On 26 March 2026, the Italian data protection authority (Garante per la protezione dei dati personali, „Garante“) fined Intesa Sanpaolo S.p.A. €31,800,000. This is one of the largest fines the Garante has ever imposed, and it carries clear lessons for any organisation that processes personal data at scale – not just banks. What Happened Between […]
Garante
Unlawful Profiling and Poor Transparency: Key Takeaways from the Garante’s Fine Against Intesa Sanpaolo
The Italian Data Protection Authority (Garante) has imposed a €17.6 million fine on Intesa Sanpaolo, one of the largest banking groups in Italy, for unlawful processing of personal data affecting approximately 2.4 million customers in the context of their transfer to the digital bank Isybank. What makes this case particularly relevant is not only its […]
Italian DPA Orders Amazon Entity to Stop Unlawful Employee Data Processing
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued an urgent order with immediate effect requiring Amazon Italia Logistica S.r.l. to stop processing personal data relating to more than 1,800 employees at one of its logistics facilities. The investigation revealed multiple violations from a data protection perspective. In particular, the […]
Digital Accessibility and Data Protection: Insights from the Italian Data Protection Authority
Digital accessibility is becoming a central compliance topic across Europe. With the entry into application of the European Accessibility Act (Directive (EU) 2019/882, EAA), EU Member States must ensure that a wide range of digital products and services meet accessibility requirements so that people with disabilities can access them without barriers. These requirements apply to […]
Reading Between the Lines of the Italian DPA’s 2026 Inspection Plan
With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the […]
The Italian Data Protection Authority Orders an Immediate Stop to Deepfake App Clothoff
The Italian Data Protection Authority (Garante) has taken urgent action against Clothoff, an AI-powered app capable of generating hyper-realistic “deep nude” images based on pictures of real people. On 3 October the regulator has issued an immediate order blocking the app – developed by a company based in the British Virgin Islands – from processing […]
DPO Independence Is Not Optional: Key Takeaways from the Italian DPA
In a decision dated December 2024, the Italian Data Protection Authority (Garante) imposed a fine of 70,000 euros on a credit rehabilitation company for multiple violations of the General Data Protection Regulation (GDPR). While the monetary penalty addressed several issues—such as unlawful data retention and the absence of processor contracts—the most significant takeaway is the […]
Garante Fine for Employee Monitoring and GPS Tracking
The Italian Data Protection Authority (Garante) recently issued a significant decision, imposing a fine of 50,000 euros on a company for unlawful employee monitoring through GPS tracking systems. The sanction followed an investigation into the company’s failure to comply with both national labour law and the EU General Data Protection Regulation (GDPR)—despite having received prior […]
Italian Data Protection Authority bans DeepSeek for Italian market
In the past years, the Italian Data Protection Authority (Garante per la Protezione dei dati personali) has made clear statements towards big technology companies introducing their services in Italy, prior to the verification of GDPR and Italian Data Protection Act compliance. We are referring to the Clearview case of 2022, that caused a fine of […]
Navigating Employee Email Privacy: Lessons from a recent Fine by Italy’s DPA
The Italian Data Protection Authority (Garante) recently imposed a significant fine of 80,000 euros on a company, for mishandling a sales agent’s email data, highlighting once again the challenges and complexities of managing employee data, in particular when access to employees’ emails is required. The issue arose when the company used a backup of the […]
How to protect data from web scraping? Guidelines from The Italian DPA
The Italian Data Protection Authority (Garante per la protezione dei dati personali, or short Garante) has released in May 2024 guidelines aimed to protect personal data published online by public and private entities (in a role of data controller) from web scraping performed by third parties. While the purposes to perform data scraping or web […]
Retention of Metadata – legal and business impacts of the Italian DPA guideline – UPDATED
A few months ago, we delved into a new decision of the Italian data protection authority (Garante) on this blog, which recommended that employers set retention periods for their employees‘ email metadata not exceeding 7 days. This guideline created some confusion, leading the Garante to suspend its applicability and open it up for public consultation […]
Italian Data Protection Authority imposed the highest fine so far on electricity provider
Telemarketing activities and aggressive practices against the consumers are again in the spotlight of the Italian Data Protection Authority (Garante), that imposed the highest fine ever on the Italian electricity provider Enel Energia. It is unfortunately very common that Italian consumers are harassed by unwanted telephone calls from marketing agencies proposing contracts for different services […]
Seven days to retain metadata – legal and business impacts of the Italian DPA decision
Indiscriminate and unrestricted retention of employee data (especially their emails) is a common yet dangerous violation of the GDPR that undermines workers‘ rights from multiple perspectives. But how far can GDPR compliance go without excessively hindering business needs and interests? This is the question behind one of the most recent (and discussed) decisions of the […]
Access to employee emails: A delicate balance between business needs and privacy rights
In the landscape of corporate operations, accessing employee emails may sometimes feel like a necessity for companies. Whether to investigate suspected misconduct of current employees, facilitate operational management during an employee’s prolonged absence, or streamline the transition after an employee departs, the reasons can be varied. However, this task is not straightforward as there are […]
1 2