With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the areas identified in the resolution, also to be carried out with the support of the Italian Guardia di Finanza.

Inspection plans are, by their nature, operational documents. Nonetheless, they are relevant for organisations operating in Italy, as they indicate where supervisory resources will be concentrated in the short term and which processing contexts will be subject to closer scrutiny.

For data controllers, the plan can therefore also be read as a useful reference point for prioritising internal reviews and compliance checks in areas that the Authority has identified as particularly sensitive or exposed.

Key Areas of Focus of the 2026 Inspection Plan

A first area concerns personal data breaches, with particular attention to incidents affecting public databases of special relevance and sensitivity. The resolution expressly refers to the verification of security systems and database accessibility profiles, with the aim of addressing unauthorised access and the unlawful circulation of reserved information.

In addition, the plan provides for technical checks and further analysis of personal data breaches notified to the Authority, with particular regard to the most extensive and delicate cases, both in the public and private sectors. In this context, inspections will not be limited to the breach event itself or to the formal correctness of notifications under Articles 33 and 34 GDPR but will also cover the technical and organisational safeguards in place.

A second key area relates to the use of applications for the acquisition and management of whistleblowing reports. Whistleblowing systems were already included in the 2025 inspection plan, and their reappearance confirms the Authority’s continued attention to this category of tools, especially where widely deployed solutions are used. For organisations that have not recently reviewed the GDPR compliance of their whistleblowing arrangements, the plan may serve as an opportunity to reassess existing configurations and governance choices (e.g. allocation of privacy roles, access segregation, encryption measures and compliance with the principle of data minimisation).

The plan also includes personal data processing for telemarketing purposes, with a specific reference to the energy sector. This area has already been subject to significant enforcement action in Italy in recent years.

Of particular relevance is the reference to anonymisation policies and techniques implemented by telecommunications operators for the sharing of big data, in light of the Court of Justice of the European Union judgment of 4 September 2025 in the EDPS v SRB case. As discussed in our dedicated article on this milestone decision, the judgment has important implications for the distinction between anonymised and pseudonymised data. The inclusion of this topic in the inspection plan confirms that anonymisation practices, especially in the context of large-scale data sharing, remain subject to supervisory scrutiny.

Further inspection areas include the use of artificial intelligence tools in the educational sector, personal data processing carried out within the customs information system, and processing operations concerning the so-called “dossier sanitario”. These contexts are sector-specific, but they reflect areas in which the processing of personal data is structurally sensitive due to scale, function, or the categories of data involved.

Finally, the plan provides for additional inspection activities to be carried out ex officio in situations of particular urgency or in response to complaints or reports submitted to the Authority.

An Indication of Future Priorities?

The January to July 2026 inspection plan can be used by organisations as a practical reference tool: it may support internal efforts to review processes, assess the robustness of security measures, and verify the adequacy of existing documentation in the specific areas listed by the Authority.

The inspection areas identified by the Garante largely correspond to topics that have attracted sustained attention from supervisory authorities across the EU and in discussions at European Data Protection Board level. Issues such as data security, large-scale data sharing and anonymisation, the use of AI in sensitive contexts, and compliance in highly regulated sectors are likely to be relevant focus areas across Europe in the near future.

For organisations operating in multiple member states, this reinforces the importance of maintaining a coherent and well-integrated approach to data protection compliance, capable of withstanding supervisory scrutiny across jurisdictions.