Support Centre



Law: Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Code') and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Italian data protection authority ('Garante')

Summary: Italy implemented the GDPR by amending the Code and repealing those sections of the Code which directly conflicted with the GDPR. Supervision over the Code is conducted by the Garante, which, among other things, acts upon data subjects' complaints, provides specific data protection measures for data controllers and processors, and adopts guidelines to assist organisations' compliance with the GDPR. The most recent enforcement actions of the Garante resulted in the imposition of fines in the millions of Euros and focused on concerns including unsolicited telemarketing calls, transparency and consent obligations, the implementation of the principle of Privacy by Design within data breach management systems, and data retention standards. The Garante has also issued specific guidance in key compliance areas such as the processing of special categories of personal data in the employment context, the processing of genetic data, and the processing of personal data carried out for scientific research purposes.


The Whistleblowing Directive is aimed at ensuring a higher degree of protection to individuals who report a violation of EU law and policies, introducing measures and requirements which foster the creation of a safe space for the reporters. The Whistleblowing Directive has been implemented in Italy through Legislative Decree No. 24 of March 10, 2023 (the Decree).

Francesca Gaudino, Partner at Baker McKenzie LLP, discusses key considerations of the Decree regarding whistleblowing systems and reports from a data protection perspective.

The code of conduct for telemarketing and teleselling activities (the Code) was formally adopted by the Italian data protection authority (Garante) with a decision issued on March 9, 2023 (only available in Italian here). It will be fully operational when a monitoring body set up pursuant to the Code will start its activities. It is, however, not yet clear whether before or after the summer of 2023.

Gianluigi Marino, Partner at Osborne Clarke, summarizes the key provisions of the Code.

Any provider negotiating the provision of tech-related services with an Italian data controller has, at some point, to deal with the decision of the Italian data protection authority ('Garante') on the 'Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator'1, as issued on 27 November 2008 ('the Decision').

Giulia Mariuz, Counsel at Hogan Lovells, summarises the obligations arising from the Decision, sheds light on its interpretation under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and provides practical indications for companies that must deal with it in their day-to-day activities.

Italy was among the first EU countries hit by the COVID-19 pandemic in February 2020. The impact of the pandemic led to a drop in gross domestic product close to 9%, compared to an average drop of 6% in the rest of the EU. The health crisis hit a country that was already facing significant challenges, from low investment rates to limited prospects for public administrations and small- and medium-sized enterprises ('SMEs') to seize the opportunities offered by the digital world.

In this Insight article, Giangiacomo Olivi, Partner at Dentons Group B.V., discusses the National Plan of Recovery and Resilience1 ('PNRR'), particularly focusing on the resulting data protection and privacy implications.

Following the establishment of the Italian National Cybersecurity Perimeter ('the Cybersecurity Perimeter') pursuant to Law Decree No. 105 of 21 September 2019 as amended by Law No. 133 of 18 November 2019 ('the Decree'), the Italian legislative framework on cybersecurity has been recently updated with a view to strengthening the defence mechanisms against cyber attacks. Gianluigi Marino and Antonio Racano, from Osborne Clarke, discuss the new notification obligations.

In order to transpose into the national legal system the provisions of Directive (EU) No. 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union ('the Directive'), the Italian Government recently adopted Legislative Decree No. 104 of 27 June 2022 ('the Transparency Decree'). Rocco Panetta and Marta Fraioli, from PANETTA Law Firm, provide an overview of the controversial aspects of the Transparency Decree from a data protection and privacy perspective, particularly regarding its impact on HR departments' daily activities, as well as on the potential overlays with applicable data protection obligations.

The guidelines on cookies and other similar tracking tools1 ('the Guidelines') of the Italian data protection authority ('Garante') established a period of six-months from their publication in the Official Gazette, on 9 July 2021, for entities to align their operations with its instructions. This means that, as of 9 January 2022, the deadline for compliance has expired.

Having analysed the Guidelines in detail in two previous Insight articles, Italy: Garante's finalised guidelines on cookies and similar tracking technologies - key takeaways2 and Italy: Key points from Garante's updated cookie guidance3, in this Insight OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

Companies subject to the Italian data protection authority's ('Garante') jurisdiction are required to bring their operations into line with the Guidelines on the use of cookies and other tracking tools1 ('the Guidelines') by no later than six months from their publication date in the Official Journal of the Italian Republic. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses the key points found in the Guidelines.

Whilst waiting for the expected Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation'), on 10 June 2021, the Italian data protection authority ('Garante') issued a new set of Guidelines on the use of cookies and other tracking tools ('the Guidelines'). Massimiliano Pappalardo, Partner at Ughi e Nunziante – Studio Legale, discusses the provisions of the Guidelines.

The Italian data protection authority ('Garante') announced, on 10 July 2021, that it had published, after a period of public consultation, its finalised guidelines on cookies and other similar tracking technologies1 ('the Guidelines'), as well as a summary sheet2 of the same. In particular, the Guidelines aim to illustrate the legislation applicable to the storing of information, or the gaining of access to information already stored, in the terminal equipment of users, as well as to specify the lawful means to provide the cookie policy and collect online consent of data subjects, where necessary, in light of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').