
Italian Data Protection Code

Overview of the Italian Data Protection Code 2018

(Codice in materia di protezione dei dati personali)

The Italian Data Protection Code of 2018 (the Code) is a comprehensive legal framework designed to safeguard personal and sensitive information. Protecting personal information is of great value in Italy and is considered a human right. To that end, the country has implemented the EU’s General Data Protection Regulation (GDPR) in addition to its own privacy laws, such as the Italian Personal Data Protection Code.

By elevating personal data protection to the level of other human rights, the Code aligns with the Italian Constitution, which upholds the right to privacy and autonomy, ensuring individuals have control over their personal information. The Code underscores the country’s dedication to maintaining robust data protection measures and emphasizes that safeguarding sensitive information is crucial to personal freedoms and dignity. Any Italian records database containing personal information must adhere to the Code’s rules.

The Italian Data Protection Authority (Garante) supervises the application of the GDPR and the Code and, among other things:

  • Provides data protection measures for data controllers and processors.
  • Manages data subject complaints.
  • Adopts guidelines that help organizations comply with personal data protection laws.

The Value of Data Protection

Today, we live in a digital world where information flows freely across borders and through technological channels. Data protection safeguards personal and sensitive information, ensuring it is not misused, exploited, or compromised. By protecting data, individuals and organizations maintain privacy, avoid identity theft, and minimize financial risks.

Data protection also helps organizations build stakeholder and customer trust, demonstrating a genuine commitment to security and transparency. It enables compliance with legal and regulatory frameworks, reducing the risk of hefty fines and legal consequences. And in a broader context, it contributes to societal stability, safeguarding information integrity, promoting ethical data usage, and maintaining consumer confidence, all of which are vital for functioning, fair markets and secure digital landscapes.

The European Influence: GDPR and the Data Protection Code

EU data protection laws recognize privacy as a fundamental human right that ensures personal dignity. While “privacy” in Italy is defined as a broader concept than data protection, it’s through Italy’s Code that citizens can exercise their rights over their personal information, including the “right to forget” and “right to know,” thereby protecting individuals and their families, private lives, honor, and reputation.

How the Italian Data Protection Law Differs From GDPR

Italian legislators drew extensively from the GDPR’s opening clauses when creating the country’s Code. While many of the Code’s provisions, including legal principles, e-marketing, automated decision-making, data security, data breaches, certification, and data transfer, do not deviate from the GDPR, others add or detract from it, including:

  • Substantive and territorial scope. The Code extends its scope to the deceased, unless forbidden by law.
  • Sensitive data. The Code specifies what GDPR’s “substantial public interest” means to Italian citizens. It sets out the adoption process for processing genetic, biometric, and health data and specifies the principles regarding processing data regarding criminal offenses and convictions.
  • Cookies. The Code distinguishes between two groups of cookies: profiling and technical. Users must give their prior informed consent to the use of profiling cookies, and they must be informed as to how technical cookies will be used.
  • Rights of data subjects. The Code limits data subject rights in certain cases, including money laundering, activities carried out by a public entity, and whistleblowing.
  • Unsolicited job applications. The Code states that for CVs spontaneously submitted by applicants, Article 13’s informing requirement must be provided at the time of first useful contact.
  • Sanctions and penalties. Various Articles of the Code define violations for which imprisonment is possible, including unlawful processing or transfer of data outside the EU. It also permits imprisonment for unlawful communication and sharing of personal data undergoing large-scale processing and fraudulent acquisition of personal data subject to large-scale processing.

Data Protection in Italy

Data protection laws have been in existence in Italy since the late 1990s, when, like its EU member counterparts, the country passed a law to conform with European Parliament directives covering:

1. The protection of individuals with regard to the processing of personal data and on the free movement of such data; and

2. The processing of personal data and the protection of privacy in the telecommunications sector.

The Italian Code protects citizens from unauthorized data usage, breaches, and exploitation. It is designed to:

  • Reflect the nation’s view of data security as a societal priority.
  • Promote transparency, accountability, and trust between businesses, organizations, and consumers.
  • Further solidify Italy’s stance on data protection as a fundamental aspect of human rights and a critical component of modern society.

Italy’s privacy law has gradually evolved to acknowledge the need to preserve collective memory. For instance, various amendments backed by archivists and historians balanced the right to know and right to forget by adding a clause that allows the preservation of personal data for historical, scientific, and statistical research. The Code provides research rules for archivists and other users that require recognizing a data subject’s human rights, as well as legal sanctions for violations and breaches.

Key Provisions of the Italian Data Protection Code

The Code is largely based on and aligned with the General Data Protection Regulation (GDPR), the overarching data protection framework for the European Union. Key provisions include:

General Principles

The Code establishes principles for personal data processing, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Rights of Data Subjects

Individuals or data subjects have the right to:

  • Access their personal data
  • Rectify their personal data
  • Have their personal data erased (the “right to be forgotten”)
  • Restrict processing of their personal data
  • Receive their personal data in a portable form (data portability)
  • Object to processing of their personal data

Consent

The Italian age of consent is 14 years. Children who have reached this age can validly express consent to data processing. Children under 14 must have a responsible parent provide consent.

Obligations of Data Controllers and Processors

The Code imposes various obligations on organizations processing personal data, referred to as data controllers and data processors, such as:

  • Implementing appropriate technical and organizational measures to ensure data security.
  • Maintaining records of processing activities.
  • Appointing a Data Protection Officer (DPO) in certain cases.
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

Transfer of Personal Data

The transfer of personal data outside the European Union requires adequate safeguards and compliance with specific conditions.

Special Categories of Data

Additional restrictions and requirements are imposed for processing special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life and sexual orientation. The Code also contains specific language regarding the processing of personal data for journalistic purposes.

Data Breach Notification and Security Measures

Data controllers and processors must implement sufficient security measures that protect data subjects’ personal information and prevent it from being accessed or disclosed without authorization. In the event of a personal data breach, they must notify the relevant supervisory authority and affected data subjects, ensuring the privacy and security of personal information.

Supervisory Authority

The Garante, headquartered in Rome, is the independent supervisory authority responsible for monitoring the application of the Code and enforcing its provisions.

Sanctions and Penalties

The Code establishes a system of administrative fines and penalties for non-compliance with its provisions, ranging from warnings and reprimands to substantial fines, depending on the nature and severity of the violation.

Compliance with the Italian Data Protection Code

The Garante supervises data processing activities, ensuring adherence to data protection rules. Other duties and responsibilities include:

  • Acting on data subject complaints.
  • Implementing ethical rules for personal data processing carried out by public and private employers.
  • Reporting crimes detected during its activities.
  • Mandating data controller and processor measures for the proper processing of personal data.
  • Blocking or prohibiting data processing activities that might represent a risk to data subjects.
  • Adopting resolutions and draft opinions.
  • Raising public awareness about data protection and involving citizens in the drafting of general resolutions.
  • Adopting guidelines on technical and organizational measures implementing GDPR principles.

Penalties, fines, and other actions reflect Italy’s commitment to enforcing data privacy. For instance, in 2023, its privacy regulator briefly banned the use of OpenAI’s ChatGPT over concerns about age verification controls and the legality of its data collection. Administrative penalties for non-compliance can amount to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year. Criminal penalties can include imprisonment.