Italy

Main takeaways

  • Publicly announced focus topics for DPA activity/enforcement
  • 50% of fines allocated to DPA budget to strengthen data protection.
  • Non-anonymised publication of fines as an additional sanction; aggregated information on enforcement in DPA annual report.
  • Fines > Damages: Fines appear to be more significant than damages, importance of litigation likely to increase in the future.

Fining practice

Trend: Have the national data protection authorities in Italy focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees – possibly also due to – Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

To date, the main fines have been imposed for reasons related to there being an insufficient legal basis for data processing, as well as non-compliance with general data processing principles. The focus to date has been on telemarketing activities, especially in the telecommunications and electricity sectors.

In the second half of 2023, the inspection activity of the Italian Data Protection Authority (“Garante per la protezione dei dati personali” - “Garante”, “DPA”) has focused mainly on:

  • investigations in the field of statistics and scientific research with specific reference to the measures referred to in Article 89 of the Regulation and, in particular, to the issue of pseudonymisation;
  • investigations on the processing of personal data by operators in the energy sector with specific reference to the activation of unsolicited contracts and the performance of telemarketing activities;
  • inspections with reference to the processing of biometric data by means of facial recognition, (also) in the context of the employment relationship;
  • continuation of inspections on digital identity providers (SPID) and on the entities they use for the issuance of trust services (SPID and digital signature), as well as on service providers using SPID and CIE in the context of online services (also offered through apps);
  • other inspections of public and private entities in order to verify compliance with the provisions on the protection of personal data, including investigations relating to formal complaints and reports submitted to the DPA and being investigated by the relevant Departments and Services.

The DPA has also released the inspection plan for the first half of 2024, focusing on:

  • investigations concerning the processing of personal data carried out at educational institutions through the 'electronic register platforms and digital suites';
  • continuation, through on-site inspections, of investigative activities concerning abusive access to public databases (with specific regard to the tax registry and the INPS database);
  • inspections of data controllers processing employees' personal data, also for assessment purposes, through information systems and telematic devices installed on company vehicles or at logistic centres;
  • continuation of inspections of digital identity managers (SPID) and the chain of entities they use to issue trust services (SPID and digital signature);
  • continuation of inspections regarding the correct implementation of the Guidelines on cookies and other tracking tools of 10 June 2021, also through the instrument of online inspections;
  • investigations against data controllers operating in the energy sector, with particular regard to the activation of unsolicited contracts and to the assessment of customer reliability;
  • investigations against companies operating alarm systems with the possibility of remote audio/video connection;
  • continuation of investigations into processing operations carried out for statistical and scientific research purposes, both at statistical offices belonging to SISTAN and at IRCCSs;
  • planning, as provided for in Regulation (EC) 767/2008, of the new cycle of supervisory activities on the processing of personal data in the VIS (Visa Information System);
  • investigations against data controllers in relation to issues concerning consent to marketing and profiling, as well as in relation to the conduct of telemarketing campaigns;
  • other investigations against public and private entities to verify compliance with the provisions on personal data protection, including investigations relating to formal complaints and reports submitted to the DPA and being investigated by the relevant Departments and Services.

Overall, what was the most significant fine in Italy to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The highest GDPR fines in Italy to date have been imposed on:

  1. Enel Energia SpA on 29 February 2024 was fined EUR 79.1 million due to its lack of compliance with technical and organisational measures aimed at limiting the potential abuses by agencies that unlawfully performed telemarketing activities. According to the DPA, Enel Energia acquired as many as 978 contracts from four different previously sanctioned companies, even though they did not belong to the energy company’s sales network. Moreover, following subsequent inspections at Enel Energia, the DPA ascertained that the information systems used for customer management and service activation by the company showed the abovementioned serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised agents who, by identifying easy ‘front doors’ in the company’s information systems, fuelled for years an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers. This decision follows the annulment by the Court of Rome of an earlier fine of EUR 26.5 million against the same entity, which was cancelled because it was issued after the expiry of the procedural terms (see point 3), and it is currently the highest fine the DPA has ever issued.
  2. Tim SpA on 1 February 2020 was fined the amount of EUR 27.8 million due to there being an insufficient legal basis for data processing. According to the DPA, TIM SpA – a leading Italian telecommunications company - had carried out illegal data processing operations related to marketing activities. From January 2017 to early 2019, the DPA received numerous complaints concerning, in particular, the receipt of unsolicited promotional calls made without consent or despite the fact that the telephone users had been entered in the public objections register, or despite the fact that the persons contacted had expressed to the company their wish not to receive promotional calls. Complaints as to irregularities in the processing of data were also made in connection with prize competitions and forms submitted to users by TIM.
  3. Enel Energia, on 19 January 2022, was fined EUR 26.5 million due to its unlawfully processing users’ personal data for telemarketing purposes. The decision was issued following complex inquiries the DPA had started due to hundreds of complaints being made by users who had received unsolicited calls made on behalf of Enel Energia, some of them using pre-recorded messages, or who had found it difficult to exercise their data protection rights and had encountered problems more generally relating to the handling of their data in relation to the supply of utility services – including the processing of data performed in the dedicated area on the company’s website and/or through the app provided to manage power consumption. The DPA has observed that telemarketing issues in the utilities sector are clearly and worryingly on the rise with the upcoming switch to an unregulated market regime for electricity and gas suppliers. The inquiries made by the DPA showed pervasive, unrelenting as well as increasingly invasive reliance on unsolicited promotional calls without the required consent, addressed to off-directory users or to users listed in the opt-out register; additionally, responses to user requests to access their own personal data or object to processing for marketing purposes is increasingly delayed or is missing altogether. On 16 February 2023, the Court of Rome overturned the decision of the DPA. To date, the grounds of the ruling have not been published yet.
  4. Clearview AI (a US-based company), on 10 February 2022, was fined EUR 20 million for illegitimately using over 10 billion facial images from all over the world, which were extracted from public web sources (media outlets, social media, online videos) through web scraping. The company offers a sophisticated search service which allows, through AI systems, for the creation of profiles on the basis of the biometric data extracted from the images. The profiles can be enriched by information linked to these images, such as image tags and geolocation or source web pages. The DPA’s inquiries were started on the basis of complaints and alerts and found that Clearview AI – contrary to what was alleged – allows the tracking of Italian nationals and persons located in Italy. The findings showed that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis, as the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR including transparency – because it failed to adequately inform users -, purpose limitation – because it processed users’ data for purposes other than those for which they had been made available online -, and storage limitation – because it did not set out any data storage period. Thus, Clearview AI was violating data subjects’ freedoms, including the protection of privacy and non-discrimination.
  5. Douglas Italia Spa, a perfumery chain, on 20 October 2022, was fined EUR 1.4 million for failing to comply with Italian and European legislation concerning, specifically, data retention periods and processing for marketing and profiling purposes. The DPA identified several issues in relation to the company's fidelity program, for which personal data are also collected through a specific mobile app. The DPA specifically identified the following issues: (i) lack of distinction – in Douglas' mobile app – between T&Cs, privacy policy and cookie policy; (ii) mentioning in its policies processing activities that were not actually carried out and purposes that were not actually pursued; (iii) collecting a single consent for different activities (e.g., company marketing, third party marketing and profiling). Such consent, according to the DPA, couldn’t have been deemed either free or specific. Therefore, the relevant processing activities were deemed as having no legal basis; (iv) breach of the principle of accountability for failing to prove how the personal data were collected by former companies (later merged into Douglas), and whether and how the information and consent obligations were fulfilled by those companies; (v) breach of the principles of purpose limitation and of data retention limitation for failing to delete the personal data collected more than 10 years earlier and related to customers who did not renew their fidelity card. With regards to more recently collected personal data, the DPA ordered the company to delete or pseudonymize them. The DPA also specified in its decision that if the company decides to pseudonymize the data of customers owning a fidelity card, it shall publish this on its website and send a notice to customers informing them that, in the event of non-renewal of the fidelity card, their data will be deleted within six months. Therefore, the DPA ordered Douglas to adopt appropriate organizational and technical solutions to ensure the proper storage of its customers’ data in compliance with the purpose and minimization principles of the GDPR.
  6. Areti s.p.a., a company that distributes electricity in the city of Rome, on 24 November 2022, was fined EUR 1 million for having erroneously classified thousands of users as “defaulting debtor”, thus preventing them from switching to another electricity supplier and losing the potential savings resulting from changing supplier. The DPA declared the data processing carried out by the company to be unlawful because it was impossible for users to change suppliers and benefit from such a change due to the processing of inaccurate and outdated data. In fact, the sector regulations allow a potential succeeding supplier to assess whether it would be convenient or not to acquire a new customer by consulting the so-called “Integrated Information System”, which is also fed by the information communicated by the original supplier (i.e., Areti) and which records, inter alia, the solvency of a specific customer. The DPA fined Areti for its inadequate data retention timeframes, inaccurate data migration within its systems, and inadequate response to the requests with which data subjects had exercised their rights. Therefore, Areti was fined for infringing the principle of accuracy of personal data and the principle of accountability, since the technical and organizational measures adopted to comply with the GDPR were not adequate to the processing carried out.

Organisation of authorities and course of fine proceedings in Italy

How is the data protection authority organised in Italy? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

The DPA is a collegial body, composed of four members elected by the Parliament, who remain in office for a non-renewable term of seven years. The members elect a President whose vote prevails in the event of a tie (article 153 of the Italian Privacy Code - Legislative Decree 196/2003).

The DPA is structured as follows:

A.    SERVICES

  • Legal and Institutional Affairs
  • Management control
  • External relations and media
  • International and European relations
  • Studies and documentation

B.    DEPARTMENTS

  • Justice and legal affairs
  • Administration, assets and accounting
  • Inspections
  • Freedom of expression and cyberbullying
  • Economic and productive activities
  • Public administrations
  • Marketing and telematics networks
  • Human Resources and contractual activities
  • Health and research
  • Digital technologies and cyber security

The operating expenses of the DPA are charged to a fund allocated in the State budget, within a specific expenditure programme under the Ministry of Economics and Finance. Currently, the budget allocated to the DPA amounts to EUR 47,367,934 for 2023, EUR 47,685,528 for 2024 and EUR 48,012,394 for 2025. In addition to the dedicated budget, 50% of the annual fines imposed by the DPA is allocated to the DPA to be used to support three activities: GDPR awareness, inspections, and implementation.

How does a fine procedure work in Italy? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

Pursuant to section 166 of the Italian Privacy Code, proceedings may be brought against both private and public bodies or public authorities following a complaint being lodged in accordance with Article 77 of the Regulation or after inquiries are carried out by the DPA at its own initiative, within the framework of the investigative powers referred to in Article 58(1) of the Regulation as well as in connection with access, inspections and audits carried out on the basis of either autonomous powers to carry out controls or powers delegated by the DPA. If the DPA considers that the findings of the investigations indicate that a violation of data protection laws has been committed, it shall notify the controller or the processor as to the alleged violations, except where prior notification as to such alleged violations proves incompatible with the nature and objective of the measures to be adopted. Within thirty days from receipt of the above-mentioned notification, the relevant company/public authority may send pleadings or documents to the DPA and may request to be heard. The DPA itself is entitled to impose fines and sanctions, which may be challenged before the ordinary courts.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

50% of fines are allocated to the state treasury and 50% of the annual fines are allocated to the DPA to be used to support three activities, namely: awareness, inspections, and implementation of the GDPR.

Is there a common, official calculation methodology for fines in Italy (such as the fining models in the Netherlands or Germany)?

While the calculation of the amount of the fine is at the discretion of the single supervisory authority, the DPA aligns with the Guidelines 04/2022 issued by the European Data Protection Board on the calculation of administrative fines under the GDPR supplementing (but not excluding) the previous Guidelines concerning the application and provision of administrative pecuniary sanctions for the purposes of the Regulation (EU) No 2016/679 adopted by the Article 29 Data Protection Working Party (now, EDPB).

Can public authorities be fined in Italy? If they can: Where does this money go?

Yes, pursuant to section 166 par. 4 of the Italian Privacy Code. Please refer to letter c) as regards the allocation of fines.

In Italy, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

The publishing of fines imposed by the DPA on its website is an ancillary sanction (section 166 par. 7 of the Italian Privacy Code). The publication may include the whole decision or an excerpt thereof. Fined companies are not anonymised.

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Considering that the publishing of fines is an ancillary sanction, information is not published on every individual fine case. Nevertheless, through the annual summary concerning the DPA’s activities, aggregated information on the total number of cases and the total amount of fines is provided by the DPA. The main annual figures from 2019 are as follows:

  • 2019: (i) 232 decisions; (ii) EUR 3,017,363 in collected fines; (iii) 147 inspections.
  • 2020: (i) 278 decisions; (ii) EUR 38,448,895 in collected fines; (iii) 21 inspections.
  • 2021: (i) 252 decisions; (ii) EUR 13,465,148 in collected fines; (iii) 49 inspections.
  • 2022: (i) 231 decisions; (ii) EUR 9,459,457 in collected fines; (iii) 140 inspections.
  • 2023: no public information so far.

Other legal consequences of non-compliance in Italy

Does Italy have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

Under the new legislation, the scope of the new class action regime has been significantly broadened and now aims at protecting a wide range of contractual or non-contractual rights across different sectors, including with regard to environmental law and financial services. As a result, wider access to the class action regime is expected. Please note that Directive 1828/2020 (“on representative actions for the protection of the collective interests of consumers”) is currently being transposed into national law in Italy. The new legislation will extend the power of certain entities enabled by national law to take legal action to protect the collective interests of consumers (including “data subjects” under the GDPR) and to obtain compensation for damages, including across borders between several countries.

What is more relevant in Italy: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

For the time being, the fines issued by the DPA are much more relevant than claims for damages arising from court proceedings concerned with data protection infringements. However, litigation before the ordinary courts for data protection breaches is increasing as a consequence of the growing sensitivity of public opinion regarding data protection issues triggered by the GDPR’s entry into force in May 2018. The expectation is that this trend will continue and that in the coming years there will be significant growth in cases brought before civil courts claiming compensation for damages, often in connection with matters discovered through investigations by the DPA. It should be noted that a growing body of case law concerns the right to be forgotten and damages for publication of a personal image without consent.