On May 14, 2026, Italy's data protection authority—the Garante per la Protezione dei Dati Personali—issued Provvedimento n. 342, a formal warning to Myndoor S.r.l., a startup based in Rosate, south of Milan, whose AI plug-in for Slack and Microsoft Teams analyzes the semantic content of employee chat messages to infer psychological stress levels. The decision represents the first time a European data protection authority has simultaneously invoked both the General Data Protection Regulation and the EU AI Act's prohibited-practices chapter against a single AI product. That dual-law posture is the precedent that matters, not the warning itself.
What Myndoor Built
Myndoor's architecture was designed with a specific privacy mitigation in mind. Individual employees voluntarily activate the plug-in; the system scores the psychological stress content of their messages; those scores are then pooled. The company imposed a minimum-population floor of ten active weekly users before any report surfaces to employers, generating a statistical aggregate on team-level well-being rather than individual results. No raw identifiers appear in the output. Employers access reports through a view-only portal with no download capability. Myndoor's premise was that aggregation at this threshold breaks the link to individuals and removes the processing from the special-category regime that governs health data.
The Garante disagreed.
Two Legal Pillars
The Authority's intervention rests on two distinct legal frameworks applied concurrently.
The first is the GDPR. The Garante cited Articles 5 (data minimization and purpose limitation), 6 (lawful basis for processing), 9 (prohibition on processing health-related special-category data without a qualifying ground), 24 and 25 (controller accountability and privacy-by-design obligations), and 88 (employment-context data processing restrictions). Italian domestic law reinforces this: Articles 2-ter and 113 of the national data protection code impose strict limits on what employers may lawfully learn about employees' psychological state, grounding worker dignity as an independent constraint on surveillance.
The GDPR analysis turns on a contested question: whether psycho-emotional stress inferred from message patterns constitutes health data under Article 9. The Garante treated it as such. If that reasoning holds, the lawful basis for transmitting even aggregated stress indices to employers is extraordinarily difficult to establish—ordinary legitimate interest cannot override special-category protections, consent in the employment relationship is structurally compromised, and occupational-health grounds require far more stringent conditions than a commercial plug-in can satisfy.
The second pillar is Article 5(1)(f) of the EU AI Act (Regulation (EU) 2024/1689), which has been in force since February 2, 2025. The provision flatly prohibits "the placing on the market, the putting into service for this specific purpose, or the use of AI systems to infer emotions of a natural person in the areas of workplace and education institutions," with narrow exceptions for medical or safety purposes. The Garante invoked it directly, treating Myndoor's product as falling within the prohibition.
The Regulator's Strongest Case
Before assessing proportionality, the regulator's concern deserves honest treatment. Employees occupy a structurally subordinate position. Even nominally voluntary activation of a monitoring tool carries coercive undertones when refusal is socially costly—a dynamic that GDPR Recital 43 acknowledges explicitly in the employment context. Workplace messaging platforms contain dense, intimate communication: an AI layer that converts that stream into a psychometric signal gives employers an unprecedented window into workers' mental health. The concern is not hypothetical. Aggregate department-level stress scores can be correlated with restructuring decisions, performance reviews, or denial of flexible working in ways that damage individuals who are never individually identified. The AI Act's categorical prohibition in the workplace reflects a legislative judgment, made after extensive deliberation, that this risk outweighs the tool's benefits in normal commercial deployment.
Where Genuine Ambiguity Remains
The more nuanced policy question is whether Article 5(1)(f) reaches Myndoor's architecture at all. The prohibition targets systems that infer emotions based on biometric data. The European Commission's February 2025 implementation guidelines interpret "biometric data" as including physiological and behavioral characteristics—but the same guidelines exclude pure written-text analysis from that definition, noting that textual processing of the kind found in NLP systems does not engage the biometric data provisions that undergird Article 5(1)(f).
Myndoor processes message semantics, not facial expressions, voice pitch, or physiological signals—the canonical biometric modalities. Whether text-based sentiment analysis in a messaging platform constitutes biometric-data processing under the AI Act, or whether the GDPR framework alone applies, is precisely the question the Garante chose not to fully resolve. The warning proceeds as if the prohibition applies without engaging the definitional argument head-on.
That gap matters for the broader market. Dozens of employee engagement, burnout prediction, and mental-health-monitoring tools use natural-language processing on workplace text rather than cameras or biometric sensors. The Myndoor decision puts them on notice without giving them a clear compliance target.
Aggregation Does Not Sanitize the Inference
On the GDPR side, the Garante's analysis does address Myndoor's aggregation argument directly—and rejects it. A ten-user threshold is insufficient to rule out re-identification risk in small teams or departments. More fundamentally, even a group-level stress report transmitted to employers was derived from individual health-proximate inferences: the aggregation occurs downstream of the prohibited processing, not instead of it. The destination of the data does not sanitize the upstream inference that generated it. This reasoning carries implications well beyond Myndoor; many HR analytics products are structured around aggregate-only outputs on the assumption that aggregation alone satisfies data minimization. It does not.
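The re-identification point above is an engineering claim as much as a legal one, and it can be shown concretely. The following is an added illustration, not Myndoor's code or data: it builds an aggregate-only team report with a ten-user floor over constructed weekly scores, then shows how two consecutive reports whose cohorts differ by a single person leak that person's score (a classic differencing attack), and finally sketches a hypothetical cohort-stability check a privacy engineer might add. The score values, user ids, `MIN_USERS` and `min_churn` are all assumptions made here.

```python
from statistics import mean

# Constructed sample data (not from the page): per-user weekly stress scores,
# 0.0 (calm) .. 1.0 (high stress), as a plug-in of this kind might produce.
WEEK_1 = {"u01": 0.2, "u02": 0.3, "u03": 0.4, "u04": 0.5, "u05": 0.6,
          "u06": 0.3, "u07": 0.2, "u08": 0.4, "u09": 0.5, "u10": 0.3,
          "u11": 0.9}
# Week 2: same scores, but user u11 has deactivated the plug-in.
WEEK_2 = {uid: s for uid, s in WEEK_1.items() if uid != "u11"}

MIN_USERS = 10  # the minimum-population floor described in the article


def team_report(scores, min_users=MIN_USERS):
    """Aggregate-only report: (active user count, mean score) once the floor
    is met, otherwise None. No identifiers appear in the output."""
    if len(scores) < min_users:
        return None
    return len(scores), mean(scores.values())


def differencing_recovery(report_a, report_b):
    """Recover the score of the single person whose presence differs between
    two published reports, using only the published (count, mean) pairs."""
    (n_a, m_a), (n_b, m_b) = report_a, report_b
    if abs(n_a - n_b) != 1:
        return None  # more than one member changed; this simple trick fails
    # count * mean recovers the hidden sum of scores; the difference of the
    # two sums isolates the one member who joined or left.
    return round(abs(n_a * m_a - n_b * m_b), 2)


def safe_to_publish(prev_cohort, new_cohort, min_churn=3):
    """Hypothetical cohort-stability check (an assumption of this example):
    refuse a report whose cohort differs from the last published cohort by a
    small, nonzero number of members, since such pairs are exactly what a
    differencing attack exploits."""
    changed = len(set(prev_cohort) ^ set(new_cohort))
    return changed == 0 or changed >= min_churn


if __name__ == "__main__":
    r1, r2 = team_report(WEEK_1), team_report(WEEK_2)
    print("week 1 report:", r1)
    print("week 2 report:", r2)
    print("recovered score of the departed user:", differencing_recovery(r1, r2))
    print("week 2 safe to publish under churn rule?", safe_to_publish(WEEK_1, WEEK_2))
```

Both reports clear the ten-user floor and contain no identifiers, yet subtracting one from the other yields the exact score of the user who left; anyone who knows which colleague switched the plug-in off that week has re-identified them. The churn check closes only this one-member case (longer sequences of reports admit similar arithmetic), which is the engineering counterpart of the Garante's broader point: the individual inference has already happened upstream, and the aggregate is a view over it, not a substitute for it.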
Sanctions and What Happens Next
The Garante issued a formal warning (avvertimento) under GDPR Article 58(2)(a)—not a fine and not a product ban. The investigation, opened on June 3, 2025, and closed on May 14, 2026, concluded without established violations on current facts. Myndoor is on notice, not under order. Continued distribution of aggregate stress reports to employers in the same configuration would, however, expose the company to fines of up to €20 million or 4% of global annual turnover under GDPR Article 83 for Article 9 violations, as well as up to €35 million or 7% of global annual turnover under AI Act Article 99 for breaches of prohibited-practice rules.
The warning structure is itself a message to the market. Regulators across the EU will now read the dual-law invocation as a template. Every HR analytics vendor with EU distribution should audit two questions: first, whether its AI architecture meets the functional definition of an emotion-recognition system under the AI Act, even when text-based; second, whether its aggregation strategy genuinely eliminates the upstream special-category inference or merely relocates it.
Pro-innovation policy does not require permitting every product that can be built. But it does require regulators to articulate clear, predictable standards—not decisions that leave the central definitional question unresolved. Startups designing mental-health and wellness tools need to know where the line is, not merely that a line exists somewhere nearby.