• Insights

Italy – The GDPR one year on

Written by
Toffoletto de Luca Tamajo, working in employment law since 1925.
Since the entry into force of the GDPR on 25 May 2018, Italy has amended its pre-existing data protection laws and introduced new regulations relating to the organisational structure and procedures of the Italian data protection authority.

At the moment we have no news regarding fines issued by the Italian DPA (‘Garante Privacy’) based on the GDPR. Debate was wide-ranging over the past year and the DPA issued guidelines and information; however, there have been few investigations or actual breach procedures. This is due to a number of factors. By way of example we can list:

  • the need to reorganise the structure and procedures of the DPA;
  • the Italian legislator’s request for a ‘first application’ period of the GDPR to be observed (eight months following the amendment of Italian Privacy Code, published in August 2018);
  • follow up activity performed by the DPA after the law was passed to make sure all the regulations and indications were in line with the legal position.


The legislator decided not to repeal the previously applicable privacy legislation (Legislative Decree no. 196/2003, the so-called ‘Privacy Code’) and rules but to amend them and make them compliant with the GDPR to create a new legal framework.  Decree no. 101 August 10 2018 modified the Privacy Code and required a series of actions from the Italian DPA (e.g. the amendment of the previous general authorisations or the introduction of specific codes of conduct and guidelines).

The current initial situation of legal review is expected to change in the near future: the period of ‘first application’ of the GDPR recently ended and it is possible that the DPA will begin new initiatives, including inspections. In addition, two relevant regulations regarding the Italian DPA were recently published and came into force: these regulations give the DPA itself a new structure and define new administrative procedures to be observed, related deadlines and areas of expertise. The system may now be ready for the next step.