GDPR Enforcement in Italy

Deep dive into relevant data protection enforcement cases and insights from Italy

21 May 2026

Main takeaways

Publicly announced focus topics for DPA activity/enforcement.
50% of fines allocated to DPA budget to strengthen data protection.
Non-anonymised publication of fines as an additional sanction; aggregated information on enforcement in DPA annual report.
Fines > Damages: Fines appear to be more significant than damages, importance of litigation likely to increase in the future.

Fining practice

Trend: Have the national data protection authorities in Italy focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

To date, the main fines have been imposed for reasons related to there being an insufficient legal basis for data processing, as well as non-compliance with general data processing principles.

In the second half of 2025, the inspection activity of the Italian Data Protection Authority (“Garante per la protezione dei dati personali” - “Garante”, “DPA”) has focused mainly on data breaches involving public databases, with particular attention to security measures and access controls; personal data processing in the insurance sector for quotation purposes; whistleblowing platforms and related data management; data processing within local public transport services; biometric recognition systems used by banks for customer identification; statistical data processing, with specific focus on disease registries; electronic health records (health dossiers); and unlawful telemarketing practices in the energy sector.

The DPA has also released the inspection plan for the January–July 2026 period, focusing on: data breaches involving public databases (inspection activities will continue within the interdepartmental task force, with particular attention to security systems and access management in order to prevent unauthorised access and unlawful resale of personal data); whistleblowing platforms (the Authority will continue verifying the most widely used applications for collecting and managing whistleblowing reports, ensuring proper safeguards for personal data); artificial intelligence in schools (inspections will assess the use of AI tools in educational environments and the related processing of students’ personal data); electronic health records (the Authority will continue inspections on the processing of personal data within health dossiers, with particular attention to access controls and data protection measures); unlawful telemarketing in the energy sector (monitoring activities will continue with a focus on improper use of personal data and aggressive marketing practices); Customs Information System (inspections will cover personal data processing carried out within the customs information framework); telecoms anonymisation and big data sharing (the Authority will conduct checks on anonymisation techniques implemented by telecoms operators, particularly in light of the CJEU judgment of 4 September 2025); major personal data breaches (technical investigations will be conducted on significant data breach notifications affecting both public and private sectors); and ad-hoc inspections (additional inspections may be carried out in response to complaints, reports or urgent situations).

Overall, what was the most significant fine in Italy to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The highest GDPR fines in Italy to date have been imposed on:

  1. Intesa Sanpaolo was fined EUR 31.8 million following a data breach caused by serious shortcomings in technical and organisational security measures. The investigation, launched by the DPA after the bank reported the breach in July 2024, found that an employee accessed the banking information of 3,573 customers without justification, performing over 6,600 unauthorised queries between February 2022 and April 2024. This improper access went undetected for more than two years, highlighting significant weaknesses in monitoring and prevention controls. The breach also involved high-risk customers, including individuals holding public positions, for whom enhanced safeguards should have been implemented. The DPA found violations of the integrity, confidentiality and accountability principles under the GDPR, noting that the bank’s operating model allowed broad access to customer data without adequate controls to detect unjustified access. Additional deficiencies were identified in the data breach management, including late and incomplete notification to the Authority and delayed communication to affected individuals. When determining the fine, the DPA considered the severity and duration of the breach, the number of customers affected and the corrective measures implemented by the bank after the incident.
    In addition, Intesa Sanpaolo was fined EUR 17.6 million in relation to its digital subsidiary Isybank for the unlawful processing of personal data of approximately 2.4 million customers. The Authority found that the bank conducted profiling without an adequate legal basis to select customers for transfer, using criteria such as age, use of digital channels and financial assets. This operation significantly affected customers, as it involved transferring their accounts to a different data controller, resulting in unilateral changes to contractual conditions and account management features, including the assignment of a new IBAN, the absence of physical branches and access exclusively via a mobile app. Shortcomings were also identified in the communications to customers, which were mainly delivered during the summer period through the app’s archive section without sufficient visibility or additional notifications despite the exceptional nature of the operation.
  2. Acea Energia was fined EUR 2 million by the Italian Data Protection Authority for serious violations in the processing of personal data of over 1,200 customers in the electricity and gas supply sector. The Authority intervened following multiple complaints regarding the use of inaccurate or outdated customer data to activate contracts without consent. Many customers reported learning about the contracts only after receiving activation notices or payment requests, claiming they had no contact with the company. Inspections revealed that Acea Energia relied on agents and partner companies to acquire potential customers without adequate oversight. Agents could collect personal data, including photos of documents via mobile devices, and activate contracts without the customers’ knowledge, sometimes using forged signatures. The monitoring system, including follow-up calls to verify customer consent, was also inadequate. The Authority ordered Acea to adopt corrective measures, including implementing alerts to monitor agents’ compliance with procedures, regular verification of acquired data and defining specific retention periods for customer information.
  3. Luka Inc., the US-based company operating the chatbot “Replika”, was fined EUR 5 million by the Italian Data Protection Authority, which also launched a separate investigation into the processing of personal data by the generative AI system underlying the service. The fine is currently subject to ongoing appeal proceedings. The chatbot allows users to create a “virtual friend” acting as a confidant, therapist, romantic partner or mentor through text and voice interactions. The Authority found that, as of 2 February 2023, Luka had not established a legal basis for the processing activities conducted via Replika and had provided an inadequate privacy policy. Additionally, no age verification mechanisms were in place to prevent minors from accessing the service, either at registration or during use, despite the company claiming that minors were excluded. Technical checks revealed that the current age verification system remains insufficient. The Authority ordered Luka to align its data processing with GDPR requirements and requested detailed information regarding the processing of personal data across the entire lifecycle of the generative AI system, including risk assessments, protective measures during model development and training, types and categories of data used and any anonymisation or pseudonymisation measures implemented.
  4. ITA Airways and Alitalia in extraordinary administration were fined EUR 1.25 million by the Italian Data Protection Authority for unlawful processing of employee data during the transition between the two companies. Shared digital folders containing personal records, including salary, family status and labour disputes, were accessed by ITA Airways before employees applied for new positions. The Authority found the processing lacked a legal basis, violating GDPR principles of lawfulness, fairness and accountability. The case, triggered by a July 2023 union complaint, highlights the need for careful management of employee data in corporate restructurings, ensuring compliance with GDPR and a proper legal basis when sharing information between distinct legal entities.
  5. The Administrative Court of Rome annulled the EUR 15 million fine previously imposed by the Italian Data Protection Authority on OpenAI, developer of ChatGPT. The sanction, issued in 2024, concerned alleged GDPR violations, including the legal basis for personal data processing, transparency with users and safeguards for minors. Following an appeal by OpenAI, the Court had initially suspended the fine and, in March 2026, ruled to annul it. The reasoning behind the judgment has not yet been published.

Organisation of authorities and course of fine proceedings in Italy

How is the data protection authority organised in Italy? Budget, staff, assignment to a ministry?

The DPA is a collegial body, composed of four members elected by the Parliament, who remain in office for a non-renewable term of seven years. The members elect a President whose vote prevails in the event of a tie (article 153 of the Italian Privacy Code - Legislative Decree 196/2003).

The DPA is structured as follows:

  1. SERVICES
    • Legal and institutional affairs
    • Management control
    • External relations and media
    • International and European relations
    • Studies and documentation
  2. DEPARTMENTS
    • Justice and legal affairs
    • Administration, assets and accounting
    • Inspections
    • Freedom of expression and cyberbullying
    • Economic and productive activities
    • Public administrations
    • Marketing and telematics networks
    • Human Resources and contractual activities
    • Health and research
    • Digital technologies and cyber security

The operating expenses of the DPA are charged to a fund allocated in the state budget, within a specific expenditure programme under the Ministry of Economics and Finance. The budget allocated to the DPA amounts to EUR 47,367,934 for 2023, EUR 47,685,528 for 2024, EUR 48,012,394 for 2025 and EUR 48,523,745 for 2026. In addition to the dedicated budget, 50% of the annual fines imposed by the DPA is allocated to the DPA to be used to support three activities: GDPR awareness, inspections and implementation.

How does a fine procedure work in Italy? Can the authority impose fines itself? Procedural steps? Legal remedies?

Pursuant to section 166 of the Italian Privacy Code, proceedings may be brought against both private and public bodies or public authorities following a complaint being lodged in accordance with Article 77 of the Regulation or after inquiries are carried out by the DPA at its own initiative, within the framework of the investigative powers referred to in Article 58(1) of the Regulation as well as in connection with access, inspections and audits carried out on the basis of either autonomous powers to carry out controls or powers delegated by the DPA. If the DPA considers that the findings of the investigations indicate that a violation of data protection laws has been committed, it will notify the controller or the processor as to the alleged violations, except where prior notification as to such alleged violations proves incompatible with the nature and objective of the measures to be adopted. Within thirty days from receipt of the above-mentioned notification, the relevant company/public authority may send pleadings or documents to the DPA and may request that its case be heard. The DPA itself is entitled to impose fines and sanctions, which may be challenged before the ordinary courts.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

50% of the annual fines are allocated to the state treasury and the remaining 50% are allocated to the DPA to be used to support three activities, namely: awareness, inspections and implementation of the GDPR.

Is there an official calculation methodology for fines in Italy?

While the calculation of the amount of the fine is at the discretion of the single supervisory authority, the DPA aligns with the Guidelines 04/2022 issued by the European Data Protection Board on the calculation of administrative fines under the GDPR, supplementing (but not excluding) the previous Guidelines concerning the application and provision of administrative pecuniary sanctions for the purposes of the Regulation (EU) No 2016/679 adopted by the Article 29 Data Protection Working Party (now, EDPB).

Can public authorities be fined in Italy? If yes: Where does this money go?

Yes, pursuant to section 166 (4) of the Italian Privacy Code. As regards the allocation of fines, please refer to the answer above on where the money goes when fines are imposed.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

The publishing of fines imposed by the DPA on its website is an ancillary sanction (section 166 (7) of the Italian Privacy Code). The publication may include the whole decision or an excerpt of it. Fined companies are not anonymised.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Considering that the publishing of fines is an ancillary sanction, there is no information on all individual fine cases. Nevertheless, through the annual summary concerning the DPA’s activities, aggregated information on the total number of cases and the total amount of fines is provided by the DPA. The main annual figures from 2019 are as follows:

  • 2019: (i) 232 decisions; (ii) EUR 3,017,363 in collected fines; (iii) 147 inspections.
  • 2020: (i) 278 decisions; (ii) EUR 38,448,895 in collected fines; (iii) 21 inspections.
  • 2021: (i) 252 decisions; (ii) EUR 13,465,148 in collected fines; (iii) 49 inspections.
  • 2022: (i) 231 decisions; (ii) EUR 9,459,457 in collected fines; (iii) 140 inspections.
  • 2023: (i) 263 decisions; (ii) EUR 7,977,343 in collected fines; (iii) 144 inspections.
  • 2024: (i) 835 decisions; (ii) EUR 24,000,000 in collected fines; (iii) 130 inspections.
  • 2025: no public information so far.

Other legal consequences of non-compliance in Italy

Does Italy have model declaratory proceedings/class actions in data protection law?

Under the new legislation, the scope of the new class action regime has been significantly broadened and now aims at protecting a wide range of contractual and non-contractual rights across different sectors, including with regard to environmental law and financial services. As a result, wider access to the class action regime is expected. Please note that Directive 1828/2020 (“on representative actions for the protection of the collective interests of consumers”) is currently being transposed into national law in Italy. The new legislation will extend the power of certain entities enabled by national law to take legal action to protect the collective interests of consumers (including “data subjects” under the GDPR) and to obtain compensation for damages even across borders.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

For the time being, the fines issued by the DPA are much more relevant than claims for damages arising from court proceedings concerned with data protection infringements. However, litigation before the ordinary courts for data protection breaches is increasing as a consequence of the growing public awareness of data protection issues triggered by the GDPR’s entry into force in May 2018. The expectation is that this trend will continue and that in the coming years there will be significant growth in cases brought before the civil courts claiming compensation for damages, often in connection with matters discovered through investigations by the DPA. It should be noted that a growing body of case law concerns the right to be forgotten and damages for publication of a personal image without consent.
