At the moment we have no news regarding fines issued by the Italian DPA (‘Garante Privacy’) based on the GDPR. Debate was wide-ranging over the past year and the DPA issued guidelines and information; however, there have been few investigations or actual breach procedures. This is due to a number of factors. By way of example we can list:
The legislator decided not to repeal the previously applicable privacy legislation (Legislative Decree no. 196/2003, the so-called ‘Privacy Code’) and rules but to amend them and make them compliant with the GDPR to create a new legal framework. Decree no. 101 August 10 2018 modified the Privacy Code and required a series of actions from the Italian DPA (e.g. the amendment of the previous general authorisations or the introduction of specific codes of conduct and guidelines).
The current initial situation of legal review is expected to change in the near future: the period of ‘first application’ of the GDPR recently ended and it is possible that the DPA will begin new initiatives, including inspections. In addition, two relevant regulations regarding the Italian DPA were recently published and came into force: these regulations give the DPA itself a new structure and define new administrative procedures to be observed, related deadlines and areas of expertise. The system may now be ready for the next step.