Skip to content
GDPR by Law

European Union · updated 2026-06-15

Italy

Conditional

Italy's Garante is the EU regulator most willing to act fast against technology itself — it temporarily banned ChatGPT in 2023 and fines telemarketing abuses heavily. AI products and outbound sales deserve extra care here.

Law:
GDPR + Codice Privacy (D.Lgs. 196/2003, as amended)
Regulator:
Garante per la Protezione dei Dati Personali

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Italy requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (informativa privacy)

    Art. 13–14 GDPR

    Italian-language informativa listing controller, purposes, legal bases, recipients, retention, transfers, and rights.

    How to implement Italian users and the Garante expect the notice in Italian for consumer services. Name the Garante as the complaint authority.

    Required
  2. Cookie consent banner

    Garante Guidelines 2021 + Art. 122 Codice

    Opt-in banner with an X or reject control at the first layer; analytics cookies need consent unless truly anonymised per Garante criteria.

    How to implement Configure your CMP to the Garante profile: no scroll-consent, 6-month re-prompt limit, and prior blocking of all marketing tags.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities; the Garante recommends it for all businesses regardless of the Art. 30(5) exemption.

    How to implement Use the Garante's published ROPA model for SMEs as your starting structure.

    Required
  4. Data protection officer

    Art. 37 GDPR

    GDPR-baseline thresholds; appointment must be communicated to the Garante through its dedicated procedure.

    How to implement If appointed, file the notification on the Garante portal and publish contact details in your informativa.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification with the Garante's self-assessment form, plus an internal breach register.

    How to implement The Garante provides an online self-assessment tool to decide whether a breach is notifiable — attach the outcome to your internal record.

    Required
  6. Telemarketing opt-out compliance

    Registro Pubblico delle Opposizioni

    If you do outbound calling into Italy, numbers must be scrubbed against the public opt-out register, which since 2022 also covers mobile numbers.

    How to implement Register with the RPO and scrub lists before every campaign. This is the single largest source of Italian privacy fines.

    Conditional

The details

Cookie consent
The Garante's 2021 cookie guidelines require opt-in consent; scrolling and cookie walls are not valid consent. A reject path must exist at the first layer, and re-prompting users who declined is restricted to once every 6 months.
Data Protection Officer
GDPR baseline: mandatory for public bodies, large-scale systematic monitoring, or large-scale special-category data. The Garante maintains a DPO notification portal.
Processing agreements
Art. 28 GDPR agreements required with all processors. Italian sanctions frequently name missing vendor DPAs, especially in telemarketing supply chains.
Breach notification
Notify the Garante within 72 hours via its online procedure; high-risk breaches also require notifying individuals without undue delay.
Enforcement in practice
Enel Energia was fined €26.5M in 2022 over unlawful telemarketing; OpenAI received a €15M fine in 2024 following the ChatGPT investigation.

Data subject rights

What users can demand from you in Italy, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond within 30 days; the Garante orders compliance plus fines when access requests are ignored.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent is withdrawn.

Cover production, backups, and processors. Italian civil code requires 10-year retention of accounting records — document that exemption.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export for consent- and contract-based processing.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support path for inferred data.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Honour objections immediately and scrub against the Registro delle Opposizioni for calls.

Automated decision-making

Art. 22 GDPR

Protection against solely automated decisions with significant effects.

The Garante's food-delivery rulings (Foodinho/Deliveroo) require transparency and human review for algorithmic worker management — relevant to any gig or scoring platform.

Tools that cover Italy

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    iubenda

    Italian-founded policy generator — the natural fit for Garante-style informativa and cookie policies.

    Visit iubenda →
  • cookie consent

    Cookiebot

    CMP with a preset matching the Garante's 2021 guidelines, including the 6-month re-prompt rule.

    Visit Cookiebot →
  • compliance suite

    OneTrust

    Suite covering consent, ROPA, and breach workflows for teams selling across the EU.

    Visit OneTrust →

Frequently asked questions

Why did Italy ban ChatGPT, and what does it mean for my AI product?

The Garante used its urgency powers in 2023 over legal basis, transparency, and minors' access — and later fined OpenAI €15M. If your product trains on or processes personal data with AI, document your legal basis and add age safeguards before launching in Italy.

Can I use Google Analytics in Italy?

The Garante ruled in 2022 that a default GA3 setup unlawfully transferred data to the US. With GA4, EU data settings, and the post-2023 EU-US Data Privacy Framework the risk is lower, but consent and a DPA with Google remain required.

Is scroll-to-consent valid for cookies in Italy?

No. The Garante's guidelines explicitly reject scrolling and continued browsing as consent. You need an affirmative click, a first-layer reject option, and prior blocking of tags.

What should cold-calling startups know about Italy?

Telemarketing is the Garante's top enforcement priority. Scrub against the public opt-out register (landlines and mobiles), verify your lead vendors' consent chains, and record legal bases — supply-chain liability lands on you.

Similar jurisdictions

Free download

Get GDPR updates for Italy

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.