European Union · updated 2026-06-15
Italy
Italy's Garante is the EU regulator most willing to act fast against technology itself — it temporarily banned ChatGPT in 2023 and fines telemarketing abuses heavily. AI products and outbound sales deserve extra care here.
- Law:
- GDPR + Codice Privacy (D.Lgs. 196/2003, as amended)
- Regulator:
- Garante per la Protezione dei Dati Personali
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Italy requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (informativa privacy)
Art. 13–14 GDPRItalian-language informativa listing controller, purposes, legal bases, recipients, retention, transfers, and rights.
How to implement Italian users and the Garante expect the notice in Italian for consumer services. Name the Garante as the complaint authority.
Required -
Cookie consent banner
Garante Guidelines 2021 + Art. 122 CodiceOpt-in banner with an X or reject control at the first layer; analytics cookies need consent unless truly anonymised per Garante criteria.
How to implement Configure your CMP to the Garante profile: no scroll-consent, 6-month re-prompt limit, and prior blocking of all marketing tags.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities; the Garante recommends it for all businesses regardless of the Art. 30(5) exemption.
How to implement Use the Garante's published ROPA model for SMEs as your starting structure.
Required -
Data protection officer
Art. 37 GDPRGDPR-baseline thresholds; appointment must be communicated to the Garante through its dedicated procedure.
How to implement If appointed, file the notification on the Garante portal and publish contact details in your informativa.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification with the Garante's self-assessment form, plus an internal breach register.
How to implement The Garante provides an online self-assessment tool to decide whether a breach is notifiable — attach the outcome to your internal record.
Required -
Telemarketing opt-out compliance
Registro Pubblico delle OpposizioniIf you do outbound calling into Italy, numbers must be scrubbed against the public opt-out register, which since 2022 also covers mobile numbers.
How to implement Register with the RPO and scrub lists before every campaign. This is the single largest source of Italian privacy fines.
Conditional
The details
- Cookie consent
- The Garante's 2021 cookie guidelines require opt-in consent; scrolling and cookie walls are not valid consent. A reject path must exist at the first layer, and re-prompting users who declined is restricted to once every 6 months.
- Data Protection Officer
- GDPR baseline: mandatory for public bodies, large-scale systematic monitoring, or large-scale special-category data. The Garante maintains a DPO notification portal.
- Processing agreements
- Art. 28 GDPR agreements required with all processors. Italian sanctions frequently name missing vendor DPAs, especially in telemarketing supply chains.
- Breach notification
- Notify the Garante within 72 hours via its online procedure; high-risk breaches also require notifying individuals without undue delay.
- Enforcement in practice
- Enel Energia was fined €26.5M in 2022 over unlawful telemarketing; OpenAI received a €15M fine in 2024 following the ChatGPT investigation.
Data subject rights
What users can demand from you in Italy, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Respond within 30 days; the Garante orders compliance plus fines when access requests are ignored.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent is withdrawn.
Cover production, backups, and processors. Italian civil code requires 10-year retention of accounting records — document that exemption.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export for consent- and contract-based processing.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support path for inferred data.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Honour objections immediately and scrub against the Registro delle Opposizioni for calls.
Automated decision-making
Art. 22 GDPRProtection against solely automated decisions with significant effects.
The Garante's food-delivery rulings (Foodinho/Deliveroo) require transparency and human review for algorithmic worker management — relevant to any gig or scoring platform.
Tools that cover Italy
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
iubenda
Italian-founded policy generator — the natural fit for Garante-style informativa and cookie policies.
Visit iubenda → -
cookie consent
Cookiebot
CMP with a preset matching the Garante's 2021 guidelines, including the 6-month re-prompt rule.
Visit Cookiebot → -
compliance suite
OneTrust
Suite covering consent, ROPA, and breach workflows for teams selling across the EU.
Visit OneTrust →
Frequently asked questions
Why did Italy ban ChatGPT, and what does it mean for my AI product?
The Garante used its urgency powers in 2023 over legal basis, transparency, and minors' access — and later fined OpenAI €15M. If your product trains on or processes personal data with AI, document your legal basis and add age safeguards before launching in Italy.
Can I use Google Analytics in Italy?
The Garante ruled in 2022 that a default GA3 setup unlawfully transferred data to the US. With GA4, EU data settings, and the post-2023 EU-US Data Privacy Framework the risk is lower, but consent and a DPA with Google remain required.
Is scroll-to-consent valid for cookies in Italy?
No. The Garante's guidelines explicitly reject scrolling and continued browsing as consent. You need an affirmative click, a first-layer reject option, and prior blocking of tags.
What should cold-calling startups know about Italy?
Telemarketing is the Garante's top enforcement priority. Scrub against the public opt-out register (landlines and mobiles), verify your lead vendors' consent chains, and record legal bases — supply-chain liability lands on you.
Similar jurisdictions
Free download
Get GDPR updates for Italy
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.