GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Italy applies the GDPR alongside D.Lgs. 196/2003 (Codice della Privacy) as amended by D.Lgs. 101/2018. The national supervisory authority is the Garante per la protezione dei dati personali.

| Company | Fine | Issue | Year |
|---|---|---|---|
| Meta (Facebook) | €390 million (EU multi-authority) | Unlawful legal basis for behavioural advertising; GDPR art. 6 | 2023 |
| OpenAI (ChatGPT) | €15 million | Unlawful processing of personal data; no age verification; Italian ban then lifted | 2024 |
| TIM (Telecom Italia) | €27.8 million | Unlawful telemarketing; failure to honour opt-outs; D.Lgs. 196/2003 art. 130 | 2021 |
| Enel Energia | €26.5 million | Unauthorised telemarketing calls; Registro Pubblico Opposizioni (RPO) | 2021 |
| Clearview AI | €20 million | Unlawful biometric data collection; facial recognition database | 2022 |
| Regione Lazio | €120,000 | Ransomware breach — inadequate security measures; GDPR art. 32 | 2022 |

| Topic | Italian Rule | Legal Basis |
|---|---|---|
| Children's consent | Age 14 (Italy's choice within the 13–16 range permitted by GDPR art. 8(1)) | D.Lgs. 196/2003 art. 2-quinquies |
| Employee monitoring | Controls on work tools (strumenti di lavoro) permissible; internet/email monitoring requires trade union agreement or ITL authorisation | L. 300/1970 art. 4 (as amended by DL 151/2015) |
| Video surveillance at work | Requires trade union agreement or Ispettorato del Lavoro authorisation; must inform workers; Garante guidelines apply | L. 300/1970 art. 4; Garante Guidelines 2010 |
| Telemarketing — RPO | Registro Pubblico Opposizioni (DPR 178/2010 + DL 139/2021) covers mobile/email; opt-out must be honoured within 15 days | DPR 178/2010; DL 139/2021 (extended RPO) |
| Health data | Sensitive data (dati sulla salute) requires explicit consent + specific processing conditions; doctors/healthcare exempt from some requirements | D.Lgs. 196/2003 artt. 2-sexies, 2-septies |
| Fiscal code (codice fiscale) | Codice fiscale is personal data; cannot be used to cross-reference databases without legal basis | D.Lgs. 196/2003; Garante Guidance 2008 |
The DPO is mandatory under GDPR art. 37 for: (1) public authorities; (2) controllers/processors whose core activities involve large-scale systematic monitoring of individuals; (3) large-scale processing of special category data. Italy has no national employee threshold for DPO appointment (unlike Germany's BDSG § 38 which requires 20+ employees). However, the Garante recommends voluntary DPO appointment for SMEs processing significant volumes of personal data.
Sources: GDPR (EU 2016/679); D.Lgs. 196/2003 (Codice della Privacy) as amended by D.Lgs. 101/2018; L. 300/1970 art. 4 (Statuto dei Lavoratori); DPR 178/2010 + DL 139/2021 (RPO).