Data protection & privacy laws in Italy (2026)
Italy has a comprehensive, GDPR-style data-protection regime. The directly-applicable EU GDPR is the primary reference text, supplemented by the national Privacy Code (Legislative Decree 196/2003) as harmonized by Legislative Decree 101/2018, which adapts national rules where the GDPR left discretion to Member States. The independent supervisory authority is the Garante per la protezione dei dati personali, which actively enforces the law through complaints handling, inspections and fines.
Key points
The EU GDPR (Regulation 2016/679) applies directly and is the reference text alongside the national Privacy Code. Italy did not create a separate standalone scheme but harmonized its pre-existing law to the GDPR.
Legislative Decree No. 101/2018 (effective 19 September 2018) amended the Privacy Code (Legislative Decree No. 196/2003), repealing rules incompatible with the GDPR and regulating matters left to Member-State discretion.
The Garante per la protezione dei dati personali is the independent supervisory authority. It is a collegiate body of four members elected by Parliament for a seven-year term, based in Rome.
The Garante handles complaints, conducts inspections, can ban or restrict processing, advises Parliament/Government on legislation, and participates in EU/cross-border enforcement. Controllers face GDPR obligations (lawful basis, transparency, DPIAs, breach notification) and data subjects hold GDPR rights (access, rectification, erasure, portability, objection).
In April 2026 the Garante imposed a combined fine exceeding €12.5 million on Poste Italiane and Postepay for unlawful tracking of app users, and issued binding guidelines requiring consent for email tracking pixels (six-month compliance window). Its H1-2026 inspection plan targets 40+ inspections covering telemarketing, AI systems and workplace monitoring.
Italy's national AI Law No. 132/2025 (in force 10 October 2025) preserves the Garante's full GDPR powers over AI-related data processing and permits secondary use of de-identified health data for AI research with prior 30-day notification to the Garante.
Timeline - major decisions & events
The Garante fined the motorway operator €420,000 for using an employee's private Facebook, Messenger and WhatsApp content in disciplinary proceedings, breaching the lawfulness, purpose-limitation and minimisation principles. It signals strict enforcement of workplace privacy limits. Source: EDPB.
The Garante imposed a €5M fine on Luka Inc. for lacking a legal basis, transparency and any age verification for its AI companion chatbot, and opened a fresh probe into its generative-AI training. It cemented Italy's role as a leading AI-privacy enforcer. Source: EDPB.
The Garante imposed an urgent, definitive limitation on the processing of Italian users' data by China's DeepSeek after finding its responses inadequate and noting that data was stored in China contrary to GDPR safeguards. It was the first major EU action against the Chinese model. Source: Bird & Bird.
Closing its ChatGPT inquiry, the Garante fined OpenAI €15M for processing training data without an adequate legal basis, transparency failures, weak age verification and an unreported 2023 breach, and ordered a six-month public information campaign. It was the first GDPR penalty against a generative-AI provider. Source: Garante per la protezione dei dati personali.
OpenAI restored ChatGPT access in Italy after adopting transparency notices, an opt-out for training, age-gating and other measures demanded by the Garante. It set an early template for EU-wide AI compliance expectations. Source: Garante per la protezione dei dati personali.
Italy became the first country to suspend ChatGPT, ordering OpenAI to halt processing of Italian users' data over the lack of a legal basis for training, missing transparency and absent age verification. It opened the global wave of AI data-protection scrutiny. Source: Garante per la protezione dei dati personali.
The Garante issued an urgent order halting Replika's processing of Italian users' data, citing risks to minors and vulnerable people, no effective age checks and an invalid contract-based legal basis. It was an early marker of AI-specific enforcement. Source: Portolano Cavallo.
Legislative Decree 101/2018 amended the 2003 Privacy Code, repealing provisions incompatible with the GDPR and legislating in areas left to Member States (public sector, health data, research, criminal sanctions, age-14 consent for online services). It defines today's national framework alongside the GDPR. Source: IAPP.
Italy consolidated its privacy rules into the 'Codice Privacy' (Legislative Decree 196/2003), which has governed data protection for over two decades and re-grounded the Garante's powers. It remains the national vehicle, now adapted to the GDPR. Source: privacy.it (Italian Privacy Code, English).
Implementing EU Directive 95/46/EC, Law No. 675/1996 introduced comprehensive personal-data rules and established the Garante per la protezione dei dati personali as an independent authority. It is the foundation of the modern Italian privacy framework. Source: privacy.it (Law 675/1996, English).
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.