Skip to content
World Watch/Italy/Data & Privacy

Data & Privacy ยท Italy

Data protection & GDPR compliance in Italy (2026)

Comprehensive lawEU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), as implemented nationally by the Personal Data Protection Code (Legislative Decree No. 196/2003) as amended by Legislative Decree No. 101/2018; supervised by the Garante per la protezione dei dati personali.Country index 93 ยท A+

Italy shaded by its data & privacy status

Data protection in Italy: comprehensive law, under EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), as implemented nationally by the Personal Data Protection Code (Legislative Decree No. 196/2003) as amended by Legislative Decree No. 101/2018; supervised by the Garante per la protezione dei dati personali..

Italy has a comprehensive, GDPR-style data-protection regime. The directly-applicable EU GDPR is the primary reference text, supplemented by the national Privacy Code (Legislative Decree 196/2003) as harmonized by Legislative Decree 101/2018, which adapts national rules where the GDPR left discretion to Member States. The independent supervisory authority is the Garante per la protezione dei dati personali, which actively enforces the law through complaints handling, inspections and fines.

GDPR & data protection in Italy

In Italy, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Garante per la protezione dei dati personali.

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Garante per la protezione dei dati personali
Applies to
any organisation processing the personal data of people in Italy, wherever the organisation is based
Maximum fine
โ‚ฌ20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Italy supplements it with a national data-protection act and its own supervisory authority.

GDPR in Italy: FAQ

Does the GDPR apply in Italy?

Yes. As an EU/EEA member, Italy applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Garante per la protezione dei dati personali.

Who enforces data protection law in Italy?

The Garante per la protezione dei dati personali.

What are the GDPR fines in Italy?

Up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Italy?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Italy?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive GDPR-based regime

The EU GDPR (Regulation 2016/679) applies directly and is the reference text alongside the national Privacy Code. Italy did not create a separate standalone scheme but harmonized its pre-existing law to the GDPR.

National implementing law

Legislative Decree No. 101/2018 (effective 19 September 2018) amended the Privacy Code (Legislative Decree No. 196/2003), repealing rules incompatible with the GDPR and regulating matters left to Member-State discretion.

Supervisory authority (Garante)

The Garante per la protezione dei dati personali is the independent supervisory authority. It is a collegiate body of four members elected by Parliament for a seven-year term, based in Rome.

Powers and obligations

The Garante handles complaints, conducts inspections, can ban or restrict processing, advises Parliament/Government on legislation, and participates in EU/cross-border enforcement. Controllers face GDPR obligations (lawful basis, transparency, DPIAs, breach notification) and data subjects hold GDPR rights (access, rectification, erasure, portability, objection).

Active enforcement in 2026

In April 2026 the Garante imposed a combined fine exceeding โ‚ฌ12.5 million on Poste Italiane and Postepay for unlawful tracking of app users, and issued binding guidelines requiring consent for email tracking pixels (six-month compliance window). Its H1-2026 inspection plan targets 40+ inspections covering telemarketing, AI systems and workplace monitoring.

Interaction with national AI Law

Italy's national AI Law No. 132/2025 (in force 10 October 2025) preserves the Garante's full GDPR powers over AI-related data processing and permits secondary use of de-identified health data for AI research with prior 30-day notification to the Garante.

Timeline - major decisions & events

Jul 1, 2025enforcementofficial
Garante fines Autostrade per l'Italia โ‚ฌ420,000 over employee data

The Garante fined the motorway operator โ‚ฌ420,000 for using an employee's private Facebook, Messenger and WhatsApp content in disciplinary proceedings, breaching lawfulness, purpose-limitation and minimisation principles. It signals strict enforcement of workplace privacy limits.

EDPB โ†—
May 19, 2025enforcementofficial
Garante fines Replika maker Luka Inc. โ‚ฌ5 million

The Garante imposed a โ‚ฌ5M fine on Luka Inc. for lacking a legal basis, transparency and any age-verification for its AI companion chatbot, and opened a fresh probe into its generative-AI training. It cemented Italy's role as a leading AI-privacy enforcer.

EDPB โ†—
Jan 30, 2025decision
Garante blocks DeepSeek AI for Italian users

The Garante imposed an urgent, definitive limitation on processing Italian users' data by China's DeepSeek after finding its responses inadequate and noting data was stored in China contrary to GDPR safeguards. It was the first major EU action against the Chinese model.

Bird & Bird โ†—
Dec 20, 2024enforcementofficial
Garante fines OpenAI โ‚ฌ15 million over ChatGPT

Closing its ChatGPT inquiry, the Garante fined OpenAI โ‚ฌ15M for processing training data without an adequate legal basis, transparency failures, weak age verification and an unreported 2023 breach, and ordered a six-month public information campaign. It was the first GDPR penalty against a generative-AI provider.

Garante per la protezione dei dati personali โ†—
Apr 28, 2023decisionofficial
ChatGPT reinstated in Italy after compliance measures

OpenAI restored ChatGPT access in Italy after adopting transparency notices, an opt-out for training, age-gating and other measures demanded by the Garante. It set an early template for EU-wide AI compliance expectations.

Garante per la protezione dei dati personali โ†—
Mar 31, 2023decisionofficial
Garante orders temporary stop of ChatGPT

Italy became the first country to suspend ChatGPT, ordering OpenAI to halt processing of Italian users' data over the lack of a legal basis for training, missing transparency and absent age verification. It opened the global wave of AI data-protection scrutiny.

Garante per la protezione dei dati personali โ†—
Feb 2, 2023decision
Garante blocks AI chatbot Replika

The Garante issued an urgent order halting Replika's processing of Italian users' data, citing risks to minors and vulnerable people, no effective age checks and an invalid contract-based legal basis. It was an early marker of AI-specific enforcement.

Portolano Cavallo โ†—
Sep 19, 2018law
Legislative Decree 101/2018 harmonizes Italian law with GDPR

The decree amended the 2003 Privacy Code, repealing provisions incompatible with the GDPR and legislating in areas left to member states (public sector, health data, research, criminal sanctions, age-14 consent for online services). It defines today's national framework alongside the GDPR.

IAPP โ†—
Jun 30, 2003law
Personal Data Protection Code enacted (Legislative Decree 196/2003)

Italy consolidated its privacy rules into the 'Codice Privacy', which governed data protection for over two decades and re-grounded the Garante's powers. It remains the national vehicle now adapted to the GDPR.

privacy.it (Italian Privacy Code, English) โ†—
Dec 31, 1996law
Law 675/1996, Italy's first data protection law

Implementing EU Directive 95/46/EC, Law No. 675 introduced comprehensive personal-data rules and established the Garante per la protezione dei dati personali as an independent authority. It is the foundation of the modern Italian privacy framework.

privacy.it (Law 675/1996, English) โ†—

Italy - other topics

Data & Privacy in other countries

Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’