genuine doubt about whether it is even the kind of system Article 5(1)(f) was drafted to catch. The Garante sidestepped that ambiguity by leaning on the GDPR's special-category rules under Article 9, which more comfortably cover inferred mental-health data.
The broader risk is that a flat ban discourages the legitimate version of this technology. A tool that aggregates anonymised stress signals and surfaces them only to the employees themselves, or to occupational-health professionals under the safety exception, could genuinely help address the burnout the data describes. The Garante's order — block the employer pipe, keep the rest — implicitly recognises this. A categorical reading of Article 5(1)(f) does not. Europe should want the version of Myndoor that helps workers; the regulation's text, read maximally, threatens to foreclose it alongside the surveillance version.
The lesson for enforcement
The Myndoor warning is a model for how the AI Act should be enforced: identify the specific data flow that creates the harm, order it stopped, and reserve the €20M hammer for non-compliance rather than swinging it on first contact. It also shows that the GDPR — eight years in and well-tested — remains the sharper tool. The AI Act's Article 5(1)(f), in force since 2 February 2025, supplied the rhetorical headline, but the operative legal work was done by Article 9's special-category protections.
For the rest of the EU, the signal is twofold. Vendors building 'employee wellbeing' AI should assume that any architecture routing inferred mental-health signals to employers is now indefensible. But regulators, in turn, should resist reading Article 5(1)(f) as a ban on the underlying capability. The harm is in who gets to see the data, not in the existence of a model that can read a tired sentence. Italy got that balance right. The next dozen authorities to act should copy the remedy, not just the citation.