Law: Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') ('the Code') and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Italian data protection authority ('Garante')

Summary: Italy implemented the GDPR by amending the Code and repealing those sections of the Code which directly conflicted with the GDPR. Supervision over the Code is conducted by the Garante, which, among other things, acts upon data subjects' complaints, provides specific data protection measures for data controllers and processors, and adopts guidelines to assist organisations' compliance with the GDPR. The most recent enforcement actions of the Garante resulted in the imposition of fines in the millions of Euros and focused on concerns including unsolicited telemarketing calls, transparency and consent obligations, the implementation of the principle of Privacy by Design within data breach management systems, and data retention standards. The Garante has also issued specific guidance in key compliance areas such as the processing of special categories of personal data in the employment context, the processing of genetic data, and the processing of personal data carried out for scientific research purposes.


At long last, on March 15, 2023, the Legislative Decree No. 24 of March 10, 2023 (the Decree), transposing the Whistleblowing Directive, was published in the Official Journal of the Italian Republic (only available in Italian here).

The Decree replaced Law No. 179 of November 30, 2017 (the Whistleblowing Law) and includes important changes, requiring companies to create new reporting channels or update existing ones in compliance with the new provisions.

Ilaria Curti, Laura Liguori, Gaia Accetta, and Livia Petrucci, from Portolano Cavallo Studio Legale, discuss the Decree's key features and analyze its interplay with Legislative Decree No. 231 of June 8, 2001 (Decree 231).

The Whistleblowing Directive is aimed at ensuring a higher degree of protection to individuals who report a violation of EU law and policies, introducing measures and requirements which foster the creation of a safe space for the reporters. The Whistleblowing Directive has been implemented in Italy through Legislative Decree No. 24 of March 10, 2023 (the Decree).

Francesca Gaudino, Partner at Baker McKenzie LLP, discusses key considerations of the Decree regarding whistleblowing systems and reports from a data protection perspective.

The code of conduct for telemarketing and teleselling activities (the Code) was formally adopted by the Italian data protection authority (Garante) with a decision issued on March 9, 2023 (only available in Italian here). It will be fully operational once a monitoring body set up pursuant to the Code starts its activities; it is, however, not yet clear whether this will happen before or after the summer of 2023.

Gianluigi Marino, Partner at Osborne Clarke, summarizes the key provisions of the Code.

Any provider negotiating the provision of tech-related services with an Italian data controller has, at some point, to deal with the decision of the Italian data protection authority ('Garante') on the 'Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator', as issued on 27 November 2008 ('the Decision').

Giulia Mariuz, Counsel at Hogan Lovells, summarises the obligations arising from the Decision, sheds light on its interpretation under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and provides practical indications for companies that must deal with it in their day-to-day activities.

Since 2022, the Government of Italy ('the Government') has been working on the establishment of a new eHealth database named 'Health Data Ecosystem' ('Ecosistema Dati Sanitari' or 'EDS'), as well as on strengthening the existing database named 'Electronic Health Record' ('Fascicolo Sanitario Elettronico' or 'FSE'). Cristina Criscuoli, Lawyer at DLA Piper, explores key considerations to keep in mind from a privacy and data protection perspective, in relation to the establishment and implementation of centralised eHealth databases.

Italy was among the first EU countries hit by the COVID-19 pandemic in February 2020. The impact of the pandemic led to a drop in gross domestic product close to 9%, compared to an average drop of 6% in the rest of the EU. The health crisis hit a country that was already facing significant challenges, from low investment rates to limited prospects for public administrations and small- and medium-sized enterprises ('SMEs') to seize the opportunities offered by the digital world.

In this Insight article, Giangiacomo Olivi, Partner at Dentons Group B.V., discusses the National Plan of Recovery and Resilience ('PNRR'), particularly focusing on the resulting data protection and privacy implications.

Following the establishment of the Italian National Cybersecurity Perimeter ('the Cybersecurity Perimeter') pursuant to Law Decree No. 105 of 21 September 2019 as amended by Law No. 133 of 18 November 2019 ('the Decree'), the Italian legislative framework on cybersecurity has been recently updated with a view to strengthening the defence mechanisms against cyber attacks. Gianluigi Marino and Antonio Racano, from Osborne Clarke, discuss the new notification obligations.

In order to transpose into the national legal system the provisions of Directive (EU) No. 2019/1152 of the European Parliament and of the Council of 20 June 2019 on transparent and predictable working conditions in the European Union ('the Directive'), the Italian Government recently adopted Legislative Decree No. 104 of 27 June 2022 ('the Transparency Decree'). Rocco Panetta and Marta Fraioli, from PANETTA Law Firm, provide an overview of the controversial aspects of the Transparency Decree from a data protection and privacy perspective, particularly regarding its impact on HR departments' daily activities, as well as its potential overlaps with applicable data protection obligations.

On 8 October 2021, some major novelties were proposed to the Italian legal system by means of Law Decree No. 139/2021 ('the Decree'), which addresses access to cultural, sporting, and recreational activities in light of COVID-19 restrictions. Notwithstanding the aforementioned focus of the Decree, it also seeks to simplify the provisions governing the processing of personal data by public authorities in light of COVID-19, given the 'extraordinary urgency and necessity' of the matter. Rocco Panetta, Managing Partner at PANETTA Law Firm, discusses the impact of the Decree in this article.

The guidelines on cookies and other similar tracking tools ('the Guidelines') of the Italian data protection authority ('Garante') established a period of six months from their publication in the Official Gazette, on 9 July 2021, for entities to align their operations with their instructions. This means that, as of 9 January 2022, the deadline for compliance has expired.

Having analysed the Guidelines in detail in two previous Insight articles, Italy: Garante's finalised guidelines on cookies and similar tracking technologies - key takeaways and Italy: Key points from Garante's updated cookie guidance, in this Insight OneTrust DataGuidance provides an overview of some frequently asked questions ('FAQs') and answers.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.