GDPR Enforcement in Italy
Deep dive into relevant data protection enforcement cases and insights from Italy

Fining practice
Trend: Have the national data protection authorities in Italy focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
To date, the main fines have been imposed for reasons related to there being an insufficient legal basis for data processing, as well as non-compliance with general data processing principles. The focus to date has been on telemarketing activities, especially in the telecommunications and electricity sectors.
In the second half of 2024, the inspection activity of the Italian Data Protection Authority (“Garante per la protezione dei dati personali” - “Garante”, “DPA”) focused mainly on:
- commercial information and creditworthiness investigations: assessing how commercial information providers and creditworthiness evaluation companies handle personal data;
- telemarketing data processing: inspecting compliance with data protection regulations in the telemarketing sector;
- unauthorised contracts in the energy sector: investigating cases of unauthorised contract activations in the energy industry to prevent unfair commercial practices;
- connected vehicles and data management: examining how connected vehicles collect and process personal data, ensuring compliance with privacy laws;
- cookie compliance: auditing the use of cookies and tracking technologies by major digital service providers, following the Italian DPA’s guidelines issued on June 10, 2021;
- remote audio/video surveillance systems: continuing investigations into companies managing alarm systems that include remote audio/video connection capabilities;
- Digital Identity Management (SPID) and trust services: inspecting digital identity providers (SPID) and associated trust services, such as electronic signatures;
- educational institutions and digital platforms: conducting further inspections in schools regarding the use of electronic registers and digital platforms for student data management.
The DPA has also released the inspection plan for the first half of 2025, focusing on:
- data breaches and security of public databases: the inspection activity will focus on verifying the security systems and the correct management of the access profiles of the databases, with the aim of guaranteeing that effective measures are in place for the protection of personal data;
- checks in the databases of credit institutions: the systems used to detect violations, as well as the measures adopted to prevent them in a timely manner, will be examined;
- call centres and email marketing: the DPA will continue monitoring companies managing call centres and email marketing services, particularly regarding the unlawful use of email lists and databases; despite previous inspections and sanctions, illegal data processing persists, making this a priority area for oversight;
- unauthorised contracts in the energy sector: inspections will also target unauthorised contract activations in the energy sector, ensuring consumer consent is obtained before contract activation and preventing aggressive marketing practices;
- video surveillance systems: investigations will continue into companies managing video surveillance systems to ensure compliance with GDPR principles;
- profiling cookies and online tracking: checks on profiling cookie usage will continue, with particular attention to non-compliant tracking practices, following the guidelines issued on June 10, 2021;
- Digital Identity Management (SPID): by mid-2025, inspections of digital identity providers (SPID) and related trust services, such as digital signatures, will be completed;
- data processing in schools: school inspections will focus on ensuring the secure and lawful processing of student data through electronic registers.
From 2025, new sectors will be monitored due to technological advancements and market practices, such as:
- the National Statistical Program (PSN): inspections will assess specific statistical projects involving big data and synthetic data to ensure compliance with data minimisation, privacy by design and accountability principles;
- use of biometric data in driving exams: investigations will be conducted into the use of biometric data for driving exam admissions at the Department of Motor Vehicles to ensure full compliance with data protection regulations;
- general inspections: beyond these specific areas, the DPA will conduct general inspections of public and private entities to verify compliance with data protection laws. Organisations must be prepared to respond to formal complaints and reports that may trigger inspections.
Overall, what was the most significant fine in Italy to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The highest GDPR fines in Italy to date have been imposed on:
- Enel Energia SpA was fined EUR 79.1 million on 29 February 2024 due to its lack of compliance with technical and organisational measures aimed at limiting the potential abuses by agencies that unlawfully performed telemarketing activities. According to the DPA, Enel Energia acquired as many as 978 contracts from four different previously sanctioned companies, even though they did not belong to the energy company’s sales network. Moreover, following subsequent inspections at Enel Energia, the DPA ascertained that the information systems used by the company for customer management and service activation showed the above-mentioned serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised agents who, by identifying easy ‘front doors’ in the company’s information systems, for years fuelled an illicit business carried out through nuisance calls, service promotions and the signing of contracts with no real economic benefit for customers. This dispute emerged after a fine of EUR 26.5 million against the same entity was cancelled by the Court of Rome because it was issued too late (see point 3), after the expiry of the procedural terms; the EUR 79.1 million fine is currently the highest the DPA has ever issued.
- OpenAI, the company behind the AI tool ChatGPT, was fined EUR 15 million by the Italian Data Protection Authority in December 2024. The fine was imposed for processing users' personal data without proper consent, especially in relation to the use of data for training its AI model. The DPA found that OpenAI violated transparency and information obligations under GDPR, as users were not fully informed about the data collection process. Furthermore, OpenAI lacked sufficient age verification measures, potentially exposing children under 13 to inappropriate content. The fine was based on a breach of the principle of transparency, with the company failing to provide clear information to users about how their data was being used. OpenAI has expressed its intent to challenge the fine, deeming it disproportionate, and the appeal process is currently ongoing.
- On 1 February 2020, Tim SpA was fined EUR 27.8 million due to there being an insufficient legal basis for data processing. According to the DPA, TIM SpA – a leading Italian telecommunications company – had carried out illegal data processing operations related to marketing activities. From January 2017 to early 2019, the DPA received numerous complaints concerning, in particular, the receipt of unsolicited promotional calls made without consent or despite the fact that the telephone users had been entered in the public objections register, or despite the fact that the persons contacted had expressed to the company their wish not to receive promotional calls. Complaints as to irregularities in the processing of data were also made in connection with prize competitions and forms submitted to users by TIM.
- On 19 January 2022, Enel Energia was fined EUR 26.5 million due to its unlawfully processing users’ personal data for telemarketing purposes. The decision was issued following complex inquiries the DPA had started due to hundreds of complaints being made by users who had received unsolicited calls made on behalf of Enel Energia, some of them using pre-recorded messages, or who had found it difficult to exercise their data protection rights and had encountered problems more generally relating to the handling of their data in relation to the supply of utility services, including the processing of data performed in the dedicated area on the company’s website and/or through the app provided to manage power consumption. The DPA has observed that telemarketing issues in the utilities sector are clearly and worryingly on the rise with the upcoming switch to an unregulated market regime for electricity and gas suppliers. The inquiries made by the DPA showed pervasive, unrelenting and increasingly invasive reliance on unsolicited promotional calls without the required consent, addressed to off-directory users or to users listed in the opt-out register; additionally, responses to user requests to access their own personal data or to object to processing for marketing purposes are increasingly delayed or missing altogether. On 16 February 2023, the Court of Rome overturned the decision of the DPA. To date, the grounds of the ruling have not been published.
- Clearview AI (a US-based company), on 10 February 2022, was fined EUR 20 million for illegitimately using over 10 billion facial images from all over the world, which were extracted from public web sources (media outlets, social media, online videos) through web scraping. The company offers a sophisticated search service, which allows, through AI systems, for the creation of profiles on the basis of the biometric data extracted from the images. The profiles can be augmented with information linked to these images, such as image tags and geolocation or source web pages. The DPA’s inquiries were started on the basis of complaints and alerts and found that Clearview AI, contrary to its assertions, allows the tracking of Italian nationals and persons located in Italy. The findings showed that the personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis, as the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR, including transparency (because it failed to adequately inform users), purpose limitation (because it processed users’ data for purposes other than those for which they had been made available online) and storage limitation (because it did not set out any data storage period). Thus, Clearview AI was violating data subjects’ freedoms, including the protection of privacy and non-discrimination.
- The Italian Data Protection Authority fined Postel Spa EUR 900,000 for failing to address a known vulnerability in their systems for nearly a year, which led to a data breach. In August 2023, Postel was hit by a ransomware attack that blocked servers and workstations. The attack resulted in the exfiltration and, in some cases, loss of availability of files containing personal data of about 25,000 individuals, including employees, former employees, relatives, company officers, job applicants and business representatives. The stolen information, later published on the dark web, included personal and contact details, access and identification data, payment information, criminal records and sensitive data such as union membership and health information.
Despite the vulnerability being reported by the software producer in September 2022 and the National Cybersecurity Agency in November 2022, Postel did not update their systems as recommended. This failure to comply with data protection regulations, which require adequate security measures, led to the fine. Additionally, Postel's breach notification to the Authority lacked comprehensive information, delaying the investigation.
The Authority has ordered Postel to pay the fine and conduct a thorough vulnerability analysis, create a plan to detect and manage vulnerabilities and establish appropriate detection and response times.
Organisation of authorities and course of fine proceedings in Italy
How is the data protection authority organised in Italy? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The DPA is a collegial body, composed of four members elected by the Parliament, who remain in office for a non-renewable term of seven years. The members elect a President whose vote prevails in the event of a tie (article 153 of the Italian Privacy Code - Legislative Decree 196/2003).
The DPA is structured as follows:
A. SERVICES
- Legal and institutional affairs
- Management control
- External relations and media
- International and European relations
- Studies and documentation
B. DEPARTMENTS
- Justice and legal affairs
- Administration, assets and accounting
- Inspections
- Freedom of expression and cyberbullying
- Economic and productive activities
- Public administrations
- Marketing and telematics networks
- Human Resources and contractual activities
- Health and research
- Digital technologies and cyber security
The operating expenses of the DPA are charged to a fund allocated in the state budget, within a specific expenditure programme under the Ministry of Economics and Finance. Currently, the budget allocated to the DPA amounts to EUR 47,367,934 for 2023, EUR 47,685,528 for 2024 and EUR 48,012,394 for 2025. In addition to the dedicated budget, 50% of the annual fines imposed by the DPA are allocated to the DPA to be used to support three activities: GDPR awareness, inspections and implementation.
How does a fine procedure work in Italy? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
Pursuant to section 166 of the Italian Privacy Code, proceedings may be brought against both private and public bodies or public authorities following a complaint being lodged in accordance with Article 77 of the Regulation or after inquiries are carried out by the DPA at its own initiative, within the framework of the investigative powers referred to in Article 58(1) of the Regulation as well as in connection with access, inspections and audits carried out on the basis of either autonomous powers to carry out controls or powers delegated by the DPA. If the DPA considers that the findings of the investigations indicate that a violation of data protection laws has been committed, it will notify the controller or the processor as to the alleged violations, except where prior notification as to such alleged violations proves incompatible with the nature and objective of the measures to be adopted. Within thirty days from receipt of the above-mentioned notification, the relevant company/public authority may send pleadings or documents to the DPA and may request to be heard. The DPA itself is entitled to impose fines and sanctions, which may be challenged before the ordinary courts.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
50% of the fines are allocated to the state treasury and 50% of the annual fines are allocated to the DPA to be used to support three activities, namely: awareness, inspections and implementation of the GDPR.
Is there a common, official calculation methodology for fines in Italy (such as the fining models in the Netherlands or Germany)?
While the calculation of the amount of the fine is at the discretion of the single supervisory authority, the DPA aligns with the Guidelines 04/2022 issued by the European Data Protection Board on the calculation of administrative fines under the GDPR, supplementing (but not excluding) the previous Guidelines concerning the application and provision of administrative pecuniary sanctions for the purposes of the Regulation (EU) No 2016/679 adopted by the Article 29 Data Protection Working Party (now, EDPB).
Can public authorities be fined in Italy? If they can: Where does this money go?
Yes, pursuant to section 166 par. 4 of the Italian Privacy Code. Please refer to letter c) as regards the allocation of fines.
In Italy, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
The publishing of fines imposed by the DPA on its website is an ancillary sanction (section 166 par. 7 of the Italian Privacy Code). The publication may include the whole decision or an excerpt thereof. Fined companies are not anonymised.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
Considering that the publishing of fines is an ancillary sanction, there is no information on all individual fine cases. Nevertheless, through the annual summary of the DPA’s activities, aggregated information on the total number of cases and the total amount of fines is provided by the DPA. The main annual figures from 2019 are as follows:
- 2019: (i) 232 decisions; (ii) EUR 3,017,363 in collected fines; (iii) 147 inspections.
- 2020: (i) 278 decisions; (ii) EUR 38,448,895 in collected fines; (iii) 21 inspections.
- 2021: (i) 252 decisions; (ii) EUR 13,465,148 in collected fines; (iii) 49 inspections.
- 2022: (i) 231 decisions; (ii) EUR 9,459,457 in collected fines; (iii) 140 inspections.
- 2023: (i) 263 decisions; (ii) EUR 7,977,343 in collected fines; (iii) 144 inspections.
- 2024: no public information so far.
Other legal consequences of non-compliance in Italy
Does Italy have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
Under the new legislation, the scope of the new class action regime has been significantly broadened and now aims at protecting a wide range of contractual or non-contractual rights across different sectors, including with regard to environmental law and financial services. As a result, wider access to the class action regime is expected. Please note that Directive 1828/2020 (“on representative actions for the protection of the collective interests of consumers”) is currently being transposed into national law in Italy. The new legislation will extend the power of certain entities enabled by national law to take legal action to protect the collective interests of consumers (including “data subjects” under the GDPR) and to obtain compensation for damages, even across borders.
What is more relevant in Italy: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
For the time being, the fines issued by the DPA are much more relevant than claims for damages arising from court proceedings concerned with data protection infringements. However, litigation before the ordinary courts for data protection breaches is increasing as a consequence of the growing public awareness of data protection issues triggered by the GDPR’s entry into force in May 2018. The expectation is that this trend will continue and that in the coming years there will be significant growth in cases brought before civil courts claiming compensation for damages, often in connection with matters discovered through investigations by the DPA. It should be noted that a growing body of case law concerns the right to be forgotten and damages for publication of a personal image without consent.