Italy - Data Protection Overview

February 2024

1. Governing Texts

Italy has implemented the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by amending the Italian Personal Data Protection Code ('the Code'). Compliance with the GDPR and the Code is supervised by the Italian Data Protection Authority ('Garante') which, among other things, handles data subjects' complaints, prescribes specific data protection measures for data controllers and processors, and adopts guidelines to assist organizations in complying with personal data protection laws.

1.1. Key acts, regulations, directives, bills

Legislative Decree no. 101 of 10 August 2018 (only available in Italian here) ('the Decree') has amended the Code in order to implement the provisions of the GDPR. In particular, the Decree was published in the Italian Official Gazette on September 4, 2018 (coming into effect on September 19, 2018) and repealed those sections of the Code – stemming from the implementation of the previous Data Protection Directive (Directive 95/46/EC) – which were directly conflicting with the GDPR. Furthermore, the Decree introduced a number of new provisions as a consequence of the GDPR.

1.2. Guidelines

The Garante has published a general guide on the application of the GDPR (only available in Italian here) which provides high-level guidance on how to apply it. The Garante has also published a number of Guidelines (only available in Italian here) and/or frequently asked questions ('FAQs') (only available in Italian here) on various topics related to the application of the GDPR (e.g., unsolicited marketing calls, video surveillance, etc.) and approved a new code of conduct under Article 40 of the GDPR, the Code of conduct for telemarketing and teleselling activities (only available in Italian here), which, however, is not yet in force because the competent monitoring body pursuant to Article 41 of the GDPR has not yet been appointed.

The Guidelines on the use of cookies and other tracking tools, published by the Garante on June 10, 2021, came into force on January 9, 2022.

1.3. Case law

Please find below some recent decisions of the Italian Supreme Court ('the Supreme Court'):

  • Decision no. 28385 of 11 October 2023: with regard to breach of the provisions on the processing of personal data, the Garante may also impose administrative fines on public authorities or public bodies.
  • Decision no. 13121 of 12 May 2023: the processing of judicial personal data carried out by the Court Appointed Expert ('Consulente Tecnico') is not subject to the obligation to provide information and collect prior consent, provided that the data is (i) related to judicial matters and disputes that justified the collection, (ii) processed only for the purposes for which it was collected, and (iii) the Court Appointed Expert is authorized by the Judge.
  • Decision no. 13073 of 12 May 2023 (only available in Italian here): regarding unlawful processing of personal data, the principle of damage 'in re ipsa' must be excluded. Instead, the right to compensation for damage has to be balanced with the principle enshrined in the Constitution of the Italian Republic ('the Italian Constitution'). It follows that the mere violation of formal prescriptions on the subject of data processing may not give rise to damage, whereas a violation that concretely offends the actual scope of the right to privacy may lead to compensation.
  • Decision no. 9313 of 4 April 2023 (only available in Italian here): the person responsible for the obligation to provide an answer as to whether or not a data subject's personal data is in their possession is the data controller, the recipient of the access request, whereas the data subject cannot be required to prove in court that the data controller held the personal data concerning him. The data controller must always reply to the proposed request, even in negative terms, expressly stating whether or not they are in possession of the data for which access is requested.
  • Decision no. 2893 of 01 January 2023 (only available in Italian here): with regard to the processing of personal data and the right to be forgotten, it is lawful for a press article, previously legitimately published, to remain in the digital archive of a newspaper regarding events from the past that were the subject of a judicial investigation leading to the defendant's acquittal. However, this is permissible only if, upon the individual's request, the article is deindexed and not searchable through common search engines but can be accessed solely through the newspaper's historical archive. Furthermore, upon request of the individual, a concise informational note must be added to the article, stating the outcome of the judicial proceeding. This approach aims to balance the right to be informed and to freedom of speech enshrined in Article 21 of the Constitution with the right of the data subject to avoid undue harm to their social image.
  • Decision no. 9920 of 28 March 2022: following the same reasoning adopted in decision no. 11019 of 26 April 2021 outlined below, an electronic communication aimed at collecting the data subject's consent is itself an electronic communication under Article 130(1) of the Code, and therefore requires the prior consent of the data subject.
  • Decision no. 11019 of 26 April 2021: a telephone communication aimed at obtaining consent for marketing purposes from a data subject who previously denied it is itself a new commercial communication because asking customers' consent for marketing purposes is a processing of personal data for marketing purposes itself.

2. Scope of Application

2.1. Personal scope

No variations from the GDPR are provided by Italian data protection laws.

2.2. Territorial scope

No variations from the GDPR are provided by Italian data protection laws.

2.3. Material scope

No variations from the GDPR are provided by Italian data protection laws.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The main regulator for data protection is the Garante, which is headquartered in Rome.

3.2. Main powers, duties and responsibilities

The Garante's main functions are:

  • supervising data processing activities to ensure the respect of data protection rules;
  • taking actions upon complaints lodged by data subjects;
  • laying down ethical rules for personal data processing carried out both by public and private bodies in the employment context;
  • reporting crimes that can be prosecuted ex officio and detected in the exercise of its powers and functions;
  • mandating specific measures to data controllers and processors to correctly process personal data;
  • prohibiting or blocking data processing activities that may constitute a risk for data subjects;
  • adopting resolutions and draft opinions;
  • proposing to the Italian Government and the Italian Parliament the adoption of specific legislative or regulatory measures;
  • raising awareness among citizens about data protection and involving them in public consultations in relation to the drafting of general resolutions;
  • controlling or assisting in matters of data protection provided by national ratification laws, by international conventions or by acts of the EU;
  • cooperating with the other Italian independent administrative authorities and assisting them in the performance of their duties; and
  • adopting guidelines related to organizational and technical measures implementing the GDPR principles.

Also, the Garante may be legally represented by the State Attorney's Office (Avvocatura dello Stato) and is entitled to take legal action against any data controllers or data processors that violate provisions concerning the protection of personal data. According to Article 167(5) of the Code, the Garante is entitled to transmit documentation collected during its investigative activities to the judicial authorities if it finds elements suggesting that a crime has been committed. Furthermore, the Garante has been granted the power to introduce simplified procedures and means for small and medium-sized companies to comply with the data controller's obligations under the GDPR.

Finally, pursuant to Article 144-bis of the Code, individuals 14 years and older who have a strong reason to believe that explicit images or videos concerning them could be disseminated without their consent may submit a report or complaint to the Garante. The Garante is required to proceed in accordance with Article 58 of the GDPR and Articles 143 and 144 of the Code within 48 hours of receipt of the request, by initiating the appropriate investigations.

4. Key Definitions

Data controller: No variations from the GDPR are provided by Italian data protection laws.

Data processor: No variations from the GDPR are provided by Italian data protection laws.

Personal data: No variations from the GDPR are provided by Italian data protection laws.

Sensitive data: No variations from the GDPR are provided by Italian data protection laws.

Health data: No variations from the GDPR are provided by Italian data protection laws.

Biometric data: No variations from the GDPR are provided by Italian data protection laws.

Pseudonymization: No variations from the GDPR are provided by Italian data protection laws.

Communication: According to Article 2-ter(4)(a) of the Code, any form of disclosure of personal data made to one or more specific persons other than the following: data subjects, representatives of the data controller in the territory of the EU, or authorized persons pursuant to Article 2-quaterdecies of the Code.

Dissemination: According to Article 2-ter(4)(b) of the Code, the disclosure of personal data, in any form, to unspecified or unknown persons, including by making the data available for consultation.

5. Legal Bases

5.1. Consent

Children consent

Article 2-quinquies of the Code provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is under the age of 14 years, such consent must be given by the person holding parental responsibility (see also section on special categories of personal data).

Special categories of personal data

Article 107 of the Code provides that consent to the processing of special categories of personal data (when used as a legal basis) may also be given in accordance with simplified arrangements approved by the Garante, as set out in the rules of conduct referred to in Article 106 of the Code (e.g., codes of conduct and professional practices by private and public entities, including scientific societies and professional associations, which are involved in the processing of data for statistical or scientific purposes), or in the measures referred to in Article 2-septies (e.g., a decision by the Garante that takes into account the guidelines, recommendations and best practices published by the European Data Protection Board ('EDPB') and best practices on the processing of personal data). For the sake of completeness, the processing of special categories of personal data should also comply with the general authorizations published by the Garante (see section on legal bases in other instances).

Article 110 of the Code provides that the data subject's consent shall not be required for the processing of personal data relating to health for scientific research purposes in the medical, bio-medical, or epidemiological sectors.

5.2. Contract with the data subject

No variations from the GDPR are provided by Italian data protection laws. As a general remark, in proceedings before the Irish Data Protection Commission the Garante objected to the use of the contractual legal basis for behavioural advertising activities and pushed for that basis to be rejected.

5.3. Legal obligations

Article 2-ter of the Code provides that processing based on a 'legal obligation' pursuant to Article 6(1)(c) and Article 6(3)(b) of the GDPR shall only be permitted when required by a law, a regulation, or an administrative act of a general nature (e.g., acts adopted by competent Ministries with general scope of application).

5.4. Interests of the data subject

No variations from the GDPR are provided by Italian data protection laws.

5.5. Public interest

Article 2-ter of the Code provides that personal data may be communicated between controllers for the performance of a task carried out in the public interest or in the exercise of official authority only if either:

  • the communication is provided by a law or a regulation; or
  • the communication is necessary to carry out tasks in the public interest or to fulfil institutional duties and the Garante has been previously informed.

Furthermore, pursuant to Article 2-ter(1-bis) of the Code, public administrations, independent authorities, and state-controlled companies are always allowed to process personal data where necessary for the performance of a task carried out in the public interest or for the exercise of public powers vested in them.

Where the purpose of the processing is provided for neither by a law nor by a regulation, the purpose is specified by the administration or state-controlled company itself, in line with the task performed or the powers exercised. Such authorities shall provide:

  • the identity of the data controller and the purposes of the processing; and
  • any other information necessary to ensure correct and transparent processing regarding data subjects and their rights to obtain confirmation and communication of the processing of their personal data.

5.6. Legitimate interests of the data controller

No variations from the GDPR are provided by Italian data protection laws.

As a general remark, the Garante warned a social platform that it is unlawful to process personal data stored in users' devices to profile and send them personalized advertising without their explicit consent, stating that the use of legitimate interest as a legal basis for 'personalized' advertising is unlawful (decision available in Italian here).

5.7. Legal bases in other instances

The Garante has the power to adopt general authorizations and ethical rules and approve codes of conduct (described below), which set forth further specifications on conditions of lawfulness on certain processing activities.

The Garante's general authorizations

The general authorizations issued by the Garante set forth the conditions for certain processing activities, by indicating the permitted purposes and modalities of the processing. Pursuant to Article 21(1) of the Decree, the Garante, by means of Resolution no. 497 of 13 December 2018 (only available in Italian here) and Resolution no. 146 of 5 June 2019 (only available in Italian here), identified and updated the general authorizations that are compatible with the GDPR and with the Decree. The general authorizations currently effective are those regarding:

  • the processing of special categories of personal data in the employment context (former general authorisation no. 1/2016) (only available in Italian here);
  • the processing of special categories of personal data by associations and foundations (former general authorisation no. 3/2016) (only available in Italian here);
  • the processing of special categories of personal data by private investigators (former general authorisation no. 6/2016) (only available in Italian here);
  • the processing of genetic data (former general authorisation no. 8/2016) (only available in Italian here); and
  • the processing of personal data for scientific research purposes (former general authorisation no. 9/2016) (only available in Italian here).

The previous general authorizations, considered incompatible, are no longer effective.

Ethical rules and codes of conduct

After the entry into force of the GDPR, the Garante amended the previously issued codes of ethics (renamed 'ethical rules') in order to align them with the new European provisions and adopted new versions of codes of conduct. Pursuant to Article 2-quater of the Code, ethical rules are issued directly by the Garante and compliance with them constitutes an essential condition for the lawfulness and fairness of the processing of personal data to which they relate. Any failure to comply with such provisions may lead to the application of the sanctions set out in Article 83(5) of the GDPR.

Codes of conduct are instead drafted by associations or other entities representing the categories of data controllers or processors and are subject to the Garante's approval. Adherence to such codes of conduct is not compulsory.

The ethical rules and codes of conduct currently in force are the following:

  • ethical rules for the processing of personal data in the journalistic activity (only available in Italian here);
  • ethical rules for the processing of personal data for defensive investigations or to assert or defend a right in judicial proceedings (only available in Italian here);
  • ethical rules for processing for archiving purposes in the public interest or for historical research purposes (only available in Italian here);
  • ethical rules for the processing for statistical or scientific research purposes carried out within the National Statistical System (only available in Italian here);
  • ethical rules for processing for statistical or scientific research purposes (only available in Italian here);
  • code of conduct for information systems managed by private entities on consumer credit, reliability and punctuality of payments (only available in Italian here);
  • code of conduct for the processing of personal data for commercial information purposes, drawn up by the National Association of Commercial Information and Credit Management Companies (only available in Italian here);
  • code of conduct for the processing of health data for educational and scientific publication purposes (only available in Italian here); and
  • code of conduct for telemarketing and teleselling activities (only available in Italian here).

On March 4, 2022, the Garante published the Register of Codes of Conduct (only available in Italian here) as provided for by Article 40(6) of the GDPR. The Register of Codes of Conduct – that will be kept constantly updated – includes all the codes of conduct approved by the Garante or the EDPB.

6. Principles

No variations from the GDPR are provided by Italian data protection laws.

7. Controller and Processor Obligations

7.1. Data processing notification

According to Article 110-bis of the Code, the Garante can authorize, following prior consultation, the processing of personal data (including special categories of personal data listed under Article 9 of the GDPR) carried out by third parties for scientific research or statistical purposes when it is impossible for them to inform the data subjects, when informing them would involve a disproportionate effort, or when it would seriously impair the purposes of the research. In such cases, appropriate measures must be adopted to protect the rights, freedoms, and legitimate interests of the data subjects.

Furthermore, data controllers are required to notify the Garante before commencing processing that is based on legitimate interest and involves the use of new technologies or automated tools, in the case of processing of personal data functional to authorizing a change of name or surname of minors (Article 22(5) of the Decree). With reference to such processing, the Garante may, within the limits and in the manner set forth in Article 36 of the GDPR, adopt general measures pursuant to Article 2-quinquiesdecies of the Code concerning processing activities that present high risks for the performance of a task in the public interest.

The notice to the Garante must include the object, purpose, and context of the processing, and must follow the template to be provided by the Garante (Article 1(1022) of Law of 27 December 2017, no. 205, Budget of the State for the Financial Year 2018 and Multi-Year Budget for the Three-Year Period 2018-2020 (only available in Italian here) ('the Budget Law')). However, in order to reduce the administrative burden, entities that comply with the measures referred to in the second sentence of Article 22(5) of the Decree are exempt from sending the Garante the information notice referred to in Article 1(1022) of the Budget Law.

Following such notification, the Garante will assess the processing and, should it establish that there is a risk to the rights and freedoms of the data subjects, it can request further information and integrations, and where it deems that the processing would have a negative impact, it can forbid the same (Article 1(1023) of the Budget Law).

Notably, as far as we are aware, the Garante has not issued a notification template for the abovementioned notification requirement. However, the Garante may be contacted at its ordinary email address or at its certified email (PEC) address.

7.2. Data transfers

No variations from the GDPR are provided by Italian data protection laws.

7.3. Data processing records

No variations from the GDPR are provided by Italian data protection laws.

7.4. Data protection impact assessment

Pursuant to Article 35 of the GDPR, the Garante issued Resolution no. 467 of 11 October 2018 (only available in Italian here) providing for a non-exhaustive list of processing operations subject to a Data Protection Impact Assessment ('DPIA') ('the Italy Blacklist').

The Italy Blacklist provides that the following types of processing operations require a DPIA:

  • evaluation or scoring processing on a large scale, as well as processing involving profiling of data subjects and the performance of predictive activities, also carried out online or through apps, relating to aspects concerning professional performance, economic situation, health, preferences or personal interests, reliability or behaviour, location or movements of the data subject;
  • automated processing for the purpose of taking decisions having 'legal effects' or having 'similarly significant effects' on the affected person, including decisions preventing the exercise of a right, the use of a good or service, or continuing to be a part of an existing contract (e.g., screening of a bank's clients through the use of data recorded in a risk centre);
  • processing involving the systematic use of data for the observation, monitoring, or control of data subjects, including the collection of data through networks, also carried out online or through apps, as well as the processing of unique identifiers capable of identifying users of information society services including web services, interactive TV, etc. in relation to their habits of use and viewing data for extended periods. This also includes the processing of metadata, e.g., in the field of telecommunications, banks, etc., not only for profiling purposes, but more generally for organizational reasons, budget forecasts, technological upgrades, network improvements, anti-fraud, anti-spam, and security services, etc.;
  • large-scale processing of data of a highly personal nature. This includes, inter alia, data related to family or private life (such as data relating to electronic communications whose confidentiality needs to be protected), processing affecting the exercise of a fundamental right (such as location data, the collection of which jeopardizes freedom of movement), or data whose violation has a serious impact on the daily life of the data subject (such as financial data that could be used to commit payment fraud);
  • processing carried out as part of the employment relationship using technological systems (including video surveillance and geolocation systems) from which it is possible to carry out a remote control of employees' activities;
  • non-occasional processing of data of vulnerable persons (minors, disabled, elderly, mentally ill, patients, asylum seekers);
  • processing carried out through the use of innovative technologies, even when specific organizational measures are adopted (e.g., Internet of Things ('IoT'), artificial intelligence ('AI') systems, use of online voice assistants through voice and text scanning, monitoring performed by wearable devices, proximity tracking such as wi-fi tracking), whenever at least one of the other criteria identified in the Article 29 Working Party Guidelines on DPIAs is met;
  • processing involving the exchange of data between different controllers on a large scale and by telematic means;
  • processing of personal data carried out by means of interconnection, combination, or comparison of information, including processing that involves the crossing of consumption data of digital goods with payment data (e.g., mobile payment);
  • processing of special categories of data pursuant to Article 9 of the GDPR or of data relating to criminal convictions and crimes pursuant to Article 10 of the GDPR, when interconnected with other personal data collected for different purposes;
  • systematic processing of biometric data, taking into account, in particular, the volume of data and the duration (i.e., the persistence) of the processing activity; and
  • systematic processing of genetic data, taking into account, in particular, the volume of data and the duration (i.e., the persistence) of the processing activity.

The Garante has not however issued a list of activities that do not require a DPIA ('the Whitelist').

Furthermore, the Garante has not issued any templates or checklists. However, the French data protection authority ('CNIL') has launched a DPIA assessment tool which can be accessed online here or here, or downloaded for Windows here, for Mac OS here, and for Linux here. The Italian language version of the tool has been developed with the collaboration of the Garante.

Please also see the Garante's dedicated page on DPIAs (only available in Italian here) ('the DPIA Webpage'). The Garante specifies in the DPIA Webpage that the processing of biometric data must be understood as the processing of data processed to uniquely identify a natural person. In addition, the expressions 'systematic' and 'not occasional' processing can be traced back to the concept of 'large scale'.

In addition, the Garante has published a video tutorial on risk identification management (only available in Italian here).

Notably, the sanctions provided by Article 83(4) of the GDPR apply where the data controller fails to carry out a DPIA in the context of medical, biomedical, and epidemiological research (Articles 110(1) and 166(1) of the Code).

7.5. Data protection officer appointment

The Garante issued FAQs on the data protection officer ('DPO') (only available in Italian here) ('the DPO FAQs') which provide an illustrative and non-exhaustive list of organizations that may be required to appoint a DPO, including, among others, the following (Point 3 of the DPO FAQs):

  • credit institutions;
  • insurance companies;
  • credit information systems;
  • financial companies;
  • commercial information companies;
  • auditing companies;
  • debt collection companies;
  • trade unions;
  • companies operating in the utilities sector (telecommunications, electricity, or gas distribution);
  • employment services and personnel recruitment companies;
  • companies operating in the healthcare sector;
  • call centre companies; and
  • companies providing IT services.

Furthermore, in relation to organizations which are not required to appoint a DPO, the appointment is recommended in light of the accountability principle. The Garante provides an illustrative and non-exhaustive list of these organizations, which include the following (Point 4 of the DPO FAQs):

  • freelance professionals operating on an individual basis;
  • agents, representatives, and brokers operating on a non-large scale;
  • individual or family businesses; and
  • small and medium-sized enterprises, with reference to the processing of personal data related to the day-to-day management of relations with suppliers and employees.

DPO requirements

Section III of the Regional Administrative Tribunal of Lecce published, on September 13, 2019, its decision No. 1468/2019 on the role of DPOs ('Decision I'). In particular, Decision I states that, whenever the DPO activity is carried out by a legal person, the natural person actually in charge of the activity must 'belong' to the structure of the legal person, as provided by the Article 29 Working Party ('WP29') Guidelines on DPOs, in accordance with the GDPR. Furthermore, Decision I outlines that the natural person must necessarily be a 'member' of the organization.

Furthermore, in relation to the qualifications of the DPO, Section I of the Regional Administrative Tribunal of Friuli Venezia Giulia published, on September 13, 2018, its ruling No. 287 regarding a request for annulment of a decision on the assignment of the role of DPO for a health care division ('Decision II'), following an unsuccessful candidate's complaint. In particular, Decision II held that requiring candidates to hold an ISO/IEC 27001 information security management systems auditor/lead auditor certification in order to participate in the selection process violated Articles 37 and 39 of the GDPR, along with other administrative provisions on the functioning of the public administration, since such certification did not appear relevant to the functions of a DPO.

Information about how to communicate the contact details of the DPO to the Garante can be found on this specific Garante webpage (only available in Italian here). The webpage also includes FAQs for private entities (only available in Italian here) and for public entities (only available in Italian here). Moreover, Article 2-sexiesdecies of the Code requires judicial authorities to appoint a DPO when processing personal data in the exercise of their duties.

The Garante has also adopted an online procedure for notifying DPOs' contact details (only available in Italian here).

7.6. Data breach notification

No variations from the GDPR are provided by Italian data protection laws.

The Garante has recently updated the content of, and the procedure for, personal data breach notifications, introducing a dedicated online notification procedure (only available in Italian here).

7.7. Data retention

Article 99 of the Code provides that processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes may be carried out beyond the period necessary for achieving the purposes for which the data was originally collected or processed.

7.8. Children's data

As indicated in the section on consent, Article 2-quinquies of the Code provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is under the age of 14 years, consent must be given by the person holding parental responsibility.

7.9. Special categories of personal data

Processing of special categories of personal data

Processing necessary for substantial public interest reasons

Article 2-sexies of the Code, addressing the exception set forth by Article 9(2)(g) of the GDPR, provides that the processing of special categories of personal data for reasons of substantial public interest shall be carried out only if it falls within the areas listed in Article 2-sexies(2) of the Code and is provided for by EU or Italian law or regulation. In this regard, the Garante issued a note clarifying how Italian data protection law regulates the processing of special categories of personal data for public interest reasons (see Garante's President's Note on Processing Special Categories of Personal Data for Significant Public Interest Reasons, only available in Italian here).

Processing for archiving in the public interest, scientific or historical research, or statistical purposes

Article 100 of the Code, addressing the exception set forth in Article 9(2)(j) of the GDPR, permits public entities, such as universities and research institutions, to disclose and disseminate personal data to specified recipients in order to support scientific and technological research and strengthen collaboration, in certain circumstances. However, this exception does not apply to the disclosure or dissemination of special categories of personal data or of criminal conviction and offense data.

The Garante's updated general authorization no. 9/2016 on processing personal data for scientific research purposes sets out requirements for universities, research institutes, health professionals, health organizations and other specified persons that process personal data for scientific research purposes (see section on legal bases in other instances).

The Garante also adopted the following ethical rules for processing personal data for archiving in the public interest, scientific or historical research, or statistical purposes (see section on legal bases in other instances):

  • ethical rules for processing for archiving purposes in the public interest or for historical research purposes;
  • ethical rules for the processing for statistical or scientific research purposes carried out within the Italian National Institute of Statistics; and
  • ethical rules for processing for statistical or scientific research purposes.

Processing health data

Article 110 of the Code permits the processing of health data for the purpose of research in the medical, biomedical, and epidemiological fields without the data subject's consent (including where the research is part of a biomedical or health program under Article 12-bis of Legislative Decree no. 502/1992, only available in Italian here). Such processing is permitted if EU or Italian law or regulation authorizes the scientific research and the controller carries out a DPIA which is made publicly available, or if informing the data subjects would involve disproportionate effort or would be likely to render impossible or seriously impair the achievement of the research purposes (subject to the conditions set forth in the Code). Finally, Article 110(2) of the Code provides that where, in such circumstances, a controller receives a rectification or completion request pursuant to Article 16 of the GDPR, it must record the request without modifying the data if the rectified or completed data would not produce significant effects on the outcome of the research.

Processing of genetic, biometric, and health data

Article 2-septies of the Code provides that genetic, biometric, and health data may be processed only if the processing complies with Article 9(2) of the GDPR and specific security measures (such as encryption, pseudonymization, and minimization) are implemented. Such security measures are to be established by the Garante at least every two years. However, the Garante has not adopted new safeguards since the GDPR took effect, but it has:

  • updated the general authorization no. 8/2016 on processing of genetic data (see section on legal bases in other instances); and
  • issued further guidance on the requirements for processing health data (only available in Italian here).

Moreover, the Code prohibits the dissemination of genetic, biometric, and health data, while permitting the processing of biometric data for the procedures governing physical and logical access to data by authorized persons, provided that all security requirements pursuant to the Code and Article 32 of the GDPR are met.

Lastly, the Garante adopted on November 12, 2014, the General Application Order Concerning Biometrics. Although the order was issued before the entry into force of the GDPR, it may still provide useful guidance on the processing of biometric data.

Garante's general authorizations

The Garante identified the provisions that are compatible with the GDPR and with the Decree and updated the general authorizations (see section on legal bases in other instances) regarding:

  • the processing of special categories of personal data in the employment context;
  • the processing of special categories of personal data by associations and foundations;
  • the processing of special categories of personal data by private investigators; and
  • the processing of genetic data.

Processing of criminal conviction and offense data

Article 2-octies of the Code provides that the processing of personal data relating to criminal convictions or offenses may be carried out if an Italian law or regulation authorizes the processing and provides appropriate measures to safeguard data subjects' rights and freedoms. Where such provisions are not enacted, requirements for the lawful processing of judicial data shall be determined through a decree of the Ministry of Justice.

In this regard, the Garante also published ethical rules on the processing of personal data for the purpose of defensive investigations or of asserting or defending a right in judicial proceedings (see section on legal bases in other instances).

7.10. Controller and processor contracts

No variations from the GDPR are provided by Italian data protection laws.

8. Data Subject Rights

Restrictions to data subject rights

Article 2-undecies of the Code provides for limitations to the rights of data subjects, established in compliance with Article 23 of the GDPR. By way of example, the rights referred to in Articles 15 to 22 of the GDPR may not be exercised if their exercise would prejudice:

  • interests protected by laws on money laundering; or
  • interests protected under laws regarding the support for victims of extortion.

Furthermore, Legislative Decree no. 24 of 10 March 2023 (only available in Italian here) ('the Whistleblowing Decree'), implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, has introduced a new restriction to data subjects' rights. In particular, Article 13(3) of the Whistleblowing Decree amended letter (f) of Article 2-undecies of the Code, which now provides that the rights under Articles 15 to 22 of the GDPR may not be exercised, whether by a request to the data controller or by a complaint pursuant to Article 77 of the GDPR, where their exercise may result in actual and concrete prejudice to the confidentiality of the identity of a person who reports breaches of which they have become aware by reason of their employment relationship or duties.

8.1. Right to be informed

Legislative Decree no. 104 of 27 June 2022 (only available in Italian here) ('the Transparency Decree'), implementing Directive (EU) 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union, has introduced an obligation for employers to provide their employees with meaningful information about the employment relationship. In particular, pursuant to Article 1-bis introduced by the Transparency Decree, the employer shall provide information on any automated decision-making or monitoring systems:

  • used to carry out an automated decision-making process capable of affecting the employment relationship; or
  • affecting the monitoring, assessment, performance, and fulfillment of contractual obligations of employees.

8.2. Right to access

Pursuant to Article 59 of the Code, the disclosure of official documents is governed by the following laws:

  • Law no. 241/1990 (Law on Administrative Proceedings) (only available in Italian here); and
  • Legislative Decree no. 33/2013 (reorganization of Laws and Regulations Concerning the Duties of Publicity, Transparency, and Dissemination of Information by Public Entities) (only available in Italian here).

Moreover, Article 60 of the Code permits the processing of genetic data, health data, or data concerning a data subject's sex life or sexual orientation in the context of a request for access to administrative documents only if the legally relevant interest to be protected by the access request is at least of equal rank to the rights of the data subject, or consists of a personality right or another fundamental right or freedom.

8.3. Right to rectification

See the introductory paragraph of the section on data subject rights above.

8.4. Right to erasure

See the introductory paragraph of the section on data subject rights above.

8.5. Right to object/opt-out

See the introductory paragraph of the section on data subject rights above.

8.6. Right to data portability

See the introductory paragraph of the section on data subject rights above.

8.7. Right not to be subject to automated decision-making

See the introductory paragraph of the section on data subject rights above.

8.8. Other rights

No variations from the GDPR are provided by Italian data protection laws.

9. Penalties

With regard to sanctions, the Italian legislator has substantially modified the previous legislative framework on the basis of the so-called opening clause of the GDPR, which allows Member States to provide for criminal sanctions for certain violations of data protection legislation. Such sanctions have been added to the administrative sanctions already provided for under the GDPR, and certain criminal offenses under the previous version of the Code have been amended. In this respect, the main purpose is to avoid any possible violation of the ne bis in idem principle, according to which no one shall be prosecuted twice for the same conduct.

Administrative sanctions

Article 166 of the Code refers to the following administrative sanctions established by the GDPR, specifically:

  • Article 83(4) of the GDPR for violations of specific provisions of the Code, e.g.:
    • Article 2-quinquies(2) on children's consent for information society services, namely in cases where the information notice does not meet the relevant requirements;
    • Article 123(4) on traffic data, namely in cases where the information notice given by providers of a public communication network or publicly available electronic communications service does not comply with the relevant GDPR provisions; and
    • Article 110(1), namely in cases of failing to carry out the DPIA in the context of medical, biomedical, and epidemiological research; and
  • Article 83(5) of the GDPR, imposing administrative fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations of the Code, e.g.:
    • Article 2-ter on the legal basis for personal data processing pursuant to a public interest;
    • Article 2-quinquies(1) on children's consent for information society services, where the child's consent is not properly collected;
    • Article 2-septies(8) on safeguards for the processing of biometric, genetic, and health-related data; or
    • Article 2-octies on the processing of judicial data.

Criminal offences

New crimes introduced by the Decree are:

  • unlawful communication and dissemination of personal data where large-scale processing takes place with the aim of making profit or causing damage in violation of specific provisions of the Code (Article 167-bis of the Code), for which the sanction is imprisonment from one to six years (but it may be lowered in case administrative sanctions also apply); and
  • fraudulent acquisition of personal data where large-scale processing takes place intending to make a profit or cause damage (Article 167-ter of the Code), which is sanctioned with imprisonment from one to four years.

The Italian legislator has also made a few changes to the existing criminal offenses, specifically:

  • false statements made to the Garante and intentional obstruction of the Garante's exercise of its powers, for example the conduct of proceedings or investigations (Article 168 of the Code);
  • non-compliance with the Garante's decisions (Article 170 of the Code); and
  • violation of provisions on employees' remote monitoring and the prohibition of opinion surveys, referring to the sanctions established by the Workers' Statute, Law no. 300/1970 (only available in Italian here).

9.1 Enforcement decisions

The Garante adopted several decisions and opinions on various topics over the past few years. Some of the most relevant topics are summarized below:

  • On July 18, 2023, the Garante issued a fine of €100,000 to a telecommunications company for failure to comply with the principles of fairness and transparency (Article 5(1)(a), Article 12(1), and Article 13(2)(a) of the GDPR), noting in particular the lack of indication of retention periods for marketing and profiling purposes. The same principles were also found to have been infringed in relation to the call-back service, as customers were not able to adequately understand which promotional initiatives they were consenting to (only available in Italian here).
  • On June 8, 2023, the Garante fined a major clothing manufacturing company €300,000 for unlawfully processing customers' personal data in marketing and profiling activities, through the use of loyalty cards (only available in Italian here).
  • On March 30, 2023, the Garante ordered the provisional restriction of the processing of personal data of data subjects residing in Italy against a large company that develops AI systems. The Garante found, in particular, that no adequate information notice was provided to users, and that the legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying the operations of the AI model (initially identified in the contractual legal basis) was not appropriate; furthermore, there was no verification of the age of users using the AI platform, despite the fact that the company had stated that the use of its AI systems was restricted to users over the age of 13 (the decision is only available in Italian here). This decision was followed by a further one published on April 11, 2023 (available in English here), suspending the provisional restriction.
  • On January 11, 2023, the Garante issued an opinion on a draft legislative decree implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law ('the Whistleblowing Directive'). The Garante stated that the adaptation of the text meets the renewed need to guarantee the right to the protection of personal data of those affected by the application of the rules (only available in Italian here).
  • On December 1, 2022, the Garante imposed a fine of €100,000 on a regional public body for multiple violations of data protection rules related to the processing of metadata from the email accounts of its employees. It ruled that the generalized collection and storage of email metadata, which constitutes a form of correspondence protected by the Italian Constitution, is not instrumental to the performance of employees' duties, and therefore found that the Region had processed personal data without an appropriate legal basis and in violation of sectoral rules on remote control of employees and data collection (only available in Italian here).
  • On July 7, 2022, the Garante warned a social media platform that legitimate interest cannot be used as a legal basis for providing users over the age of 18 with personalized advertising and/or tracking their behavior within the platform (only available in Italian here). In its decision, the Garante underlined that according to Article 5(3) of Directive 2002/58/EC and Article 122 of the Code, 'the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent'.
  • On June 9, 2022, the Garante declared the data transfer carried out through the use of a data analytics tool unlawful. In its decision (only available in Italian here), the Garante highlighted that the transfer of personal data to a company based in the US, without implementing appropriate safeguards as required by Chapter V of the GDPR, should no longer take place. Among others, the Garante stressed that the adequacy of the measures adopted for data transfers cannot be assessed based on subjective criteria, and the data controller shall always implement appropriate and effective safeguards to protect the rights and freedoms of data subjects and to be able to demonstrate compliance with the GDPR.
  • On February 10, 2022, the Garante sanctioned the provider of a facial recognition app used by law enforcement agencies for unlawful processing of biometric and geolocation data. In its decision (only available in Italian here), the Garante noted that the legitimate interest invoked by the company did not qualify as a valid legal basis. In addition, the Garante found that several principles of the GDPR had been violated (including the principles of transparency, purpose limitation, and storage limitation) and that the company had failed to appoint a representative in the EU pursuant to Article 27 of the GDPR.
  • On July 22, 2021, the Garante sanctioned a food delivery company €2.5 million for unlawful processing of riders' personal data also through the use of algorithms. In its decision (only available in Italian here), the Garante noted, among other things, that the company had not adequately informed the riders of the existence of automated decision-making and had not guaranteed procedures to protect the right to obtain human intervention, express one's opinion, and object to the decisions made through the use of the algorithm.
  • On November 12, 2020, the Garante sanctioned a major telecommunications company €12.2 million for having unlawfully processed the personal data of millions of users for telemarketing purposes. In its decision (only available in Italian here), the Garante found violations with respect to consent requirements and key principles for data processing such as accountability and Data Protection by Design as set forth in the GDPR.
  • On December 11, 2019, the Garante sanctioned a major energy company €8.5 million for unlawful processing of personal data for marketing purposes in the context of unsolicited telemarketing practices. Among other things, the Garante highlighted in its decision (only available in Italian here) that telemarketing calls were made without the consent or despite the data subject's objection to receiving promotional calls and the data controller acquired the personal data of potential customers from providers that had not collected valid consent.
  • On April 4, 2019, the Garante sanctioned an Italian political association with a fine of €50,000 for the violation of Articles 32 and 83(4)(a) of the GDPR. In its decision (only available in Italian here), the Garante declared that the sharing of login credentials among several data subjects for the management of the same online platform violates the obligation for data controllers to adopt adequate technical and organizational measures.
  • In order to enable compliance with national vaccine obligations, in accordance with the tight schedule envisaged in the law, on September 1, 2017, the Garante issued a decision to authorize schools to directly communicate children's non-sensitive personal data to public and private health authorities.
  • On March 10, 2017, as part of an investigation carried out by the Rome Public Prosecutor's Office, the Garante imposed fines for a total amount of over €11 million on five money transfer companies that had processed personal data of over one thousand individuals unlawfully and without their knowledge (the money transfer case) (only available in Italian here).

On several occasions, the Garante has been requested to provide indications and clarifications on the application of the GDPR, with particular reference to the DPIAs to be carried out in the health sector and on the procedures to be followed in the case of requests of exercise of rights by data subjects concerning health data.

With regard to the data protection roles (controller, processor) of the parties involved in processing activities, the Garante has issued many decisions. By way of example, the Garante fined an advertising company and a hospital for a total of €280,000.
