Italy Data Privacy Laws: GDPR & Privacy Code Guide (2026)

Italy has one of the most aggressive data protection enforcement regimes in Europe. While all EU member states apply the GDPR, Italy layers its own national Privacy Code on top of it. The result is a framework that goes further than most, including criminal liability, strict employee monitoring rules, and a supervisory authority that has repeatedly made international headlines by confronting major technology companies.
This guide covers the full scope of Italian data privacy law as it stands in 2026.
The Legal Framework: GDPR Plus the Italian Privacy Code
Italy's data protection regime rests on two pillars that work together.

The GDPR (Regulation EU 2016/679)
The General Data Protection Regulation has applied directly across all EU member states since May 25, 2018. It establishes the core rights and obligations for personal data processing, including consent requirements, data subject rights, breach notification duties, and the penalty framework.
The GDPR is not a directive that requires transposition. It is a regulation, meaning it applies as law in Italy without needing separate legislation. However, the GDPR explicitly leaves certain areas open for member states to regulate further.
The Italian Privacy Code (D.Lgs. 196/2003)
Italy's original data protection law predates the GDPR by 15 years. Legislative Decree No. 196 of June 30, 2003, known as the Codice in materia di protezione dei dati personali (Personal Data Protection Code), was Italy's comprehensive data privacy statute.
When the GDPR took effect in 2018, Italy did not simply repeal the Privacy Code. Instead, Legislative Decree No. 101 of August 10, 2018 substantially amended the Privacy Code to harmonize it with the GDPR.
The amended Privacy Code performs three key functions:
- Fills gaps the GDPR leaves to member states. This includes rules on processing criminal conviction data, the age of consent for minors using digital services, and employment data processing.
- Preserves Italian-specific protections. Title X of the Privacy Code (Articles 121 through 132-quater) implements the EU e-Privacy Directive for electronic communications.
- Establishes criminal penalties. Articles 167 through 172 create criminal offenses for certain data protection violations, a measure the GDPR explicitly allows under Article 84.
Additional Legislation
Several other Italian laws intersect with data protection:
- Law No. 300/1970 (Workers' Statute): Article 4 restricts employer surveillance and monitoring of employees. Article 114 of the Privacy Code cross-references this statute directly.
- Legislative Decree 138/2024 (NIS2 Implementation): Transposes the EU NIS2 Directive into Italian law, expanding cybersecurity obligations for critical infrastructure entities. Applies from October 16, 2024.
- Law No. 132/2025: Addresses AI regulation in Italy, deferring to the GDPR for data protection matters while establishing additional transparency requirements.
- Law No. 182/2025: Amended Article 10 GDPR provisions regarding processing of criminal conviction data.
The Garante: Italy's Data Protection Authority
The Garante per la protezione dei dati personali (often shortened to "the Garante" or "GPDP") is Italy's independent data protection supervisory authority. It was established in 1997 and has grown into one of the most active and assertive data protection regulators in Europe.
Structure and Powers
The Garante is a collegiate body composed of four members. Two are elected by the Camera dei Deputati (Chamber of Deputies) and two by the Senato della Repubblica (Senate). Members serve seven-year, non-renewable terms.
The Garante has the full range of investigative, corrective, and advisory powers provided under Article 58 of the GDPR:
- Investigative powers: Conducting audits, requesting information, accessing premises, and reviewing data processing operations.
- Corrective powers: Issuing warnings, reprimands, orders to comply, temporary or permanent processing bans, and administrative fines.
- Advisory powers: Issuing opinions on legislative proposals, codes of conduct, and data protection impact assessments.
Enforcement Track Record
The Garante's enforcement statistics place it among Europe's most prolific regulators. As of the end of 2025:
- Over 575 publicly available enforcement actions have been issued.
- Cumulative fines exceed EUR 315.7 million.
- Italy ranks second only to Spain in total number of sanctions issued, but far exceeds Spain's cumulative fine total of approximately EUR 137.7 million.
The Garante's inspection plan for the first half of 2026 targets over 40 planned inspections, with particular focus on telemarketing practices, AI systems, and workplace monitoring.
Penalties and Sanctions
Italy's penalty framework is unusually comprehensive because it combines GDPR administrative fines with national criminal penalties.
Administrative Fines Under the GDPR
The GDPR establishes two tiers of administrative fines:
- Lower tier (Article 83(4)): Up to EUR 10 million or 2% of global annual turnover for violations related to controllers, processors, certification bodies, or monitoring bodies.
- Upper tier (Article 83(5-6)): Up to EUR 20 million or 4% of global annual turnover for violations of core processing principles, data subject rights, or international transfer rules.
The Garante applies these thresholds considering factors including the nature, gravity, and duration of the infringement; whether it was intentional or negligent; actions taken to mitigate damage; and prior history.
Criminal Penalties Under the Privacy Code
Italy is one of the few EU member states that has exercised the right under GDPR Article 84 to impose criminal penalties. The Privacy Code establishes several criminal offenses:
- Article 167 (Unlawful Processing): Anyone who processes personal data in violation of certain provisions, with the purpose of obtaining a profit or causing harm to another person, faces imprisonment from six months to three years.
- Article 167-bis (Unauthorized Communication and Dissemination): Unauthorized communication or dissemination of personal data on a large scale, for profit, faces imprisonment from one to six years.
- Article 168 (False Statements to the Garante): Making false declarations or producing falsified documents to the supervisory authority carries imprisonment from six months to three years.
- Article 170 (Non-Compliance with Garante Orders): Failing to comply with measures ordered by the Garante carries imprisonment from three months to two years.
Criminal penalties are reduced if an administrative fine has already been imposed by the Garante for the same violation. Italy's Supreme Court has clarified that not every privacy breach qualifies as a criminal offense. The prosecution must prove specific intent (to profit or to harm) for Article 167 convictions.
Breach Notification Requirements
Italy follows the GDPR's breach notification framework with some nationally specific procedural requirements established by the Garante.
When Notification Is Required
Controllers must notify the Garante of any personal data breach that poses a risk to the rights and freedoms of natural persons. Notification is not required if the breach is unlikely to result in such risk.
The 72-Hour Deadline
Notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach. If notification is delayed beyond 72 hours, the controller must provide reasons for the delay.
How to Notify the Garante
Since July 1, 2021, all breach notifications must be submitted through a dedicated electronic tool on the Garante's website. The completed form must be sent via certified email (PEC) and digitally signed with a qualified electronic signature.
The notification must include:
- A description of the nature of the breach, including the categories and approximate number of individuals and records affected.
- The name and contact details of the organization's Data Protection Officer (or other contact point).
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
Notifying Affected Individuals
When a breach is likely to result in a high risk to natural persons, the controller must also notify affected data subjects without undue delay. This notification must be in clear, plain language and must describe the nature of the breach and the steps individuals can take to protect themselves.
Notification to individuals may be waived if the controller has implemented appropriate technical protection measures (such as encryption) that render the data unintelligible, or if subsequent measures have eliminated the high risk.
Key Italian-Specific Provisions
Several areas of Italian data protection law go beyond or differ from the baseline GDPR framework.
Age of Consent for Digital Services
Article 2-quinquies of the amended Privacy Code sets the age at which a minor can independently consent to the processing of personal data in relation to information society services at 14 years. This is lower than the GDPR default of 16 years but above the minimum floor of 13 years that the GDPR permits member states to set.
For children under 14, consent must be given or authorized by the holder of parental responsibility. All communications directed at minors must use "particularly clear and simple, concise and comprehensive language."
Employee Monitoring Restrictions
Italy has some of the strictest employee monitoring rules in Europe. Article 4 of the Workers' Statute (Law No. 300/1970) prohibits the use of audiovisual or other surveillance systems for the purpose of monitoring worker activity.
Remote monitoring tools, including GPS tracking, video surveillance, and email metadata analysis, may only be used when:
- An agreement has been reached with trade union representatives, or
- In the absence of a union agreement, authorization has been obtained from the territorial Labour Inspectorate.
In June 2024, the Garante issued guidelines specifically addressing employee email metadata. The guidelines state that email metadata (sender, recipient, timestamps, subject lines) constitutes personal data that can indirectly reveal employee conduct. Employers may retain email metadata for a maximum of 21 days without triggering the additional safeguards required under Article 4 of the Workers' Statute.
Telemarketing and Direct Marketing
Italy has a persistent telemarketing abuse problem that has driven some of the Garante's largest enforcement actions. The Privacy Code contains specific provisions on marketing communications, and Italy maintains a national opt-out register (Registro delle Opposizioni) that covers both landline and mobile numbers.
The Garante has repeatedly sanctioned companies for acquiring consumer data through unauthorized telemarketing chains. The landmark 2024 Enel Energia fine of EUR 79.1 million was directly tied to the company's failure to verify that its sales agencies were obtaining consumer data lawfully.
Processing of Health Data
The Privacy Code includes specific safeguards for health data processing. Processing of health data for medical diagnosis and treatment does not require explicit consent when carried out by health professionals subject to professional secrecy obligations. However, processing health data for research purposes requires either consent or authorization from the Garante.
Landmark Enforcement Actions
The Garante has been involved in several enforcement actions that have attracted global attention, particularly in the area of artificial intelligence.
Clearview AI: EUR 20 Million Fine (2022)
On February 10, 2022, the Garante imposed a EUR 20 million fine on Clearview AI, the US-based facial recognition company. The investigation, launched following press reports and complaints from privacy organizations in 2021, found multiple GDPR violations:
- No legal basis for processing. Clearview scraped billions of facial images from the internet without consent. The company's claimed legitimate interest was rejected.
- Violation of transparency obligations. Individuals whose images were collected were never informed.
- Breach of purpose limitation. Images posted on social media for personal purposes were repurposed for biometric surveillance without any legal basis.
- Violation of storage limitation. No data retention limits were in place.
Beyond the fine, the Garante ordered Clearview to delete all biometric data relating to individuals in Italy, prohibited further collection and processing of Italian residents' data, and ordered the company to appoint a representative in the European Union.
OpenAI and ChatGPT: Ban, Fine, and Court Battle (2023-2026)
Italy's engagement with OpenAI has been the most high-profile AI enforcement saga in European data protection history.
March 30, 2023: The Garante issued an emergency order temporarily banning ChatGPT from processing personal data of individuals in Italy. Italy became the first Western country to ban a major AI chatbot. The Garante cited four violations: lack of transparency about data processing, absence of a legal basis for training data collection, inaccurate outputs (hallucinations presenting false information as fact), and inadequate age verification.
April 11, 2023: The Garante issued a follow-up order conditionally suspending the ban. OpenAI was given until April 30 to implement corrective measures including publishing a privacy policy, providing an opt-out mechanism for training data, implementing age verification, and conducting an information campaign.
April 28, 2023: ChatGPT was restored in Italy after OpenAI implemented initial compliance measures.
December 20, 2024: The Garante concluded its full investigation and imposed a EUR 15 million fine on OpenAI. The fine broke down as:
- EUR 9 million for unlawful processing of personal data used to train ChatGPT without an adequate legal basis.
- EUR 5.68 million for non-compliance with the corrective measures imposed in April 2023.
- EUR 320,000 for failing to notify the Garante of a March 20, 2023 data breach that exposed 440 Italian users' chat histories and payment information.
The Garante also ordered OpenAI to conduct a six-month public awareness campaign across Italian media (television, radio, and newspapers) to educate the public about ChatGPT's data collection practices and about individuals' rights to object, rectify, and delete personal data.
March 2025: A Rome court provisionally suspended the fine while considering OpenAI's appeal.
March 19, 2026: The Rome court overturned the EUR 15 million fine. The court did not immediately release its reasoning. OpenAI stated it "welcomed the decision" and remained "committed to respecting user privacy." The Garante declined to comment.
TikTok: Age Verification and Child Safety (2021)
The Garante took action against TikTok following the January 2021 death of 10-year-old Antonella Sicomero, who died after attempting the "blackout challenge" she had encountered on the platform.
The Garante issued emergency measures ordering TikTok to block users whose age could not be verified. TikTok was forced to re-verify the age of every user in Italy. The company's self-declaration age verification system was found inadequate.
The result: TikTok removed over 500,000 accounts in Italy, approximately 400,000 for users declaring an age under 13 and 140,000 flagged through moderation and reporting tools.
In 2022, the Garante issued a further warning to TikTok regarding its planned policy change to serve personalized advertisements on the basis of legitimate interest, finding this approach incompatible with GDPR requirements for consent-based ad targeting.
DeepSeek: Blocked Within 48 Hours (2025)
On January 28, 2025, the Garante launched an investigation into DeepSeek, the Chinese AI company, requesting information about its data processing practices. Within 48 hours, on January 30, the Garante imposed an immediate and definitive ban on DeepSeek processing Italian users' personal data.
The Garante found DeepSeek's responses to its information requests inadequate, particularly regarding the categories of personal data collected, the sources of that data, the purposes and legal bases for processing, and whether data was stored outside the EU.
Enel Energia: EUR 79.1 Million for Telemarketing (2024)
The largest fine in Italian data protection history was imposed on Enel Energia on February 8, 2024. The EUR 79.1 million sanction resulted from the company's failure to prevent its sales agencies from engaging in unlawful telemarketing.
The investigation revealed that Enel Energia had acquired at least 978 contracts from companies previously sanctioned for illegal telemarketing. The Garante found "serious security shortcomings" in Enel's customer management and service activation systems, including violations of the principles of accountability, privacy by design, and proper risk assessment.
Data Subject Rights in Italy
Individuals in Italy enjoy the full set of GDPR data subject rights:
- Right of access (Article 15): Individuals can request confirmation of whether their data is being processed and obtain a copy of that data.
- Right to rectification (Article 16): Individuals can request correction of inaccurate personal data.
- Right to erasure (Article 17): Also known as the "right to be forgotten," individuals can request deletion of their data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
- Right to restriction of processing (Article 18): Individuals can request that processing be limited in certain circumstances.
- Right to data portability (Article 20): Individuals can receive their data in a structured, commonly used, machine-readable format and transfer it to another controller.
- Right to object (Article 21): Individuals can object to processing based on legitimate interests or for direct marketing purposes.
- Right not to be subject to automated decision-making (Article 22): Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Complaints about violations of these rights can be filed directly with the Garante through its online complaint system.
International Data Transfers
Transfers of personal data from Italy to countries outside the European Economic Area (EEA) must comply with GDPR Chapter V requirements.
Adequacy Decisions
Italy recognizes the European Commission's adequacy decisions. As of 2026, the following countries and territories have been deemed to provide adequate protection: Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States (under the EU-US Data Privacy Framework), and Uruguay.
Transfer Mechanisms
For transfers to countries without an adequacy decision, organizations must rely on:
- Standard Contractual Clauses (SCCs): Adopted by the European Commission, these must be supplemented with a Transfer Impact Assessment following the Schrems II ruling.
- Binding Corporate Rules (BCRs): Approved by the competent supervisory authority for intra-group transfers.
- Derogations under Article 49 GDPR: Including explicit consent, contractual necessity, and important reasons of public interest.
The Garante expects organizations to implement supplementary technical measures, particularly encryption, when transferring data to jurisdictions whose surveillance laws may not meet EU standards.
Data Protection Officers
The GDPR requirement to appoint a Data Protection Officer (DPO) applies in Italy when:
- Processing is carried out by a public authority or body (except courts acting in their judicial capacity).
- Core activities involve regular and systematic monitoring of individuals on a large scale.
- Core activities involve large-scale processing of special categories of data or criminal conviction data.
The Garante has provided additional guidance emphasizing that all public administrations in Italy must appoint a DPO, and has encouraged private organizations processing sensitive data (particularly in healthcare and financial services) to do so even when not strictly required.
The NIS2 Directive and Cybersecurity
Italy transposed the EU NIS2 Directive through Legislative Decree 138/2024, which took effect on October 16, 2024. While NIS2 is primarily a cybersecurity measure, it has significant implications for data protection.
Key requirements include:
- Expanded scope: The Italian implementation extends beyond the NIS2 minimum to cover local public transport, research institutions, cultural organizations, and publicly controlled companies.
- Registration deadline: Entities within scope were required to register on the National Cybersecurity Agency (ACN) digital platform by February 28, 2025.
- Incident reporting: Significant cybersecurity incidents must be reported to the ACN, with the initial notification due within 24 hours and a detailed report within 72 hours.
- Privacy-specific controls: The Italian framework includes nine controls specifically addressing data protection, covering matters such as notice to data subjects, lawful processing requirements, and privacy risk management.
Current Priorities and Future Outlook
The Garante's enforcement focus for 2026 reflects the evolving digital landscape:
- Artificial intelligence: Following the ChatGPT and DeepSeek actions, the Garante continues to scrutinize AI companies for GDPR compliance. The AI Act (Regulation EU 2024/1689) adds a new layer of requirements that intersect with data protection.
- Telemarketing abuse: Aggressive telemarketing remains a persistent enforcement target, as demonstrated by the record Enel fine.
- Workplace monitoring: The Garante is increasingly focused on employer use of digital surveillance tools, email metadata retention, and GPS tracking.
- Dark pattern consent mechanisms: Cookie banners and consent flows that manipulate users into accepting data processing are under scrutiny.
- Transparency and information obligations: The Garante is participating in the EDPB's 2026 Coordinated Enforcement Framework, which focuses on transparency compliance across all member states.
The European Health Data Space Regulation (EU 2025/327) will apply from March 2027, creating additional data governance requirements for health data processing in Italy.