Italy - Data Protection Overview

November 2021

INTRODUCTION

Italy implemented the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by amending the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code') and repealing the sections of the Code that directly conflicted with the GDPR. The Code is supervised by the Italian data protection authority ('Garante'), which, among other things, acts on data subjects' complaints, prescribes specific data protection measures for controllers and processors, and adopts guidelines to assist organisations in complying with the GDPR.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

Legislative Decree No. 101 of 10 August 2018, Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (only available in Italian) ('the Decree') amended the former Code in order to implement the GDPR. The Decree, published in the Italian Official Gazette on 4 September 2018 and in force since 19 September 2018, repealed those sections of the Code that derived from the implementation of the previous Data Protection Directive (Directive 95/46/EC) and directly conflicted with the GDPR, and introduced new provisions giving effect to a number of rules introduced by the GDPR.

1.2. Guidelines

The Garante published a general guide on the application of the GDPR (only available in Italian), which endorses all of the guidelines and opinions issued by the Article 29 Working Party.

The Garante also published a set of FAQs on various topics related to the application of the GDPR (only available in Italian).

1.3. Case law

With regard to the right to be forgotten, the Italian Court of Cassation (Civil Section) ('the Court of Cassation'), in Judgment No. 9147 of 19 May 2020 (only available in Italian), clarified that a person's right to privacy and reputation must be balanced against the public interest in being informed of relevant facts (i.e. freedom of information). The case concerned a complaint about information on past events that remained retrievable on the web by searching the person's name and surname. The Court of Cassation held that the right to privacy and reputation is adequately satisfied by de-indexing the information from search results.

Moreover, the Court of Cassation, in Judgment No. 26778 of 26 June 2019 (only available in Italian), found an infringement of the principle of data minimisation (Article 5(1)(c) of the GDPR) where, in order to open a bank account, the customer was required to consent to the processing of special categories of personal data that were not necessary for the performance of the contract. As a result, the relevant contractual clause was held null and void as contrary to mandatory rules, pursuant to Article 1418 of the Italian Civil Code (only available in Italian).

Furthermore, the Court of Cassation, in Judgment No. 14381 of 24 March 2021, ruled that data subjects cannot be considered to have given free, specific, and informed consent when the logic behind the algorithm and the elements of which it is composed remain unknown to them. In other words, algorithmic transparency is a precondition for informed and valid consent to the processing.

Finally, the Court of Cassation, in Judgment No. 11019 of 26 April 2021, ruled that a telephone call made to obtain consent for marketing purposes from a data subject who had previously refused it is itself a new commercial communication, since asking customers for marketing consent is a processing of personal data for marketing purposes.

2. SCOPE OF APPLICATION

2.1. Personal scope

There are no variations to the GDPR provided by Italian data protection laws.

2.2. Territorial scope

There are no variations to the GDPR provided by Italian data protection laws.

2.3. Material scope

There are no variations to the GDPR provided by Italian data protection laws.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

The main regulator for data protection is the Garante, which is headquartered in Rome.

3.2. Main powers, duties and responsibilities

The Garante's main functions are:

  • to supervise data processing activities to ensure the respect of data protection rules;
  • to take action upon complaints lodged by data subjects;
  • to lay down ethical rules for personal data processing carried out both by public and private bodies in the employment context;
  • to report crimes that can be prosecuted ex officio and detected in the exercise of its powers and functions;
  • to mandate specific measures to data controllers and processors to correctly process personal data;
  • to prohibit or block data processing activities that may constitute a risk for data subjects;
  • to adopt resolutions and draft opinions;
  • to recommend to the Italian Government and Parliament the adoption of specific legislative or regulatory measures;
  • to raise awareness among citizens about data protection and involve them in public consultations in relation to the drafting of general resolutions;
  • to control or assist in matters of data protection provided by national ratification laws, by international conventions, or by acts of the EU;
  • to cooperate with the other Italian independent administrative authorities assisting them in the performance of their duties; and
  • to adopt guidelines related to organisational and technical measures implementing the GDPR principles.

Furthermore, the Garante, duly represented by the State Advocacy, is also entitled to take legal action against any data controller or data processor that violates provisions concerning the protection of personal data.

According to Article 167(5) of the Code, the Garante is entitled to transmit documentation collected in the course of its investigations to the judicial authorities where those investigations reveal elements suggesting that a crime has been committed.

Furthermore, the Garante has been granted the power to introduce simplified procedures and means for small and medium-sized enterprises to comply with the controller's obligations under the GDPR.

Finally, pursuant to Article 144-bis of the Code, individuals of the age of 14 and above who have a well-founded reason to believe that explicit images or videos concerning them may be disseminated without their consent, may submit a report or complaint to the Garante. Within 48 hours of receipt of the request, the Garante is required to proceed in accordance with Article 58 of the GDPR and Articles 143 and 144 of the Code, initiating the appropriate investigations.

4. KEY DEFINITIONS

Data controller: There are no variations to the GDPR provided by Italian data protection laws.

Data processor: There are no variations to the GDPR provided by Italian data protection laws.

Personal data: There are no variations to the GDPR provided by Italian data protection laws.

Sensitive data: There are no variations to the GDPR provided by Italian data protection laws.

Health data: There are no variations to the GDPR provided by Italian data protection laws.

Biometric data: There are no variations to the GDPR provided by Italian data protection laws.

Pseudonymisation: There are no variations to the GDPR provided by Italian data protection laws.

5. LEGAL BASES

5.1. Consent

Children consent

Article 2-quinquies of the Code provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is below the age of 14 years, such consent must be provided by the holder of parental responsibility (see also section 7.9).

Special categories of personal data

Article 107 of the Code provides that the consent to the processing of special categories of personal data (when used as a legal basis) may also be given in accordance with simplified arrangements approved by the Garante.

Article 110 of the Code provides that the data subject's consent shall not be required for the processing of personal data relating to health for scientific research purposes in the medical, bio-medical, or epidemiological sectors (see section 7.9).

5.2. Contract with the data subject

There are no variations to the GDPR provided by Italian data protection laws.

5.3. Legal obligations

Article 2-ter of the Code provides that processing based on a 'legal obligation' pursuant to Article 6(3)(b) of the GDPR is permitted only where it is required by a law or, where a law so provides, by a regulation.

5.4. Interests of the data subject

There are no variations to the GDPR provided by Italian data protection laws.

5.5. Public interest

Article 2-ter of the Code provides that personal data may be communicated between controllers for the performance of a task carried out in the public interest or in the exercise of official authority only if either:

  • this is provided for by a law or, where a law so provides, by a regulation; or
  • this is necessary to carry out tasks in the public interest or to fulfil institutional duties and the Garante has been previously informed.

Furthermore, pursuant to Article 2-ter(1-bis) of the Code, introduced by Article 9 of Decree Law No. 139 of 8 October 2021, Urgent Provisions for Access to Cultural, Sporting and Recreational Activities, as well as for the Organisation of Public Administrations and for the Protection of Personal Data (only available in Italian), public administrations, independent authorities, and state-controlled companies are always permitted to process personal data where this is necessary for the performance of a task carried out in the public interest or for the exercise of public powers vested in them.

Where the purpose of the processing is provided neither by a law nor a regulation, the purpose of the processing is indicated by the same administration/the state-controlled company in line with the task performed or the powers exercised. Such authorities shall provide:

  • the identity of the data controller and the purposes of the processing; and 
  • any other information necessary to ensure correct and transparent processing with regard to the data subjects and their rights to obtain confirmation and communication of the processing of their personal data.

Moreover, pursuant to Article 2-quinquiesdecies of the Code, the Garante may lay down measures and arrangements to protect data subjects in case the processing carried out for the performance of a task in the public interest may entail a high risk.

5.6. Legitimate interests of the data controller

There are no variations to the GDPR provided by Italian data protection laws.

5.7. Legal bases in other instances

The Garante has the power to adopt general authorisations and ethical rules and to approve codes of conduct (described below), which set out further specifications on the conditions of lawfulness of certain processing activities.

The Garante's general authorisations

The general authorisations issued by the Garante set out the conditions for certain processing activities by indicating the permitted purposes and modalities of the processing. Pursuant to Article 21(1) of the Decree, the Garante, by means of Resolution No. 497 of 13 December 2018 (only available in Italian) and Resolution No. 146 of 5 June 2019 (only available in Italian), identified and updated the general authorisations that are compatible with the GDPR and with the Decree. The general authorisations currently in effect are those regarding:

  • the processing of special categories of personal data in the employment context (former General Authorisation No. 1/2016) (only available in Italian);
  • the processing of special categories of personal data by associations and foundations (former General Authorisation No. 3/2016) (only available in Italian);
  • the processing of special categories of personal data by private investigators (former General Authorisation No. 6/2016) (only available in Italian);
  • the processing of genetic data (former General Authorisation No. 8/2016) (only available in Italian); and
  • the processing of personal data for scientific research purposes (former General Authorisation No. 9/2016) (only available in Italian).

The previous general authorisations, considered incompatible, are no longer effective.

Ethical rules and codes of conduct

After the entry into force of the GDPR, the Garante amended the previously issued codes of ethics (renamed 'ethical rules') in order to align them with the new European provisions, and adopted new versions of the codes of conduct. Pursuant to Article 2-quater of the Code, ethical rules are issued directly by the Garante, and compliance with them is an essential condition for the lawfulness and fairness of the processing of personal data to which they relate. Any failure to comply with such provisions may therefore lead to the application of the sanctions set out in Article 83(5) of the GDPR.

Codes of conduct, on the other hand, are drafted by associations or other entities representing the categories of data controllers or processors and are subject to the Garante's approval. Adherence to such codes of conduct is not compulsory.

The ethical rules and codes of conduct currently in force are the following:

  • ethical rules for the processing of personal data in journalistic activity (only available in Italian);
  • ethical rules for the processing of personal data for defensive investigations or to assert or defend a right in judicial proceedings (only available in Italian);
  • ethical rules for processing for archiving purposes in the public interest or for historical research purposes (only available in Italian);
  • ethical rules for processing for statistical or scientific research purposes carried out within the National Statistical System (only available in Italian);
  • ethical rules for processing for statistical or scientific research purposes (only available in Italian);
  • code of conduct for the processing of personal data for business information purposes (only available in Italian);
  • code of conduct for information systems managed by private entities on consumer credit, reliability, and punctuality of payments (only available in Italian); and
  • code of conduct for the processing of personal data for commercial information purposes, drawn up by the National Association of Commercial Information and Credit Management Companies (only available in Italian).

6. PRINCIPLES

There are no variations to the GDPR provided by Italian data protection laws.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

According to Article 110-bis of the Code, the Garante can authorise the processing of personal data, including of special categories of personal data listed under Article 9 GDPR, carried out by third parties for scientific and statistical purposes, when it is impossible for them to inform the data subject or when such notification implies a disproportionate effort or if it may hinder significantly the purposes of the research. In such cases, it is necessary to adopt appropriate measures for the protection of rights, freedoms, and legitimate interests of the data subjects.

7.2. Data transfers

There are no variations to the GDPR provided by Italian data protection laws.

7.3. Data processing records

There are no variations to the GDPR provided by Italian data protection laws.

7.4. Data protection impact assessment

Pursuant to Article 35 GDPR, on 11 October 2018 the Garante issued Resolution No. 467 (only available in Italian), which provides a non-exhaustive list of processing operations subject to a Data Protection Impact Assessment ('DPIA').

7.5. Data protection officer appointment

All the information on how to notify the data protection officer's ('DPO') contact details to the Garante can be found in the Garante's frequently asked questions on the subject (only available in Italian). Moreover, Article 2-sexiesdecies of the Code requires judicial authorities to appoint a DPO when processing personal data in the exercise of their duties.

The Garante has also adopted an online procedure for DPO notification (only available in Italian).

7.6. Data breach notification

There are no variations to the GDPR provided by Italian data protection laws.

In addition, on 30 July 2019 the Garante adopted a new form to be used for data breach notifications (only available in Italian).

7.7. Data retention

Article 99 of the Code provides that personal data may be processed for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes even beyond the period necessary for achieving the purposes for which the data were originally collected or processed.

7.8. Children's data

As indicated in section 5.1, Article 2-quinquies of the Code provides that children who have reached the age of 14 years can validly express their consent to data processing in relation to the offer of information society services. Where the child is below the age of 14 years, consent must be given by the holder of parental responsibility.

7.9. Special categories of personal data

Processing of special categories of personal data

Processing necessary for substantial public interest reasons

Article 2-sexies of the Code, which addresses the exception set out in Article 9(1)(g) GDPR, provides that special categories of personal data may be processed for reasons of substantial public interest only if the processing falls within one of the areas listed in Article 2-sexies(2) of the Code and is provided for by EU or Italian law or, where a law so provides, by a regulation. In this regard, the Garante issued a note clarifying how Italian data protection law regulates the processing of special categories of personal data for public interest reasons (see the Garante's President's Note on Processing Special Categories of Personal Data for Significant Public Interest Reasons, only available in Italian).

Processing for archiving in the public interest, scientific or historical research, or statistical purposes

Article 100 of the Code, which addresses the exception set out in Article 9(1)(j) GDPR, permits public entities such as universities and research institutions, in certain circumstances, to disclose and disseminate personal data to specified recipients in order to support scientific and technological research and strengthen collaboration. This exception does not, however, extend to the disclosure or dissemination of special categories of personal data or of criminal conviction and offence data.

The Garante's updated General Authorisation No. 9/2016 on processing personal data for scientific research purposes sets out requirements for universities, research institutes, health professionals, health organisations, and other specified persons that process personal data for scientific research purposes (see section 5.7).

The Garante also adopted the following ethical rules for processing personal data for archiving in the public interest, scientific or historical research, or statistical purposes (see section 5.7):

  • ethical rules for processing for archiving purposes in the public interest or for historical research purposes;
  • ethical rules for the processing for statistical or scientific research purposes carried out within the National Statistical System; and
  • ethical rules for processing for statistical or scientific research purposes.

Processing health data

Article 110 of the Code permits the processing of health data in the medical, biomedical, and epidemiological fields without the data subject's consent for archiving in the public interest, scientific or historical research (including where the research is part of a biomedical or health programme under Article 12-bis of Legislative Decree No. 502/1992, only available in Italian), and statistical purposes. Such processing is permitted either where EU or Italian law or, where a law so provides, a regulation authorises the scientific research and the controller carries out a DPIA that is made publicly available, or where informing the data subjects would involve a disproportionate effort or would be likely to render impossible or seriously impair the achievement of the research purposes (under the conditions set out in the Code). Finally, Article 110(2) of the Code provides that a controller processing personal data in these circumstances that receives a rectification or completion request pursuant to Article 16 GDPR must record the request without modifying the data if the rectified or completed data would not produce significant effects on the outcome of the research.

Processing of genetic, biometric, and health data

Article 2-septies of the Code provides that genetic, biometric, and health data may be processed only if the processing complies with Article 9(2) GDPR and specific security measures (such as encryption, pseudonymisation, and minimisation) are implemented. Such security measures are to be established by the Garante at least every two years. The Garante has not yet adopted these measures since the GDPR took effect; it has, however:

  • updated the General Authorisation No. 8/2016 on processing of genetic data (see section 5.7); and
  • issued further guidance on the requirements for processing health data (only available in Italian).

Moreover, the Code prohibits the dissemination of genetic, biometric, and health data, but permits the processing of biometric data for the physical and logical access controls applied to authorised persons, provided that all of the processing security requirements under the Code and Article 32 GDPR are met.

Garante's General Authorisations

The Garante updated the general authorisations (see section 5.7) regarding:

  • the processing of special categories of personal data in the employment context;
  • the processing of special categories of personal data by associations and foundations;
  • the processing of special categories of personal data by private investigators; and
  • the processing of genetic data.

Processing of criminal conviction and offence data

Article 2-octies of the Code provides that the processing of personal data relating to criminal convictions or offences may be carried out if an Italian law or, where so provided for by a law, a regulation authorises the processing and provides appropriate measures to safeguard data subjects' rights and freedoms. Where such provisions are not enacted, requirements for the lawful processing of judicial data shall be determined through a decree of the Ministry of Justice.

Moreover, in this regard, the Garante:

  • updated General Authorisation No. 7/2016 on processing judicial data by private individuals, public economic bodies, and public entities (see section 5.7); and
  • published ethical rules on the processing of personal data carried out in order to carry out defensive investigations or to assert or defend a right in judicial proceedings (see section 5.7).

Such provisions must be applied also in the employment context.

7.10. Controller and processor contracts

There are no variations to the GDPR provided by Italian data protection laws.

8. DATA SUBJECT RIGHTS

The cases in which data subjects' rights may be restricted are listed by Articles 2-undecies and 2-duodecies of the Code. The controller shall explain without undue delay to the data subject the reason for the limitation, while no communication is due in case it jeopardises the aim for which the controller can limit the data subjects' rights.

Pursuant to Article 2-undecies of the Code, data subjects' requests for the exercise of their rights granted by the GDPR can be withheld, postponed, or rejected when they are likely to result in a concrete and actual prejudice to:

  • interests protected by anti-money laundering legislation;
  • interests protected by legislation supporting victims of extortion;
  • activities of Parliamentary Committees of enquiry established under the Italian Constitution (only available in Italian);
  • activities carried out, under an express legal provision, by a public body other than a public economic body, exclusively for purposes relating to economic and monetary policy, payment systems, the supervision of intermediaries and of credit and financial markets, and the protection of their stability;
  • the performance of defence investigations or the exercise of a legal claim; or
  • confidentiality of the identity of the whistleblower.

Pursuant to Article 2-duodecies of the Code, data subjects' requests for the exercise of their rights granted by the GDPR can be withheld, postponed, or rejected also when it is necessary and proportionate, taking into account fundamental rights and legitimate interests of the data subject, to protect the independence of judicial authorities and judicial proceedings.

Moreover, pursuant to Article 138 of the Code, the exercise of such rights may also be limited where journalistic professional secrecy applies.

Data subject rights of deceased persons

Article 2-terdecies of the Code permits third parties to exercise the data subject rights in Articles 15 to 22 GDPR on behalf of deceased persons, including:

  • any individual with a direct interest in the deceased's personal data; and
  • a representative of the deceased data subject acting to protect the deceased data subject or family interests.

Data subject rights when processing for scientific and technological research

Article 100 of the Code provides that processing for scientific or technological research does not affect data subjects' rectification, erasure, processing restriction, and objection rights under GDPR; however, data subjects must exercise these rights in accordance with the Garante's related ethical rules.

Data subject rights when processing for statistical purposes

Articles 105 and 106 of the Code permit controllers to limit data subjects' information rights, when processing personal data originally collected for a different purpose, for statistical or scientific research purposes if providing the information requires a disproportionate effort compared to the protected right and the controller uses another suitable form of notification as provided by the ethical rules (see section 5.7) regarding:

  • processing for statistical or scientific research purpose; and
  • processing for statistical or scientific research purposes carried out within the National Statistical System.

8.1. Right to be informed

See introductory paragraph of section 8.

8.2. Right to access

Pursuant to Article 59 of the Code, the disclosure of official documents is governed by the following laws:

  • Law No. 241/1990 (Law on Administrative Proceedings) (only available in Italian); and
  • Legislative Decree No. 33/2013 (Reorganisation of Laws and Regulations Concerning the Duties of Publicity, Transparency, and Dissemination of Information by Public Entities) (only available in Italian).

Moreover, Article 60 of the Code permits access to administrative documents containing genetic data, health data, or data concerning a data subject's sex life or sexual orientation only where the legally protected interest underlying the access request is at least of equal rank to the rights of the data subject, or consists of a personality right or another fundamental right or freedom.

8.3. Right to rectification

See introductory paragraph of section 8.

8.4. Right to erasure

See introductory paragraph of section 8.

8.5. Right to object/opt-out

See introductory paragraph of section 8.

8.6. Right to data portability

See introductory paragraph of section 8.

8.7. Right not to be subject to automated decision-making

See introductory paragraph of section 8.

8.8. Other rights

There are no variations to the GDPR provided by Italian data protection laws.

9. PENALTIES

With regard to sanctions, the Italian legislator has substantially reworked the previous legislative framework on the basis of the so-called opening clause of the GDPR, which allows Member States to provide for criminal sanctions for certain violations of data protection legislation. Such sanctions have been added to the administrative sanctions already provided for under the GDPR, and certain criminal offences under the previous version of the Code have been amended. The main purpose of these changes is to avoid any violation of the 'ne bis in idem' principle, according to which no one may be punished twice for the same conduct.

Administrative sanctions

Article 166 of the Code refers to the following administrative sanctions established by the GDPR, specifically:

  • Article 83(4) GDPR for violations of specific provisions of the Code, e.g.:
    • Article 2-quinquies(2) on children's consent for information society services, namely in cases where the information notice does not meet the relevant requirements;
    • Article 123(4) on traffic data, namely in cases where the information notice given by providers of a public communication network or publicly available electronic communications service does not comply with the relevant GDPR provisions; and
    • Article 110(1), namely in cases of failing to carry out the DPIA in the context of medical, biomedical, and epidemiological research; and 
  • Article 83(5) GDPR, imposing administrative fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations of the Code, e.g.:
    • Article 2-ter on the legal basis for personal data processing pursuant to a public interest;
    • Article 2-quinquies(1) on children's consent for information society services, where the child's consent is not properly collected;
    • Article 2-septies(8) on safeguards for processing of biometric, genetic, and health-related data; or
    • Article 2-octies on the processing of judicial data.

Criminal offences

New crimes introduced by the Decree are:

  • unlawful communication and dissemination of personal data where large-scale processing takes place with the aim of making profit or causing damage in violation of specific provisions of the Code (Article 167-bis of the Code), for which the sanction is imprisonment from one to six years (but it may be lowered in case administrative sanctions also apply); and
  • fraudulent acquisition of personal data where large-scale processing takes place with the aim of making profit or causing damage (Article 167-ter of the Code), which is sanctioned with imprisonment from one to four years.

The Italian legislator has also made a few changes to the existing criminal offences, specifically:

  • misrepresentation/false statements given to the Garante and intentional interruption of the Garante's exercise of powers (Article 168 of the Code), for example the performance of proceedings or investigations;
  • non-compliance with the Garante's decisions (Article 170 of the Code); and
  • violation of provisions on employees' remote monitoring and the prohibition of opinion surveys, making reference to the sanctions established by the Workers' Statute, Law No. 300/1970 (only available in Italian here).

9.1. Enforcement decisions

The Garante adopted several decisions and opinions on various topics during 2017, 2018, 2019, and 2020. Some of the most relevant topics are summarised below:

  • With regard to unsolicited communications, the Garante enacted a significant number of injunctions in order to combat the phenomenon of 'wild telemarketing'. This led to very high sanctions issued against providers of electronic communications and consumer services.
  • With regard to the incorrect definition of the privacy roles of the subjects involved in processing activities, the Garante fined, by way of example, an advertising company and a hospital for a total of €280,000.
  • In order to enable compliance with national vaccine obligations, in accordance with the tight schedule envisaged in the law, the Garante issued a decision to authorise schools to directly communicate children's non-sensitive personal data to public and private health authorities.
  • As part of an investigation carried out by the Rome Public Prosecutor's Office, the Garante imposed fines for a total amount of over €11 million on five money transfer companies that had processed personal data of over one thousand individuals unlawfully and without their knowledge (the so-called 'money transfer case', only available in Italian here).
  • The Garante has underlined issues in the way in which the Revenue Agency has decided to implement the new generalised billing obligation related to electronic invoicing introduced by the 2018 Italian Budget Law (only available in Italian here). The Garante warned the Revenue Agency that the new obligation relating to electronic invoicing could seriously affect the data protection and the safeguards granted to the data subjects (citizens) involved.
  • On several occasions the Garante has been requested to provide indications and clarifications on the application of the GDPR, with particular reference to the DPIAs to be carried out in the health sector and to the procedures to be followed when data subjects request to exercise their rights concerning health data.
  • The Garante sanctioned an Italian political association with a fine of €50,000 for the violation of Articles 32 and 83(4)(a) GDPR. In its decision (only available in Italian here), the Garante declared that the sharing of login credentials among several data subjects for the management of the same online platform violates the obligation for data controllers to adopt adequate technical and organisational measures.
  • The Garante sanctioned a major telecommunications company €12.2 million for having unlawfully processed the personal data of millions of users for telemarketing purposes. In its decision (only available in Italian here), the Garante found violations with respect to consent requirements and key principles for data processing such as accountability and Data Protection by Design as set forth in the GDPR.
  • The Garante sanctioned a major energy company €8.5 million for unlawful processing of personal data for marketing purposes in the context of unsolicited telemarketing practices. Among other things, the Garante highlighted in its decision (only available in Italian here) that telemarketing calls were made without the data subjects' consent, or despite their objection to receiving promotional calls, and that the data controller had acquired the personal data of potential customers from providers that had not collected valid consent.
  • The Garante sanctioned a food delivery company €2.5 million for unlawful processing of riders' personal data also through the use of algorithms. In its decision (only available in Italian here), the Garante noted, among other things, that the company had not adequately informed the riders of the existence of automated decision-making and had not guaranteed procedures to protect the right to obtain human intervention, express one's opinion, and object to the decisions made through the use of the algorithm.