Italy Data Privacy Laws: GDPR, Privacy Code & Garante Guide (2026)

Italy governs personal data through the GDPR (Regulation 2016/679), the Italian Privacy Code (Legislative Decree 196/2003, amended by Legislative Decree 101/2018), and Law No. 132/2025 on artificial intelligence. The Garante enforces these laws and can impose fines up to EUR 20 million or 4% of global turnover under GDPR Article 83.
Italy operates one of the most aggressive and comprehensive data protection regimes in Europe. While every EU member state applies the GDPR, Italy layers its own national Privacy Code on top, adds criminal liability for serious violations, and enforces these rules through the Garante per la protezione dei dati personali, a supervisory authority that has repeatedly set enforcement precedents affecting technology companies worldwide.
This guide covers the full legal framework, constitutional basis, key Italian-specific provisions, the Garante's enforcement record through 2026, Italy's national AI law, and practical compliance considerations.
Jurisdiction scope: This article addresses Italian data protection law as it stands in 2026, covering the EU GDPR, the Italian Privacy Code (D.Lgs. 196/2003 as amended), Law No. 132/2025 on artificial intelligence, and the Garante's enforcement record. For the broader EU framework, see EU data privacy laws. For Italy's recording consent rules, see Italy recording laws.
Quick Answer: Italy's Data Privacy Framework
Italy's data protection regime rests on three interlocking legal instruments. The EU GDPR (Regulation 2016/679) applies directly as supranational law, establishing core principles, rights, and penalties. The Italian Privacy Code (Legislative Decree 196/2003, substantially amended by Legislative Decree 101/2018) supplements the GDPR in areas where EU law explicitly leaves room for member state regulation, and it adds criminal penalties for the most serious violations. Law No. 132/2025, enacted September 23, 2025, overlays an AI-specific framework that interacts directly with both the GDPR and the EU AI Act. The Garante per la protezione dei dati personali, established in 1997, supervises compliance, investigates complaints, and issues fines. Any organization processing personal data of individuals in Italy, regardless of where that organization is established, falls within this framework.
Constitutional Basis
Italy's Constitution does not expressly mention a right to privacy or to data protection. Both the Constitutional Court (Corte Costituzionale) and the Supreme Court of Cassation have read privacy protections into two constitutional provisions.
Article 14 of the Italian Constitution guarantees the inviolability of the home. Article 15 guarantees the freedom and confidentiality of correspondence and every other form of communication, and provides that restrictions may only be imposed by judicial authority in the manner provided by law.
Building on these two articles, Italian courts established privacy as a fundamental right well before the GDPR era. The constitutional foundation means data protection norms in Italy carry a heavier legal weight than a purely statutory regime would. Legislation that fails to respect this constitutional baseline can be struck down.
The Charter of Fundamental Rights of the European Union (Articles 7 and 8) adds another layer, guaranteeing respect for private and family life and the protection of personal data as distinct, independent fundamental rights. As EU law, the Charter applies directly in Italy and takes precedence over conflicting national legislation.
The GDPR: Italy's Primary Data Protection Instrument
The General Data Protection Regulation (Regulation EU 2016/679) has applied directly across all EU member states since May 25, 2018. It is a regulation, not a directive, meaning it does not require transposition and operates as law in Italy without separate implementing legislation.
The GDPR establishes:
- Six lawful bases for processing (Article 6): consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Consent must be freely given, specific, informed, and unambiguous. Legitimate interest requires a balancing test against the rights of data subjects.
- Special categories of personal data (Article 9): health data, genetic data, biometric data used for identification, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life or sexual orientation. Processing these categories is prohibited unless one of the exceptions in Article 9(2) applies, such as explicit consent or substantial public interest, and an Article 6 lawful basis is still required alongside it.
- Data subject rights (Articles 12 to 22): access, rectification, erasure (the right to be forgotten), restriction of processing, data portability, objection, and the right not to be subject to solely automated decisions with significant effects.
- Controller and processor obligations (Articles 24 to 43): data protection by design and by default, records of processing activities, data protection impact assessments for high-risk processing, data protection officers, and security measures.
- Breach notification (Articles 33 and 34): supervisory authority notification within 72 hours and individual notification without undue delay for high-risk breaches.
- International transfer restrictions (Articles 44 to 49): transfers to third countries require an adequacy decision, standard contractual clauses, binding corporate rules, or other approved mechanisms.
- Administrative fines (Article 83): up to EUR 10 million or 2% of global turnover for lower-tier violations, and up to EUR 20 million or 4% of global turnover for upper-tier violations.

The Italian Privacy Code (D.Lgs. 196/2003)
Italy's original data protection law predates the GDPR by 15 years. Legislative Decree No. 196 of June 30, 2003, the Codice in materia di protezione dei dati personali, was Italy's comprehensive data privacy statute before the GDPR took effect.
When the GDPR became applicable in May 2018, Italy did not repeal the Privacy Code. Instead, Legislative Decree No. 101 of August 10, 2018 substantially revised it to harmonize with the GDPR. The amended Privacy Code performs several distinct functions.
Member State Discretions
The GDPR explicitly reserves certain areas for national regulation. Italy''s Privacy Code fills these gaps:
- Age of digital consent: Article 2-quinquies sets 14 as the age at which a minor may independently consent to information society services. This is lower than the GDPR's default of 16 but above the minimum floor of 13 that member states may set. For children under 14, consent must be provided or authorized by a holder of parental responsibility, and all communications directed at minors must use particularly clear, simple, and concise language.
- Criminal conviction data: The Privacy Code specifies the conditions under which data relating to criminal offenses or convictions (GDPR Article 10) may be processed.
- Journalism and freedom of expression: Title XII of the Privacy Code balances data protection against journalistic and academic freedom, mirroring the GDPR's requirement that member states reconcile these rights by law.
- Public interest processing: The Privacy Code identifies specific categories of public-interest processing that qualify as legal bases under GDPR Article 6(1)(e), including taxation, statistical purposes, and judicial proceedings.
The ePrivacy Provisions
Title X of the Privacy Code (Articles 121 through 132-quater) implements the EU ePrivacy Directive (Directive 2002/58/EC) for electronic communications. These provisions govern cookies, direct marketing by electronic means, location data, traffic data, and unsolicited communications.
The key rule for cookies is Article 122: installing cookies or accessing information stored on a user's device requires informed consent, except for technically necessary cookies strictly required for the service requested by the user.
The Garante published updated Cookie Guidelines on July 9, 2021, which entered into force January 9, 2022. These guidelines require:
- A cookie banner offering a genuine, frictionless reject option equivalent in prominence to the accept option.
- Granular consent choices covering categories of cookies and individual third parties.
- No legitimate interest as a legal basis for profiling cookies. Consent is the only valid basis under Article 122 of the Privacy Code.
- Analytics cookies that store full IP addresses require consent. They may be treated as technical cookies (no consent needed) only where their identifying power is reduced, by masking at least the fourth octet of the IPv4 address, and the analytics provider neither combines the data with other information nor passes it on to third parties.
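The IP-masking condition above in working form, as an added example that is not taken from the Garante guidelines or from any analytics vendor's tooling. It assumes the usual practice of dropping the fourth IPv4 octet (keeping a /24) and everything past the first 48 bits of an IPv6 address; the log lines it audits are constructed for illustration.

```python
import ipaddress
from typing import List, Optional

# Constructed sample analytics hits in an assumed "<client ip> <path>" format.
# Two of them still carry host bits, two are already masked.
SAMPLE_HITS = [
    "93.184.216.34 /pricing",
    "93.184.216.0 /docs",
    "2001:db8:85a3:8d3:1319:8a2e:370:7348 /",
    "2001:db8:85a3:: /login",
]


def mask_ip(addr: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Zero the host-identifying part of an address.

    IPv4 keeps the first three octets (/24, i.e. the fourth octet is masked);
    IPv6 keeps the first 48 bits. Malformed input raises ValueError so that a
    bad string is never written to the log unchanged.
    """
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def safe_mask(addr: str) -> Optional[str]:
    """mask_ip() that returns None instead of raising, for use in a log pipeline."""
    try:
        return mask_ip(addr)
    except ValueError:
        return None


def is_masked(addr: str) -> bool:
    """True when the stored address already has its host bits cleared."""
    return mask_ip(addr) == str(ipaddress.ip_address(addr))


def unmasked_hits(hits: List[str]) -> List[str]:
    """Audit stored hits and return those whose IP still carries host bits.

    These are the records that would take the analytics cookie out of the
    'technical' category and back into consent territory.
    """
    return [h for h in hits if not is_masked(h.split(" ", 1)[0])]


if __name__ == "__main__":
    for hit in unmasked_hits(SAMPLE_HITS):
        ip, path = hit.split(" ", 1)
        print(f"unmasked: {ip:40} -> should be stored as {mask_ip(ip)}")
```

The audit function is the useful part in practice: masking at ingestion is easy to get right, but a retention store fed by more than one collector tends to accumulate unmasked rows, and that is what an inspection would find.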
In June 2022, the Garante found that use of Google Analytics on Italian websites was unlawful under GDPR Chapter V, because the tool transmitted Italian users' personal data, including IP addresses, to the United States without adequate safeguards. The ruling prompted widespread reassessment of analytics tools across Italy.
In February 2025, the European Commission formally withdrew its proposed ePrivacy Regulation after eight years of stalled negotiations. The ePrivacy Directive, transposed in Italy through Articles 121 to 132-quater of the Privacy Code, remains the applicable law for electronic communications privacy.
Criminal Penalties
Italy is one of the few EU member states that exercises the right under GDPR Article 84 to impose criminal penalties alongside administrative fines. The Privacy Code's criminal provisions are:
- Article 167 (Unlawful Processing): Processing personal data in violation of specified provisions, with intent to profit or cause harm, carries imprisonment from six months to three years.
- Article 167-bis (Unauthorized Communication and Dissemination): Unauthorized communication or large-scale dissemination of personal data, for profit, carries imprisonment from one to six years.
- Article 168 (False Statements to the Garante): Making false declarations or submitting falsified documents to the authority carries imprisonment from six months to three years.
- Article 170 (Non-Compliance with Garante Orders): Failing to comply with a measure imposed by the Garante carries imprisonment from three months to two years.
Criminal penalties are reduced where the Garante has already imposed an administrative fine for the same conduct. Italy's Supreme Court of Cassation has clarified that Article 167 requires proof of specific intent: the defendant must have processed data with the purpose of gaining a profit or inflicting harm. An inadvertent breach does not trigger criminal liability.
The Garante: Structure, Powers, and Track Record
The Garante per la protezione dei dati personali is Italy''s independent supervisory authority under GDPR Article 51. It was established in 1997 as one of the first dedicated data protection authorities in Europe.
Structure
The Garante is a collegiate body of four members. Two are elected by the Camera dei Deputati (Chamber of Deputies) and two by the Senato della Repubblica (Senate). Members serve seven-year non-renewable terms. The authority's enforcement operations are supported by the Guardia di Finanza (financial police).
Powers
Under GDPR Article 58, the Garante holds the full range of supervisory powers:
- Investigative: Ordering controllers and processors to provide information, conducting audits, accessing business premises, and reviewing certifications.
- Corrective: Issuing warnings and reprimands, ordering compliance, ordering data subject notification, imposing temporary or permanent processing bans, ordering erasure, and imposing administrative fines.
- Advisory: Issuing opinions on draft legislation, codes of conduct, and certification criteria; publishing guidelines; and conducting prior consultations on high-risk processing operations.
Enforcement Statistics
The Garante's enforcement output places Italy consistently among the most active data protection regulators in Europe. As of mid-2026, cumulative administrative fines issued by the Garante exceed EUR 315 million across more than 575 published enforcement actions. Italy ranks second in Europe by total number of sanctions issued, with Spain the only country ahead on volume, while Italy's cumulative fine total substantially exceeds Spain's.
The Garante''s inspection program is developed twice yearly. For the first half of 2026, the plan targets over 40 planned inspections, with priority focus areas including telemarketing in the energy sector, AI tools in educational contexts, anonymization techniques, whistleblowing systems, and cookie compliance.
Legal Bases and Consent
Under GDPR Article 6, controllers must identify one of six lawful bases before processing personal data. In Italy, several nuances affect how these bases apply in practice.
Consent must comply with the strict standard in GDPR Article 7 and Recital 32. The Garante consistently rejects pre-ticked boxes, bundled consent, and consent obtained through misleading interfaces or dark patterns. A February 2023 fine against digital marketing company Ediscom was the first EU decision to formally sanction dark patterns in consent mechanisms as a standalone GDPR violation.
Legitimate interests draws particular scrutiny. Electronic direct marketing (automated calls, email, SMS) is reserved to consent by Article 130 of the Privacy Code and profiling cookies to consent by Article 122, so the Garante does not accept legitimate interest as the basis for those activities or for behavioral advertising. Controllers relying on legitimate interest elsewhere must document a genuine balancing test.
Contract performance is broadly accepted for processing genuinely necessary to perform a contract. However, the Garante has warned that service providers should not bundle consent to marketing data processing into general terms and conditions and then claim contract performance as the basis.
Data Subject Rights
Individuals in Italy are entitled to the full suite of GDPR Chapter III rights. Controllers must respond to access requests within one month, extendable to three months for complex requests with prior notice. The Garante has a dedicated online complaint portal through which individuals can submit complaints about violations of their rights.
The right to erasure has generated substantial enforcement activity. The Garante has ordered erasure in cases involving outdated criminal records, inaccurate public databases, and historical news articles that no longer serve a legitimate journalistic purpose proportionate to the privacy intrusion.
For automated individual decision-making under Article 22, Italian financial institutions and insurers face particular scrutiny when using algorithmic scoring for credit applications, insurance pricing, or employment screening without meaningful human review.
Breach Notification Requirements
Controllers must notify the Garante of any personal data breach that poses a risk to the rights and freedoms of natural persons within 72 hours of becoming aware of it. Notification is not required if the breach is unlikely to result in any such risk.
Since July 1, 2021, all breach notifications must be submitted through a dedicated electronic tool on the Garante's website, accompanied by a certified email (PEC) with a qualified digital signature. The notification must describe the nature of the breach, the approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed.
When a breach is likely to result in a high risk to affected individuals, the controller must also notify those individuals directly, without undue delay, in clear and plain language.
The EUR 320,000 component of the 2024 fine against OpenAI illustrates the cost of breach notification failures: that portion concerned OpenAI''s failure to notify the Garante of a March 2023 breach that exposed 440 Italian users'' chat histories and payment information.
Data Protection Officers
The GDPR mandates DPO appointment for:
- Public authorities and bodies (except courts in their judicial capacity).
- Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale.
- Organizations whose core activities involve large-scale processing of special categories of data or criminal conviction data.
The Garante has extended this through guidance: all Italian public administrations must appoint a DPO regardless of scale. The authority has also strongly encouraged private sector organizations in healthcare, financial services, and insurance to appoint a DPO even where not strictly mandated.
DPO contact details must be registered with the Garante and published in privacy notices.
Employee Monitoring: Italy''s Strict Workplace Rules

Italy has some of the most restrictive employee monitoring rules in Europe. The framework operates at the intersection of GDPR obligations and Article 4 of the Workers' Statute (Law No. 300/1970).
Article 4 of the Workers' Statute prohibits using audiovisual or other tools for the purpose of monitoring worker activity. Remote monitoring systems, including GPS tracking, email monitoring, screen capture software, and video surveillance, may only be deployed if:
- An agreement has been reached with the relevant trade union representatives; or
- In the absence of a union agreement, authorization has been obtained from the territorial Labour Inspectorate (Ispettorato del Lavoro).
In June 2024, the Garante issued guidelines on email metadata, finding that metadata generated by corporate email systems (sender, recipient, timestamp, subject line, attachment presence) constitutes personal data that can reveal employee conduct. Under these guidelines, employers may retain email metadata for a maximum of 21 days without triggering the full procedural requirements of Article 4 of the Workers' Statute.
On April 29, 2025, the Garante imposed the first-ever fine under these guidelines: a EUR 50,000 sanction against the Lombardy Region for retaining email metadata for 90 days and internet browsing logs for 365 days. The fine was divided into EUR 20,000 for the email metadata retention, EUR 25,000 for the browsing logs, and EUR 5,000 for help desk ticket data retained for 10 years.
In a separate 2025 decision, the Garante fined a private company EUR 420,000 for using content from an employee's personal Facebook, WhatsApp, and Messenger accounts, accessed without authorization, as the basis for disciplinary proceedings.
Telemarketing: Italy's Most-Fined Sector
Telemarketing and direct marketing abuse is the single largest driver of Garante enforcement by fine volume. Italy maintains a national opt-out register (the Registro delle Opposizioni) covering both landline and mobile numbers.
The Privacy Code's direct marketing provisions require controllers to:
- Obtain specific, prior consent before marketing by telephone, email, SMS, or other electronic means.
- Verify that consent is genuine and traceable to the individual before contacting them.
- Ensure that their downstream partners (call centers, resellers, agents) themselves comply.
The GDPR accountability principle under Article 5(2) means a company cannot escape liability by pointing to an independent contractor who violated the rules. If the company directed or enabled unlawful marketing, it bears responsibility.
International Data Transfers
Transfers of personal data from Italy to countries outside the European Economic Area require compliance with GDPR Chapter V.
As of mid-2026, the European Commission's adequacy decisions cover Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (adequacy extended to 2031), the United States under the EU-US Data Privacy Framework (upheld by the EU General Court in September 2025), and Uruguay.
For transfers to countries without an adequacy decision, controllers must use:
- Standard Contractual Clauses (SCCs): The 2021 European Commission SCCs, supplemented by a Transfer Impact Assessment documenting whether the destination country's laws undermine the protections the SCCs provide.
- Binding Corporate Rules (BCRs): For intra-group transfers, approved by the competent lead supervisory authority.
- Derogations under Article 49 GDPR: Including explicit consent for occasional transfers, contractual necessity, and important public interest grounds.
The Garante's 2022 Google Analytics ruling illustrates the stakes: the authority found that IP address data transferred to Google's US infrastructure was personal data subject to Chapter V, and the supplementary measures then in place were inadequate.
NIS2 and Cybersecurity Obligations
Italy transposed the EU NIS2 Directive through Legislative Decree 138/2024, which took effect October 16, 2024. The Italian transposition extends NIS2''s scope beyond the EU minimum to include local public transport operators, research institutions, cultural organizations, and publicly controlled companies.
Key obligations:
- Registration: Entities in scope were required to register on the National Cybersecurity Agency (ACN) digital platform by February 28, 2025.
- Incident reporting: Significant cybersecurity incidents require an initial notification to the ACN within 24 hours and a detailed follow-up report within 72 hours.
- Security measures: Risk management policies, incident handling, business continuity, supply chain security, cryptography, and multi-factor authentication.
The Italian NIS2 framework includes nine controls specifically addressing data protection, covering lawful processing requirements and privacy risk management.
The EU AI Act and Italy''s National AI Law
Italy's AI regulatory environment now operates across three layers: the GDPR and Privacy Code, the EU AI Act, and Law No. 132/2025.
The EU AI Act (Regulation EU 2024/1689)
The EU AI Act entered into force August 1, 2024. Key milestones:
- February 2, 2025: Prohibitions on unacceptable-risk AI practices apply. These include real-time remote biometric identification in public spaces (with limited exceptions), social scoring systems, and certain manipulative AI techniques.
- August 2, 2025: Obligations for providers of general-purpose AI (GPAI) models apply. Providers must maintain technical documentation, publish summaries of training data, comply with EU copyright law, and conduct systemic risk assessments for the most capable models.
- August 2, 2026: Full European Commission enforcement powers over GPAI providers enter into application.
The AI Act governs AI system safety and risk classification. The GDPR governs the processing of personal data by those systems. An AI system that processes personal data must comply with both frameworks simultaneously.
The Garante retains all its GDPR powers over AI systems that process personal data, as it has demonstrated repeatedly through actions against ChatGPT, DeepSeek, Replika, and Clothoff.
Law No. 132/2025: The First EU National AI Law
Italy became the first EU member state to enact dedicated national AI legislation. Law No. 132/2025 was signed on September 23, 2025, and entered into force October 10, 2025. The law is organized in 28 articles across six chapters.
Key provisions:
Core principles: AI systems must operate with transparency, proportionality, security, data protection, non-discrimination, and respect for human dignity. The law mandates lawful, fair, and transparent processing of personal data, reinforcing GDPR principles explicitly in the AI context.
Healthcare and research: Secondary use of pseudonymized personal data for AI-driven research is permitted without renewed consent, provided the research serves a public interest and transparency safeguards are in place. Before processing begins, controllers must notify the Garante with security measures documentation, a data protection impact assessment, and processor details. Processing may start after 30 days unless the Garante issues a blocking measure.
Employment: Employers must inform employees whenever AI systems are deployed in work processes. This obligation covers the logic and purpose of the AI system, the nature of data and parameters used, accuracy and robustness metrics, human oversight mechanisms, and update protocols. The law requires consultation with unions and regulatory authorities before deploying AI in ways that affect employee evaluation or monitoring.
Protection of minors: Minors under 14 require parental consent for AI system access and related data processing. Minors aged 14 to 18 may consent independently, provided information is easily accessible and comprehensible.
Copyright: The law amended Italy's copyright statute to distinguish AI-assisted works, where human creative effort is present and copyright subsists in the human author, from purely AI-generated works, where no genuine human creative intervention occurred and copyright protection does not attach.
Government delegation: Law 132/2025 delegates the Government to issue implementing legislative decrees within 12 months, establishing the legal framework for data, algorithms, and mathematical models used in AI training, including a penalties regime.
The Garante retains all GDPR powers without alteration under Law 132/2025.
Penalties: The Full Framework
Italy's penalty structure combines GDPR administrative fines with national criminal penalties, making it the most layered enforcement framework in the EU.
| Violation Type | Maximum Administrative Fine | Criminal Exposure |
|---|---|---|
| Lower-tier GDPR (Art. 83(4)) | EUR 10M or 2% global turnover | None |
| Upper-tier GDPR (Art. 83(5-6)) | EUR 20M or 4% global turnover | None |
| Unlawful processing, profit/harm intent (Art. 167) | Administrative fine + | 6 months to 3 years |
| Large-scale unauthorized disclosure (Art. 167-bis) | Administrative fine + | 1 to 6 years |
| False statements to Garante (Art. 168) | Administrative fine + | 6 months to 3 years |
| Non-compliance with Garante orders (Art. 170) | Administrative fine + | 3 months to 2 years |
Criminal penalties are reduced when an administrative fine has already been imposed for the same conduct. That reduction is a rule of the Privacy Code itself; GDPR Article 84 only authorizes member states to provide criminal penalties, it does not set the reduction.
Landmark Enforcement Actions
Enel Energia: EUR 79.1 Million for Telemarketing (February 2024)
The largest fine in Italian data protection history. The Garante imposed EUR 79.1 million on Enel Energia on February 8, 2024, for systemic failures in managing its commercial network. The authority found that Enel had acquired at least 978 contracts from companies previously sanctioned for illegal telemarketing. The investigation revealed serious shortcomings in customer management systems, violations of the accountability and privacy-by-design principles, and failure to conduct adequate risk assessments on downstream sales agencies.
Clearview AI: EUR 20 Million (February 2022)
The Garante imposed EUR 20 million on Clearview AI on February 10, 2022, for scraping billions of images from the internet and building a biometric identification database without any lawful basis. The violations included: no legal basis for processing; breach of transparency obligations; violation of purpose limitation (images posted for personal use repurposed for biometric surveillance); and no data retention limits. The Garante ordered deletion of all biometric data relating to individuals in Italy and required Clearview to appoint an EU representative.
OpenAI and ChatGPT (March 2023 to March 2026)
On March 30, 2023, the Garante issued an emergency ban on ChatGPT processing Italian users' personal data, making Italy the first Western country to ban a major AI chatbot. The cited violations: lack of transparency; no legal basis for training data collection; AI hallucinations presenting false information about real individuals; and inadequate age verification.
The ban was suspended on April 11, 2023, after OpenAI committed to corrective measures. ChatGPT was restored on April 28, 2023.
On December 20, 2024, the Garante concluded its full investigation and imposed a EUR 15 million fine: EUR 9 million for processing personal data without an adequate legal basis; EUR 5.68 million for non-compliance with the 2023 corrective measures; and EUR 320,000 for failing to notify the Garante of a March 2023 breach affecting 440 Italian users.
The Garante also ordered a six-month public awareness campaign across Italian television, radio, and newspapers.
OpenAI appealed. A Rome court provisionally suspended the fine in March 2025. On March 19, 2026, the Rome court overturned the EUR 15 million fine. The court has not published its full reasoning.
TikTok: Age Verification and Child Safety (2021 to 2022)
Following the death of 10-year-old Antonella Sicomero in January 2021 during a challenge she encountered on TikTok, the Garante ordered TikTok to block users whose age could not be verified. TikTok was required to re-verify every Italian user's age. The result: over 500,000 accounts removed, approximately 400,000 for users declaring an age under 13. In 2022, the Garante issued a further warning to TikTok regarding its planned use of legitimate interest for behavioral advertising, finding that approach incompatible with Italian consent requirements.
DeepSeek: Blocked Within 48 Hours (January 2025)
On January 28, 2025, the Garante sent a formal information request to DeepSeek's operators. DeepSeek responded before the 20-day deadline, but the Garante found the responses insufficient. The company claimed it did not operate in Italy and was not subject to the GDPR; its own privacy policy stated that user data was stored in China without the safeguards required by GDPR Chapter V. On January 30, 2025, the Garante imposed an immediate and definitive ban on DeepSeek processing Italian users' personal data. The ban remains in effect.
Replika / Luka Inc.: EUR 5 Million (May 2025)
On May 20, 2025, the Garante fined Luka Inc. EUR 5 million for GDPR violations by the Replika AI companion chatbot. The authority found no valid legal basis for processing user data under GDPR Article 6, and found that Replika lacked any effective age verification despite targeting emotionally vulnerable users including minors. The EDPB published the finding.
Intesa Sanpaolo: EUR 31.8 Million for Insider Breach (March 2026)
On March 26, 2026, the Garante imposed EUR 31.8 million on Intesa Sanpaolo after a single employee made 6,637 unauthorized queries of banking data belonging to 3,573 customers, including politicians and senior officials, over more than two years. The authority found inadequate access controls, monitoring thresholds, and breach notification to affected individuals. The bank had previously received a separate EUR 17.6 million fine for unlawfully processing approximately 2.4 million customers' data during a corporate restructuring involving the transfer of accounts to its digital subsidiary Isybank.
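The monitoring gap in the Intesa Sanpaolo case is the kind of control a detection engineer implements as a per-employee rate rule over account-lookup logs: a lookup is justified when the customer is in the employee's own portfolio or a service ticket references it, and a burst of unjustified lookups inside a sliding window is what should page someone. The following is an added example, not the bank's system and not anything from the Garante decision; the log format, the portfolio/offportfolio scope flag, the ticket field and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, illustrative only. Assumed format per line:
#   "<ISO timestamp> <employee_id> <customer_id> <portfolio|offportfolio> <ticket|->"
# e001 works its own customers; e042 browses customers it has no relation to;
# e077 makes two unrelated lookups weeks apart.
SAMPLE_LOG = """
2025-01-06T09:02:11 e001 c1001 portfolio -
2025-01-06T09:05:40 e001 c1002 portfolio -
2025-01-07T10:11:03 e001 c1003 offportfolio T-5521
2025-01-06T08:55:01 e042 c2001 offportfolio -
2025-01-06T08:55:09 e042 c2002 offportfolio -
2025-01-06T08:55:17 e042 c2003 offportfolio -
2025-01-07T18:40:02 e042 c2004 offportfolio -
2025-01-07T18:40:30 e042 c2001 offportfolio -
2025-01-08T07:12:45 e042 c2005 offportfolio -
2025-01-03T11:00:00 e077 c3001 offportfolio -
2025-01-23T11:00:00 e077 c3002 offportfolio -
"""


@dataclass
class Access:
    ts: datetime
    employee: str
    customer: str
    in_portfolio: bool  # customer is assigned to this employee (need-to-know satisfied)
    has_ticket: bool    # lookup references a documented service request


def parse_log(text: str) -> List[Access]:
    """Parse the assumed log format into Access records."""
    records = []
    for line in text.strip().splitlines():
        ts, emp, cust, scope, ticket = line.split()
        records.append(Access(datetime.fromisoformat(ts), emp, cust,
                              scope == "portfolio", ticket != "-"))
    return records


def peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any sliding window of the given length."""
    times = sorted(times)
    peak = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:   # slide the left edge forward
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def detect_insider_access(text: str, window_days: int = 7, limit: int = 3) -> Dict[str, dict]:
    """Flag employees whose unjustified lookups (off-portfolio and without a
    ticket) exceed `limit` within any `window_days` period.

    Returns {employee_id: {"peak": n, "distinct_customers": k, "total": m}}.
    """
    unjustified: Dict[str, List[Access]] = defaultdict(list)
    for rec in parse_log(text):
        if not rec.in_portfolio and not rec.has_ticket:
            unjustified[rec.employee].append(rec)

    alerts: Dict[str, dict] = {}
    for emp, recs in unjustified.items():
        peak = peak_in_window([r.ts for r in recs], timedelta(days=window_days))
        if peak > limit:
            alerts[emp] = {
                "peak": peak,
                "distinct_customers": len({r.customer for r in recs}),
                "total": len(recs),
            }
    return alerts


if __name__ == "__main__":
    for emp, info in detect_insider_access(SAMPLE_LOG).items():
        print(f"ALERT {emp}: {info['peak']} unjustified lookups in 7 days, "
              f"{info['distinct_customers']} distinct customers")
```

The rule deliberately keys on justification rather than raw volume: a branch employee legitimately touches many records, so a volume-only threshold either floods the SOC or, tuned to silence, lets a slow multi-year pattern like the one in the decision through. The window parameter is what a real deployment would tune against historical logs before going live.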
Clothoff: AI Deep Nude App Blocked (October 2025)
On October 3, 2025, the Garante issued an emergency 60-day limitation on Clothoff, a generative AI application that creates hyper-realistic fake nude images by processing uploaded photographs. The investigation found no consent mechanism from individuals whose images were processed, no disclosure that content was AI-generated, and no age verification preventing minors from using the tool or being depicted in generated images.

Recent Developments (2024 to 2026)
ePrivacy Regulation withdrawn: In February 2025, the European Commission formally withdrew its proposed ePrivacy Regulation after eight years of stalled negotiations. The ePrivacy Directive (2002/58/EC), transposed in Italy through Articles 121 to 132-quater of the Privacy Code, remains the applicable law.
EU-US Data Privacy Framework upheld: In September 2025, the EU General Court dismissed a challenge to the EU-US Data Privacy Framework, confirming the United States provides adequate protection for personal data transferred from the EU. Transfers to Framework-certified US organizations remain permissible.
UK adequacy extended to 2031: On October 20, 2025, the EDPB adopted a positive opinion on extending the UK's adequacy decision, confirming the UK continues to maintain a data protection regime essentially equivalent to the GDPR.
Brazil adequacy proceeding: In September 2025, the European Commission published a draft adequacy decision for Brazil, with a positive EDPB opinion following in October 2025.
EDPB 2026 Coordinated Enforcement: The EDPB's 2026 coordinated enforcement initiative focuses on transparency obligations across all member states. The Garante is participating, meaning organizations in Italy should expect heightened scrutiny of privacy notices and transparency documentation.
European Health Data Space: Regulation (EU) 2025/327 will apply from March 2027, creating new governance requirements for health data processing in Italy that will interact with the AI research permissions under Law 132/2025.
Business Compliance Considerations
Organizations processing personal data of individuals in Italy should address the following:
Legal basis documentation: Identify and document the lawful basis for every processing activity. Review whether consent obtained for marketing is genuine, specific, and freely given. Eliminate pre-ticked boxes and consent bundled with terms of service.
Privacy notices: Provide Italian-language privacy notices for services directed at Italian residents. Notices must be clear and concise, with granular disclosure of data categories, purposes, retention periods, recipients, and international transfers.
Cookie banner compliance: Deploy a consent management platform that offers a reject option as prominent as the accept option and records each consent with its timestamp and the method by which it was given. Profiling cookies cannot be set on the basis of legitimate interest; they require consent.
Employee monitoring: Any system capable of monitoring employee activity requires either a union agreement or Labour Inspectorate authorization. Email metadata retention must not exceed 21 days unless the full Article 4 procedure of the Workers' Statute has been completed.
Data breach response: Maintain a documented breach response procedure with a clear 72-hour Garante notification window, internal escalation paths, a breach log, and criteria for assessing whether individual notification is required.
DPO appointment: All public bodies must appoint a DPO. Private organizations in healthcare and financial services should assess whether appointment is mandatory or strongly advisable.
International transfers: For US transfers, verify EU-US Data Privacy Framework certification of the recipient. For all non-EEA transfers without an adequacy decision, execute current SCCs and document the Transfer Impact Assessment.
AI systems: Any AI system processing personal data of Italian residents must comply with the GDPR, satisfy the relevant tier of EU AI Act obligations, and for workplace deployments, satisfy the transparency and union consultation requirements of Law 132/2025.
Records of processing: Maintain Article 30 ROPA documentation. The Garante requests the ROPA as a first step in almost any investigation.
Frequently Asked Questions
Does the GDPR apply directly in Italy, or does Italy have its own separate data privacy law?
Both frameworks apply simultaneously. The GDPR applies directly as EU law and does not require separate national legislation. Italy also maintains its Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018), which supplements the GDPR in areas where EU law leaves discretion to member states. These include the age of digital consent (set at 14 in Italy), criminal penalties for serious violations, employee monitoring rules, and specific cookie and electronic communications requirements. Law No. 132/2025 adds a further AI-specific layer. All three instruments must be satisfied by organizations processing personal data of individuals in Italy.
Can you go to prison for a data privacy violation in Italy?
Yes. Italy is one of the few EU member states that imposes criminal penalties alongside administrative fines. Article 167 of the Privacy Code provides for imprisonment of six months to three years for unlawful processing carried out with intent to profit or cause harm. Article 167-bis covers unauthorized large-scale dissemination of personal data and carries one to six years. Article 168 punishes false statements to the Garante with six months to three years. Article 170 punishes non-compliance with Garante orders with three months to two years. Criminal and administrative sanctions can both apply to the same conduct, though criminal penalties are reduced where an administrative fine has already been imposed.
What happened with Italy and ChatGPT?
Italy became the first Western country to ban a major AI chatbot when the Garante issued an emergency order on March 30, 2023 temporarily prohibiting OpenAI from processing personal data of individuals in Italy. The Garante cited lack of transparency, no legal basis for training data collection, AI hallucinations presenting false information about real people, and inadequate age verification. The ban lasted approximately one month; OpenAI implemented corrective measures and ChatGPT was restored on April 28, 2023. The Garante concluded its full investigation on December 20, 2024 and imposed a EUR 15 million fine. OpenAI appealed, and on March 19, 2026, a Rome court overturned the fine. The court has not yet published its full reasoning.
How long does a company have to report a data breach to the Italian authorities?
Controllers must notify the Garante within 72 hours of becoming aware of a personal data breach that poses a risk to the rights and freedoms of natural persons. Since July 2021, notifications must be submitted through the Garante's dedicated electronic portal with a certified email (PEC) and qualified digital signature. Where the breach poses a high risk to affected individuals, the controller must also notify those individuals directly without undue delay. OpenAI's failure to report a March 2023 breach within 72 hours contributed EUR 320,000 to the 2024 enforcement action against the company.
Can employers monitor employee email and internet activity in Italy?
Only under strict conditions. Article 4 of the Workers' Statute (Law 300/1970) prohibits employers from using surveillance systems to monitor employee activity without either a trade union agreement or Labour Inspectorate authorization. The Garante's June 2024 guidelines on email metadata allow retention of email metadata (sender, recipient, timestamps, subject lines) for a maximum of 21 days without triggering Article 4's full requirements. Retention beyond 21 days requires the union or inspectorate authorization process. The Garante's first fine under these guidelines, EUR 50,000 against the Lombardy Region in April 2025, concerned email metadata retained for 90 days and browsing logs retained for 12 months.
What is Italy's national AI law and how does it affect data protection?
Law No. 132/2025, signed September 23, 2025 and in force from October 10, 2025, made Italy the first EU member state to enact dedicated national AI legislation. The law complements the EU AI Act and reinforces GDPR principles in the AI context. Key data protection interactions: AI systems must process personal data lawfully, fairly, and transparently; secondary use of pseudonymized health data for AI research is permitted without renewed consent but requires prior notification to the Garante with a 30-day waiting period; employers must disclose AI system use to employees including data parameters and oversight mechanisms; minors under 14 require parental consent for AI system access and related data processing. The Garante retains all its GDPR enforcement powers without any change.
What are the largest fines the Italian Garante has ever issued?
The largest fine in Italian data protection history is the EUR 79.1 million sanction against Enel Energia in February 2024 for systematic telemarketing supply chain failures. Other major fines include: EUR 31.8 million against Intesa Sanpaolo in March 2026 for an insider data breach; EUR 20 million against Clearview AI in February 2022 for unlawful facial recognition data collection; EUR 17.6 million against Intesa Sanpaolo for unlawful customer profiling during a corporate restructuring; EUR 15 million against OpenAI in December 2024 (overturned by a Rome court in March 2026); and EUR 5 million against Luka Inc. (Replika) in May 2025 for AI chatbot GDPR violations.
Does Italy allow transfers of personal data to the United States?
Yes, subject to the EU-US Data Privacy Framework. Following the European Commission's adequacy decision and its upholding by the EU General Court in September 2025, transfers to US organizations certified under the Framework are permitted. For US recipients not certified under the Framework, transfers require Standard Contractual Clauses supplemented by a Transfer Impact Assessment. The Garante's 2022 ruling against Google Analytics use in Italy was based on inadequate transfer safeguards under the old regime before the Framework was established.
Sources and References
- Legislative Decree No. 196/2003 (Italian Privacy Code) (normattiva.it)
- Legislative Decree No. 101/2018 (GDPR Harmonization) (normattiva.it)
- Garante per la protezione dei dati personali, official website (garanteprivacy.it)
- EU General Data Protection Regulation (GDPR), full text (eur-lex.europa.eu)
- EU AI Act (Regulation (EU) 2024/1689), full text (eur-lex.europa.eu)
- EDPB: Italian SA Fines Clearview AI EUR 20 Million (edpb.europa.eu)
- Euronews: Italy Fines OpenAI EUR 15 Million (euronews.com)
- EDPB: Italian DPA Imposes Limitation on TikTok (edpb.europa.eu)
- Legislative Decree 138/2024 (NIS2 Transposition) (normattiva.it)
- Orsingher: Analysis of the Enel Energia Fine (orsingher.com)
- EDPB: Italian SA Fines Replika Maker Luka Inc. EUR 5 Million (edpb.europa.eu)
- Norton Rose Fulbright: Italy Enacts Law No. 132/2025 on AI (nortonrosefulbright.com)
- Cleary Gottlieb: Italy Adopts First National AI Law in Europe (clearygottlieb.com)
- EDPB: Italian SA Bans Use of Google Analytics (edpb.europa.eu)
- DLA Piper: Italy Garante Issues First GDPR Fine Over Employees' Email Metadata (privacymatters.dlapiper.com)
- Captain Compliance: Intesa Sanpaolo EUR 31.8 Million Fine (captaincompliance.com)