Data & Privacy · Italy

Comprehensive law: EU General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), as implemented nationally by the Personal Data Protection Code (Legislative Decree No. 196/2003) as amended by Legislative Decree No. 101/2018; supervised by the Garante per la protezione dei dati personali.

Italy has a comprehensive, GDPR-style data-protection regime. The directly-applicable EU GDPR is the primary reference text, supplemented by the national Privacy Code (Legislative Decree 196/2003) as harmonized by Legislative Decree 101/2018, which adapts national rules where the GDPR left discretion to Member States. The independent supervisory authority is the Garante per la protezione dei dati personali, which actively enforces the law through complaints handling, inspections and fines.

Comprehensive GDPR-based regime

The EU GDPR (Regulation 2016/679) applies directly and is the reference text alongside the national Privacy Code. Italy did not create a separate standalone scheme but harmonized its pre-existing law to the GDPR.

National implementing law

Legislative Decree No. 101/2018 (effective 19 September 2018) amended the Privacy Code (Legislative Decree No. 196/2003), repealing rules incompatible with the GDPR and regulating matters left to Member-State discretion.

Supervisory authority (Garante)

The Garante per la protezione dei dati personali is the independent supervisory authority. It is a collegiate body of four members elected by Parliament for a seven-year term, based in Rome.

Powers and obligations

The Garante handles complaints, conducts inspections, can ban or restrict processing, advises Parliament/Government on legislation, and participates in EU/cross-border enforcement. Controllers face GDPR obligations (lawful basis, transparency, DPIAs, breach notification) and data subjects hold GDPR rights (access, rectification, erasure, portability, objection).

Active enforcement in 2026

In April 2026 the Garante imposed a combined fine exceeding €12.5 million on Poste Italiane and Postepay for unlawful tracking of app users, and issued binding guidelines requiring consent for email tracking pixels (six-month compliance window). Its H1-2026 inspection plan targets 40+ inspections covering telemarketing, AI systems and workplace monitoring.

Interaction with national AI Law

Italy's national AI Law No. 132/2025 (in force 10 October 2025) preserves the Garante's full GDPR powers over AI-related data processing and permits secondary use of de-identified health data for AI research with prior 30-day notification to the Garante.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.