Stage of legislative progress 
Eg. pre-consultation, in consultation

The Legislative Decree no. 101 of 10 August 2018 (hereinafter, the "Decree") implementing the GDPR has been published in the Official Journal on September 4 2018.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

The Decree did not repeal the current Data Protection Act (hereinafter, "IDPA") but solely amended any provisions of the IDPA conflicting with the GDPR. It now contains only residual provisions in addition to those of the GDPR which are directly applicable.

A small number of the provisions contained in the Decree are not included in the IDPA. Thus the new final legal framework is quite complex:

  • the GDPR,
  • the amended IDPA and,
  • residual standalone
Timescale for implementation 
Eg. pre-consultation, in consultation

In force. It is possible to read the consolidated text of the IDPA, as amended by the Decree, at the following link:

Areas where Member States must have local laws:

Personal data and freedom of expression 

IDPA title XII - sections 136-137-138-139. 

The code of practice on the processing of personal data & journalistic activities (Annex A.1 of IDPA) remains in force. The compatibility of this code with the GDPR will be reassessed by the Italian Data Protection Authority (hereinafter, the "Authority"). The Authority should review it before the end of the calendar


Sections 167, 167 bis and 167 ter of the IDPA provide sanctions (including criminal sanctions) for whoever, with the view of obtaining a personal gain, a gain for a third party or with the intent to cause harm to another: unlawfully processes, transfers, discloses, disseminates or fraudulently acquires personal data. 

Furthermore, Section 168 of the IDPA provides sanctions (including criminal sanctions) if you communicate or attest false information or if you intentionally try to interrupt or disrupt an ongoing procedure/investigation of the Authority. 

Section 170 IDPA provides sanctions (including criminal sanctions) for people who do not respect the measures adopted by the Authority under the articles 58 (2) (f) GDPR, 2-septies (1) IDPA as well as the general measures referred to in article 21(1), of the legislative decree implementing article 13 of law no. 163 of 25 October 2017

Section 171 IDPA, provides sanctions in the field of employment for employers breaching the guarantees on remote controls and monitoring of employee (Articles 4 and 8 of the Italian Workers' Statute). 

Lastly, it is to be noted that Section 172 IDPA provides that being convicted of any of the above criminal offences shall entail publication of the relevant judgment.


Areas where Member States may have local laws:

Professional secrecy 

On Journalistic sources, Section 138 IDPA restricts the data subject's right of access insofar that the data subject cannot request the source of the personal data.

Scientific, historical or statistical purposes 

IDPA Section 99, allows personal data to be processed; stored; & transferred to another controller after the normal period for processing and even after the termination of the main processing if carried out for scientific, historical or statistical purposes as well as archiving in the public interest.
Section 106 IDPA - the Authority will issue guidance for the processing of personal data for statistical or scientific research purposes.

 These rules will apply both to public and private bodies, scientific societies and professional associations. The aim of the guidance is to identify adequate guarantees for the rights and freedoms of the data subject in accordance with Article 89 GDPR. 
Section 110 IDPA: provides for the possibility to carry out scientific and medical research, using special categories of data, without consent in certain circumstances. 

Section 110-bis IDPA: ability for the Authority to authorize secondary uses of special category data for scientific and statistical research, in situations where it is impossible or would involve a disproportionate effort to inform all data subjects. It does not apply to genetic data.


Section 111 of IDPA states that the Authority promotes the adoption of ethical rules for public and private subjects interested in the processing of personal data carried out in the context of employment.

Section 111-bis IDPA provides that the information referred to in Article 13 of the GDPR, in cases of receipt of a direct application is provided at the time of the first contact. Within the limits of the purposes referred to in Article 6, paragraph 1, letter b) of the Regulations, consent to the processing of personal data contained in curricula CV is not required. 

Section 21 of the Decree states that the Authority is to identify, within 90 days following the entry into force of the Decree itself (before the end of the calendar year), which of the general regulatory measures will remain fully valid (e.g. guidelines on biometric data, processing of data at work).

Personal data of deceased persons 

Section 2-terdecies of the IDPA provides that the rights referred to in Sections 15 to 22 of the GDPR for deceased people can be activated by a data subject who has an interest in the protection, by his agent, or for family reasons worthy of protection ("Representative").

The exercise of the subject's rights by the Representative is not allowed in the cases set out by law or when, the data subject has expressly forbidden it with a written declaration provided or communicated to the data controller.

Children online

14 years

Special rules for special categories of data
IDPA Section 2-sexies, 2 specifies that a "substantial public interest" is a viable lawful basis for the processing of special categories of personal data.

Genetic, biometric or health data

IDPA Section 2-septies, 1. Guidance on the safeguards for the processing of genetic, biometric and health data processing should be issued every 2 years. 

In case of high risk processing of genetic data, consent can be a further safeguard, and/or others should be applied (Section 2-septies, (6)). Genetic, biometric and health data cannot be disseminated (Section 2-septies, (7)).
Within 90 days from the entry into force of the Decree (last term is on 18th December 2018) the Authority will identify the applicable safeguards. The existing authorization regime will remain applicable for the processing of genetic and health data until it is replaced by the upcoming safeguards.

Designation of a Data Protection Officer


National identification numbers/any other identifier of general application



Any other areas under discussion

The Authority has highlighted that:

  • Controllers and processors should use the icons and symbols suggested by the Authority on CCTV systems and banks, together with a complete and exhaustive privacy notice;
  • Decree foresees that for the first 8 months from the date of entry into force of the Decree itself (i.e. until 19 May 2019) the Authority takes into account, for the purposes of the application of administrative sanctions and to the extent that it is compatible with the provisions of GDPR, the phase of first application of the penalty provisions. This provision could be interpreted as an opportunity for the controllers to demonstrate, in case of inspection, that their approach to the GDPR has taken into account the focal points of the new legislation, assessing the need to apply any sanctions in a gradual manner and leaving the possibility to the controllers to remedy any shortcomings found during the inspection;
  • the provisions of the Authority adopted before  May 25 2018 are valid unless stated otherwise and to the extent that they are compatible with the GDPR and the IDPA; 
  • To terminate a penalty procedure for some specified violations of the IDPA, the Decree states that Controllers and Processor can directly pay two-fifths of the minimum relevant sanction within sixty days of the date from 19th September 2018.