Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Data protection and privacy implications of the National Plan of Recovery and Resilience

Italy was among the first EU countries hit by the COVID-19 pandemic in February 2020. The impact of the pandemic led to a drop in gross domestic product close to 9%, compared to an average drop of 6% in the rest of the EU. The health crisis hit a country that was already facing significant challenges, from low investment rates to limited prospects for public administrations and small- and medium-sized enterprises ('SMEs') to seize the opportunities offered by the digital world.

In this Insight article, Giangiacomo Olivi, Partner at Dentons Group B.V., discusses the National Plan of Recovery and Resilience1 ('PNRR'), particularly focusing on the resulting data protection and privacy implications.

mammuth / Signature collection /

Scope and framework

In response to the pandemic and economic crisis, the EU adopted, in December 2020, Council Regulation (EU) 2020/2094 of 14 December 2020 establishing a European Union Recovery Instrument to support the recovery in the aftermath of the COVID-19 crisis2, known as the Next Generation EU ('NGEU'), a programme of unprecedented scope consisting of two main instruments: the Recovery and Resilience Facility3 ('RRF') and the Recovery Assistance for Cohesion and the Territories of Europe4 ('REACT-EU').

From an economic standpoint, Italy was the first beneficiary of the economic aids provided for by these two programmes. In particular, the RRF alone provided for over €190 billion, for the period between 2021 and 2026, to be used for various objectives, including bolstering the digital transition of the country.

In order to use these economic aids efficiently, Italy adopted, in May 2021, the PNRR, a vast programme of reforms and investments articulated in the following six 'missions':

  • digitalisation, innovation, competitiveness, culture, and tourism;
  • green revolution and ecological transition;
  • infrastructure for sustainable mobility;
  • education and research;
  • inclusion and cohesion; and
  • health.

Some commentators argued that the PNRR should be construed as a fundamental part of a broader framework of European regulations which includes, among others, the Regulation (EU) 2022/2065 of 19 October 2022 on a Single Market For Digital Services and Amending Directive 2000/31/EC (Digital Services Act)5 ('DSA'), Regulation (EU) 2022/1925 of 14 September 2022 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)6 ('DMA'), the Proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)7 ('the Draft Data Act'), and Regulation (EU) 2022/868 of 30 May 2022 on European Data Governance and Amending Regulation (EU) 2018/1724 (Data Governance Act)8 ('DGA'). This framework aims at stimulating a competitive data-driven market, establishing a level playing field for businesses, and creating a safer digital space where the fundamental rights of users are protected.

Comments from the Ministry for Economic Development and the Garante

In May 2022, for the 25th anniversary of the Italian data protection authority ('Garante'), the Italian Minister for Economic Development, Giancarlo Giorgetti, commented on the intersections between the PNRR and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Minister declared that the PNRR represents "a unique opportunity for the country to undertake a digital transformation; also it is important that large companies continue to look at Italy to install data centres and cloud services, thus helping the country bolstering its progress". According to the Minister, it is necessary "that the investments provided for by the PNRR aim at fostering the transition of companies to reliable and modern IT systems, capable of performing thousands of operations in a short time and leveraging the full potential of artificial intelligence". Therefore, in line with other global trends, the PNNR will lead to increased (local) data processing.

This will require an increased effort in terms of cybersecurity and resilience. The Garante emphasised that the only way to fulfil the six missions envisaged by the PNRR is working on the combination of data protection and cybersecurity. Indeed, only by merging these two aspects, the digitalisation and innovation process could be developed effectively without jeopardising security. This is particularly relevant, taking into account the fact that, as stated in its 2021 annual report9, the Garante warned that the number of data breaches notified in 2021, by both public and private entities, increased by 50% compared to 2020.

In this regard, the Garante stressed that 'the safeguards provided for by the GDPR have a twofold objective in the context of the reforms and projects envisaged by the PNRR'. On the one hand, they aim at building trust in citizens relating to the activities carried out by public entities in the performance of their functions; on the other hand, they aim at ensuring a secure innovation process, with a competitive market that also allows for the protection of the fundamental rights and freedoms.

Digitisation and cloud

Among the missions set forth by the PNRR, mission No. 1 'digitalisation, innovation, competitiveness, culture, and tourism' is considered as the most relevant for the realm of data protection. Besides the compliance with the fundamental GDPR principles (e.g. minimisation, security, transparency, accountability, etc.), this necessitates particular scrutiny in order to adequately monitor the sub-contractors and technology suppliers (including the large players offering cloud services and artificial intelligence ('AI') systems).

In this regard, the PNRR introduced the so-called 'cloud first strategy' whereby public administrations shall decide whether to opt for cutting-edge national cloud (i.e. the National Strategic Hub10) or purchase a commercial cloud solution available on the market. While making this choice, public administrations shall take due consideration of the categories of personal data being processed (common or special categories of personal data), the volume of such data, and the characteristics of the services provided. Cloud services clearly offer public administrations a great opportunity to modernise their internal and external procedures.

However, the infrastructure and functionalities of these services often leverage upon other 'sub-cloud service providers'. Therefore, data controllers - whether public or private - shall pay due attention to all the sub-providers involved in the supply chain. This will no doubt confirm a trend of strict data mapping and further scrutiny for data transfers, as already initiated following the well-known Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II').


The PNRR addresses another historical inefficiency of the Italian public administrations, i.e. the absence of interoperability between the respective databases. In this regard, the PNRR sets forth substantial investments to upgrade the architecture and the means of interconnection of public databases in order to reach full interoperability and access services more efficiently. More in detail, the so-called 'once only principle' will grant citizens and businesses the possibility to provide their data only once to the relevant public entity, without having to provide further data to other requesting public entities. All public entities potentially interested in the data concerned will in fact be able to obtain such data from the previous public entity which first received the data from the data subject/business, without any further communication being required from the same data subject/business.

To this end, the PNRR established the National Digital Data Platform ('PDND'), which is a central digital catalogue through which public administrations will be able to exchange data mutually. The PNRR also mandated the Agency for Digital Italy ('AGID') to adopt specific guidelines to define the criteria and technical standards for the management and use of the PDND. In July 2021, the Garante welcomed such reforms11, specifically stating the that AGID defined a framework of safeguards that ensure the integrity and confidentiality of citizens' personal data, in compliance with the GDPR obligations, including the Privacy by Design and by Default principles.


The NGEU represents a unique occasion for economic growth and welfare of the EU as a whole. Within this framework, the PNRR specifically addresses some historical weaknesses of Italy. The strong incentives for the digitalisation and innovation of public administrations and companies will certainly lead to a substantial increase of personal data being processed. A careful analysis of data protection implications will be necessary at each step of the implementation process. To this end, it will prove crucial to establish a constant and efficient dialogue between the Garante and all involved public entities.

Giangiacomo Olivi Partner
[email protected]
Dentons Group B.V., Milan

1. Available at: (only available in Italian)
2. Available at:
3. See at:
4. See at:
5. Available at:
6. Available at:
7. Available at:
8. Available at:
9. Available for download at: (only available in Italian)
10. See at:
11. See at: (only available in Italian)