Data Protection Lawyers in Italy 2026: Italian AI Act, GDPR Compliance & DPA Enforcement

By Global Law Experts
– posted 3 hours ago

Italy’s data protection landscape is shifting faster in 2026 than at any point since the GDPR took effect. Data protection lawyers in Italy are now advising organisations on a convergence of three regulatory streams: the operational roll-out of Law No. 132/2025 (Italy’s national AI Act); the European Data Protection Board’s coordinated enforcement actions targeting transparency and impact assessments; and a newly assertive Garante per la Protezione dei Dati Personali testing the boundaries of AI-related enforcement. For DPOs, in-house counsel, compliance officers and technology vendors operating in the Italian market, understanding how these three streams interact is no longer optional; it is the single most urgent compliance priority for the year ahead.

This guide maps the obligations, provides actionable checklists and explains exactly when professional legal support becomes critical.

1. Key 2025–2026 Regulatory Timeline: Italy and the EU

Before diving into substance, a clear chronology helps compliance teams prioritise which obligations are already in force, which are imminent and which remain under judicial review. The timeline below captures the milestones that Italian data protection lawyers are tracking most closely in 2026.

Each entry gives the date, the rule or decision, and its practical impact for controllers:

  • 1 Aug 2024. EU AI Act (Regulation (EU) 2024/1689) enters into force. Practical impact: phased compliance deadlines begin; the ban on prohibited practices applies from 2 February 2025; high-risk obligations follow in staged windows.
  • 23 Sep 2025. Italy, Law No. 132/2025 (the Italian AI Act), dated 23 September 2025. Practical impact: new national AI obligations layered on top of the EU AI Act; national triggers for Fundamental Rights Impact Assessments (FRIAs); sectoral transparency duties and interaction with GDPR DPIAs.
  • Jan 2026. EDPB–EDPS Joint Opinion 1/2026 on AI and GDPR harmonisation. Practical impact: clarifies how GDPR obligations (lawful basis, DPIAs, transparency) align with AI Act requirements; emphasises that GDPR compliance is a floor, not a ceiling.
  • 14 Jan 2026. EDPB plenary outputs and Coordinated Enforcement Framework report. Practical impact: coordinated enforcement focus on transparency, lawful basis and impact assessments; prompts pan-EU compliance checks and coordinated audits across national DPAs.
  • 18 Mar 2026. Rome Court decision on the Garante’s OpenAI enforcement action. Practical impact: signals that DPA enforcement decisions may face judicial challenge; industry observers expect this to influence how the Garante frames future corrective orders.
  • Apr 2026. EDPB coordinated enforcement round 2, results published. Practical impact: second wave of findings on DPIA compliance and AI-specific processing; national DPAs, including the Garante, are expected to align enforcement strategies accordingly.

This timeline answers a common question seen across Italian and EU compliance forums: when did the EDPB publish its 2026 reports and guidelines relevant to AI? The answer is that the critical outputs span January to April 2026, with the Joint Opinion arriving in January and enforcement-focused plenary reports following through the spring. Compliance teams should treat the January 2026 EDPB plenary outputs as the baseline for any gap analysis conducted this year.

2. How the Italian AI Act (Law No. 132/2025) Interacts with the GDPR

Law No. 132/2025, the Italian AI law dated 23 September 2025, is Italy’s national framework for AI alongside the EU AI Act. It does not replace the GDPR; it adds to it. For controllers and processors deploying AI systems in Italy, the practical effect is a dual compliance obligation that demands parallel assessments, overlapping documentation and careful coordination between data protection and AI governance functions.

Scope and Definitions Under the Italian AI Act

The Italian AI Act applies to any entity that develops, deploys or makes available an AI system within Italian territory, regardless of where the entity is established. It mirrors the EU AI Act’s risk-based classification (minimal, limited, high and unacceptable risk) while introducing Italy-specific obligations in areas where the EU Regulation left room for national discretion. Critically, Law No. 132/2025 designates certain sectoral applications (including public administration decision-making and employment-related automated systems) as areas requiring enhanced national oversight, going beyond the baseline EU requirements.

From a GDPR compliance 2026 perspective, the most important interaction sits at the definitions level. The Italian AI Act follows the EU AI Act’s concept of an “AI system”: a machine-based system that generates outputs (predictions, recommendations, content or decisions) that can influence physical or virtual environments. Where those outputs involve the processing of personal data, GDPR obligations are triggered simultaneously. The two regimes are cumulative, not alternative.

High-Risk AI: DPIA and FRIA Alignment

The question data protection lawyers in Italy hear most frequently is: how does the Italian AI Act affect GDPR obligations for controllers in 2026? The answer centres on the dual impact assessment requirement.

Under Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory where processing is likely to result in a high risk to the rights and freedoms of natural persons. Under Article 27 of the EU AI Act, the deployers it covers (bodies governed by public law, private entities providing public services, and deployers of the credit-scoring and life or health insurance risk-assessment systems listed in Annex III) must conduct a Fundamental Rights Impact Assessment (FRIA) before first use of a high-risk AI system, and Law No. 132/2025 layers national FRIA triggers on top. These are distinct instruments with different scopes:

  • DPIA (GDPR). Focuses on data protection risks: lawfulness, necessity, proportionality, security measures, data subject rights, and safeguards against automated decision-making under Article 22 GDPR.
  • FRIA (AI Act / Law No. 132/2025). Assesses the broader impact on fundamental rights (non-discrimination, equality, freedom of expression, human dignity), extending beyond data protection into constitutional territory.

Where an AI system is classified as high-risk and processes personal data, both assessments must be completed. Early indications suggest that the Garante will expect to see documented evidence that organisations have run both exercises, with clear cross-referencing between the two. A practical approach is to produce a single integrated assessment document with separate DPIA and FRIA sections sharing a common factual description of the processing.

Practical trigger test for in-house teams:

  1. Does the system meet the EU AI Act definition of an AI system? If yes, proceed to risk classification.
  2. Is the system classified as high-risk under Annex III of the EU AI Act, or designated for enhanced oversight under Law No. 132/2025? If yes, check whether a FRIA is triggered: Article 27 of the EU AI Act requires one from public-sector deployers, private deployers providing public services and deployers of credit-scoring and life or health insurance risk-assessment systems, and Law No. 132/2025 adds its own national triggers.
  3. Does the system process personal data? If yes, assess whether a DPIA is required under Article 35 GDPR and the Garante’s published DPIA-required list.
  4. If both FRIA and DPIA are triggered, prepare an integrated assessment with distinct sections and consult with both the DPO and the AI governance lead.

3. EDPB 2026 Guidance and Coordinated Enforcement: What Controllers Should Expect

The European Data Protection Board’s 2026 activity represents the most concentrated period of AI-related guidance since the GDPR’s enforcement era began. Two outputs are particularly significant for organisations with Italian operations.

Core EDPB Positions in 2026

The EDPB–EDPS Joint Opinion 1/2026 directly addresses the relationship between the AI Act and the GDPR. Its central message is that compliance with the AI Act does not substitute for GDPR obligations. Specifically, the Joint Opinion emphasises that:

  • Lawful basis remains controller-specific. The AI Act’s risk classification does not create a lawful basis for personal data processing. Controllers must independently identify and document a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 for special categories).
  • Transparency requirements are cumulative. AI Act transparency duties (disclosure that content is AI-generated, provider identification) add to, rather than replace, the GDPR’s information duties under Articles 13 and 14.
  • DPIAs and FRIAs should cross-reference. The Joint Opinion encourages a coordinated approach to impact assessments, echoing the practical advice Italian data protection lawyers have been giving since Law No. 132/2025 was adopted.

Separately, the EDPB’s January 2026 plenary outputs confirmed that the Coordinated Enforcement Framework (CEF) for the current cycle focuses on three themes: transparency in AI-driven processing, the validity of lawful bases relied upon for training data, and the adequacy of DPIAs conducted for AI systems. National DPAs, including the Garante, have committed to using these themes as the basis for targeted audits and questionnaire campaigns throughout 2026.

Immediate Steps for GDPR Compliance 2026

Do organisations need to update privacy notices and DPIAs because of the EDPB guidelines 2026? The short answer is yes, and the updates are substantive, not cosmetic. Based on the EDPB’s stated enforcement priorities, the following actions should be treated as immediate:

  1. Audit all privacy notices. Identify every notice that describes AI-assisted processing. Confirm it discloses the involvement of AI, the specific purpose, the lawful basis relied upon, and the logic involved in automated decision-making (Article 13(2)(f) / 14(2)(g) GDPR). Generic language such as “we may use automated tools” is insufficient.
  2. Refresh existing DPIAs. Any DPIA completed before Law No. 132/2025 took effect likely does not address FRIA considerations or the EDPB’s latest guidance on training-data lawful bases. Update the risk mapping section to cover AI-specific risks: bias, opacity, disproportionate impact on vulnerable groups.
  3. Map training data flows. For organisations that train or fine-tune AI models using personal data, document the origin of training datasets, the lawful basis for collection, and any data minimisation measures applied. This is the area on which the EDPB’s CEF questionnaires are most likely to focus during Italian DPA enforcement actions in 2026.
  4. Review and update records of processing activities (ROPA). Ensure ROPA entries for AI-driven processing include the AI system’s risk classification, the date of the last DPIA/FRIA, and the name of the responsible person or team.

4. Italian DPA (Garante) Enforcement Priorities and Recent Cases

The Garante per la Protezione dei Dati Personali has positioned itself as one of Europe’s most active supervisory authorities on AI-related enforcement. Its 2026 priorities reflect both its own institutional direction and the EDPB’s coordinated themes.

The OpenAI/ChatGPT Enforcement Saga: Lessons for Vendors

The Garante’s provisional measures against OpenAI regarding ChatGPT remain the most high-profile Italian DPA enforcement action in the AI space. The authority’s original intervention focused on transparency failures, the absence of adequate information to users, and concerns about the lawful basis for processing personal data to train the model. The case drew global attention and temporarily restricted ChatGPT’s availability in Italy.

Subsequent developments, including the Rome Court’s March 2026 decision that overturned aspects of the Garante’s fine, have introduced judicial uncertainty into the enforcement landscape. Industry observers expect this outcome to have two practical effects. First, the Garante is likely to invest more heavily in procedural rigour when issuing future corrective orders, building stronger evidentiary records to withstand judicial review. Second, respondent organisations may be more inclined to challenge DPA decisions in court, particularly where fines are substantial, creating a more adversarial enforcement dynamic than Italy has previously seen.

The practical lesson for tech vendors and controllers deploying AI in Italy is clear: enforcement is real, active and sometimes unpredictable. Even where a DPA decision is subsequently overturned, the reputational damage and operational disruption of a provisional ban or corrective order can be severe.

Risk Matrix and Rapid Response Steps

Based on the Garante’s published priorities and the EDPB’s coordinated enforcement themes, the following risk matrix helps in-house teams assess their exposure:

Each entry gives the risk area, its likelihood in 2026, its impact, and the priority action:

  • Transparency failures in AI-driven processing. Likelihood: high. Impact: high. Priority action: audit and update all privacy notices; implement layered disclosure for AI features.
  • Inadequate lawful basis for training data. Likelihood: high. Impact: high. Priority action: document the lawful basis per dataset; conduct and retain legitimate interest assessments (LIAs).
  • Missing or outdated DPIAs for AI systems. Likelihood: high. Impact: medium to high. Priority action: refresh all DPIAs; integrate FRIA findings for high-risk systems.
  • Inadequate data subject rights mechanisms (access, erasure, objection). Likelihood: medium. Impact: high. Priority action: test response procedures; ensure AI-generated outputs can be traced back to source data.
  • Security vulnerabilities in AI infrastructure. Likelihood: medium. Impact: high. Priority action: conduct penetration testing; review access controls on model endpoints and training environments.
  • Non-compliance with data centre localisation guidance. Likelihood: medium. Impact: medium. Priority action: map data storage locations; confirm transfer mechanisms (SCCs) are in place and supplemented where necessary.

If the Garante opens a formal investigation, a rapid-response protocol should already be in place. At a minimum, designate a lead contact (typically the DPO supported by external Italian data protection lawyers), prepare template responses for standard information requests, and ensure that board-level reporting mechanisms can be activated within 48 hours.

5. Practical Compliance Checklist for In-House Teams and Vendors

Theory matters, but compliance officers and DPOs need a step-by-step framework they can execute against. The checklist below synthesises the obligations arising from the GDPR, Law No. 132/2025 and the EDPB guidelines 2026 into a single actionable sequence.

DPIA Update Checklist

  1. Inventory all AI-enabled processing activities. Include pilot projects, beta products and third-party AI tools embedded in existing platforms.
  2. Classify each system by risk level. Apply both the EU AI Act Annex III criteria and any additional categories designated under Law No. 132/2025.
  3. For high-risk systems, prepare or update the integrated DPIA/FRIA document. Include sections on: necessity and proportionality; data minimisation measures; bias and fairness testing; fundamental rights impact; technical and organisational security measures; data subject rights facilitation; and residual risk acceptance rationale.
  4. Consult the DPO formally. Under Article 35(2) GDPR, the controller must seek the advice of the DPO, where one has been designated, when carrying out a DPIA. Document the consultation and the DPO’s recommendations.
  5. Set a review trigger. Establish that DPIAs for AI systems will be reviewed at least annually, or whenever the model is retrained, the input dataset changes materially, or a new use case is added.
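The trigger test in section 2 and the DPIA update checklist above describe one procedure: decide which assessments each AI-enabled processing activity needs, then check whether the existing assessment is missing, older than the review period, or predates a retrain, a material dataset change or a new use case. The script below is an added example that automates that procedure over a ROPA-style inventory; it is not code from the article, from Law No. 132/2025 or from any regulator. The record fields, the 365-day default review period and the sample inventory are assumptions constructed for illustration, and the legal judgements captured in the boolean fields (Annex III classification, enhanced-oversight designation, the Article 35 threshold) still have to be made by a person.

```python
"""
Assessment-trigger and review-date checker for an inventory of AI-enabled
processing activities. Added example, not from the original article or any
regulator; record field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class AiProcessingRecord:
    """One ROPA-style entry for an AI-enabled processing activity (assumed shape)."""
    name: str
    is_ai_system: bool                 # meets the EU AI Act definition of an AI system
    annex_iii_high_risk: bool          # falls in an Annex III high-risk category
    enhanced_oversight_it: bool        # designated enhanced-oversight under Law No. 132/2025
    processes_personal_data: bool
    on_garante_dpia_list: bool         # matches the Garante's published DPIA-required list
    likely_high_risk_to_persons: bool  # controller's own Art. 35(1) GDPR threshold judgement
    last_dpia: Optional[date] = None
    last_fria: Optional[date] = None
    last_retrain: Optional[date] = None
    last_material_data_change: Optional[date] = None
    last_new_use_case: Optional[date] = None


def required_assessments(rec: AiProcessingRecord) -> frozenset:
    """Apply the trigger test: which of DPIA / FRIA the record requires."""
    if not rec.is_ai_system:
        return frozenset()  # outside the AI Act; ordinary GDPR analysis only
    needed = set()
    fria = rec.annex_iii_high_risk or rec.enhanced_oversight_it
    if fria:
        needed.add("FRIA")
    if rec.processes_personal_data and (
        fria or rec.on_garante_dpia_list or rec.likely_high_risk_to_persons
    ):
        # High-risk AI on personal data needs both; otherwise the Art. 35 test decides.
        needed.add("DPIA")
    return frozenset(needed)


def review_reasons(rec: AiProcessingRecord, today: date, max_age_days: int = 365) -> dict:
    """Return {assessment: reason} for every required assessment that is missing or stale."""
    reasons = {}
    change_events = {
        "model retrained": rec.last_retrain,
        "input dataset changed materially": rec.last_material_data_change,
        "new use case added": rec.last_new_use_case,
    }
    for kind in sorted(required_assessments(rec)):
        done = rec.last_dpia if kind == "DPIA" else rec.last_fria
        if done is None:
            reasons[kind] = "never performed"
            continue
        if today - done > timedelta(days=max_age_days):
            reasons[kind] = f"older than {max_age_days} days"
            continue
        stale = [label for label, when in change_events.items() if when and when > done]
        if stale:
            reasons[kind] = "; ".join(stale) + " since last assessment"
    return reasons


def overdue_report(records, today: date) -> dict:
    """Map each activity name to its overdue reasons, omitting activities that are current."""
    report = {}
    for rec in records:
        reasons = review_reasons(rec, today)
        if reasons:
            report[rec.name] = reasons
    return report


# Constructed sample inventory (illustrative only, not real processing activities).
TODAY = date(2026, 5, 1)
SAMPLE_INVENTORY = [
    AiProcessingRecord("cv-screening", True, True, True, True, True, True,
                       last_dpia=date(2025, 6, 1), last_fria=None,
                       last_retrain=date(2026, 2, 10)),
    AiProcessingRecord("fraud-scoring", True, False, True, True, False, True,
                       last_dpia=date(2024, 12, 1), last_fria=date(2025, 1, 15)),
    AiProcessingRecord("support-chatbot", True, False, False, True, False, True,
                       last_dpia=date(2026, 1, 20), last_new_use_case=date(2026, 3, 5)),
    AiProcessingRecord("log-anomaly-model", True, False, False, False, False, False),
    AiProcessingRecord("rule-based-lookup", False, False, False, True, True, True),
]

if __name__ == "__main__":
    for name, reasons in overdue_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {reasons}")
```

Running the script lists only the activities that need attention: the CV-screening tool needs a FRIA it never had and a DPIA refresh because the model was retrained after the last assessment, the fraud-scoring tool has both assessments older than a year, and the chatbot needs a DPIA review because a new use case was added. The anomaly model processes no personal data and the rule-based lookup is not an AI system, so neither appears. Treat the output as a work queue for the DPO, not as the assessment itself.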

Vendor Contract Minimum Clauses

Organisations procuring AI systems or SaaS tools that process personal data on their behalf must ensure data processing agreements (also abbreviated DPAs; not to be confused with the supervisory authority) meet GDPR Article 28 requirements and reflect AI-specific risks. The following clause elements should be present in every vendor contract:

  • AI-specific processing description. The DPA must describe the AI processing in sufficient detail: model type, input data categories, output data categories, retention of inference data, and any model-training conducted on controller data.
  • Sub-processor transparency. Require the vendor to disclose all sub-processors involved in AI model hosting, inference and training, with notice periods for changes.
  • Audit rights. Include rights to audit AI governance and DPIAs, not just standard security audits, covering bias testing results, model performance logs and FRIA documentation where applicable.
  • Data localisation and transfer clauses. Specify where personal data will be stored and processed; incorporate Standard Contractual Clauses (SCCs) where transfers outside the EEA occur; and require vendor cooperation on Transfer Impact Assessments (TIAs).
  • Incident response. Define AI-specific incident categories (model compromise, training data poisoning, unintended bias in outputs) alongside standard personal data breach notification obligations.
  • Termination and data return. Address what happens to controller data embedded in trained models upon contract termination, including deletion certification and technical limitations on model “unlearning.”

Data Transfer Quick-Start

For organisations transferring personal data from Italy to jurisdictions outside the EEA, the core framework remains the GDPR’s Chapter V provisions. However, EDPB guidance and Italian practice add layers of complexity:

  1. Confirm whether the destination country has an EU adequacy decision. If yes, no additional safeguards are required (but monitor for adequacy decision reviews).
  2. If no adequacy decision exists, implement SCCs (the current EU Commission-approved module sets) and conduct a TIA supplemented by any Garante-specific guidance.
  3. For transfers to the United States, verify whether the EU–US Data Privacy Framework (DPF) applies to the specific recipient and monitor for ongoing judicial challenges to the DPF.
  4. Document all transfers in ROPA and ensure the DPIA addresses cross-border data flows as a specific risk factor.

6. Data Transfers, Data Centre Rules and Cross-Border Operations from Italy

International data transfers from Italy remain one of the most operationally complex areas of GDPR compliance 2026. The legal framework is EU-wide, but Italian data protection lawyers must navigate national enforcement practice and emerging data-infrastructure rules that add a distinctly Italian dimension.

Transfers Checklist

  • Map all data flows. Identify every instance where personal data leaves Italian/EEA territory, including through cloud services, remote access by non-EEA support teams, and backup replication to non-EEA data centres.
  • Verify transfer mechanisms. For each non-EEA transfer, confirm the applicable mechanism: adequacy decision, SCCs (with supplementary measures if required by TIA), binding corporate rules (BCRs), or a GDPR Article 49 derogation.
  • Supplement SCCs where necessary. The Garante has consistently aligned with EDPB guidance that SCCs alone may not be sufficient for transfers to jurisdictions with invasive government surveillance regimes. Conduct a TIA and implement technical supplementary measures (encryption, pseudonymisation, access controls) where required.
  • Monitor adequacy decisions. The EU–US DPF and other adequacy decisions are subject to periodic review and potential judicial challenge. Build contractual fallback clauses that allow a rapid switch to SCCs if an adequacy decision is invalidated.

Data Centre Compliance and Regulatory Flags

Data centre regulation in Italy is a developing area. While Italy does not impose a blanket data localisation requirement for private-sector personal data, certain sectoral rules (financial services, public administration, healthcare) require or strongly encourage data storage within Italian or EEA territory. Law No. 132/2025 reinforces this trend by linking data infrastructure decisions to the FRIA for high-risk AI systems: if an AI system relies on data processed or stored in a jurisdiction with weaker fundamental rights protections, that fact must be considered in the FRIA risk assessment.

For cloud providers and hosting companies, the likely practical effect will be increased demand from Italian clients for contractual guarantees of EEA-located processing, transparency on the physical location of inference servers, and cooperation on regulatory audits. Organisations should proactively review their cloud service agreements and obtain written confirmations of data residency from all material vendors.

7. Enforcement Outcomes, Sanctions and Remediation

Non-compliance with Italy’s data protection rules in 2026 carries consequences that extend well beyond regulatory fines. Understanding the full spectrum of risk helps boards make informed resourcing decisions.

The Sanctions Toolkit

  • Administrative fines. Under the GDPR, fines can reach €20 million or 4% of global annual turnover, whichever is higher. The Garante has demonstrated willingness to impose multi-million euro fines, particularly in cases involving systemic transparency failures or large-scale processing without a valid lawful basis.
  • Corrective orders. The Garante can order controllers to cease processing, restrict processing, or bring processing into compliance within a specified deadline. Provisional bans, as demonstrated in the ChatGPT case, can halt an entire product line overnight.
  • Mandated publicity. Italian law permits the Garante to require publication of enforcement decisions, amplifying reputational damage.
  • Civil liability. Under Articles 79 and 82 GDPR, data subjects can bring claims for material and non-material damages. Class-action mechanisms under Italian procedural law are expanding, and consumer organisations have shown increasing appetite for collective actions related to AI-driven processing.
  • Contractual cascading. Non-compliance can trigger termination or indemnity clauses in commercial contracts, particularly where clients require ongoing regulatory compliance as a condition of engagement.

Typical Remedial Timeline

  1. Week 1. Upon receipt of a Garante information request or corrective order: activate the rapid-response protocol, notify the DPO and external counsel, and prepare an initial response.
  2. Weeks 2–4. Conduct an internal gap analysis against the specific issues raised. Prepare a detailed written submission addressing each allegation or concern.
  3. Months 2–3. Implement agreed remedial measures (notice updates, DPIA revisions, technical changes). Document all actions taken and their completion dates.
  4. Month 4 onward. If challenging the decision: file an administrative appeal or court application within the applicable deadline. If accepting: confirm compliance to the Garante and request closure of the investigation.

8. How Data Protection Lawyers in Italy Help: Services, Deliverables and Fee Models

The intersection of the Italian AI Act, GDPR enforcement and EDPB coordinated reviews creates a compliance environment where general counsel increasingly need specialist external support. Italian data protection lawyers deliver value across several core service lines.

Core Engagement Scope

  • DPIA and FRIA preparation. Drafting integrated impact assessments for high-risk AI systems, including bias analysis frameworks and fundamental rights mapping.
  • Contract drafting and negotiation. AI-specific DPAs, SCC implementation, vendor audit clauses and data localisation guarantees.
  • Regulatory defence. Responding to Garante information requests, corrective orders and provisional bans; preparing administrative appeals; representing clients before Italian courts.
  • Training and awareness programmes. Board-level AI governance briefings, DPO training on FRIA methodology, and compliance team workshops on EDPB guidelines 2026.
  • M&A data protection due diligence. Privacy risk assessments for targets deploying AI, including valuation of regulatory exposure and remediation cost modelling.
  • Ongoing retainer and compliance monitoring. Periodic compliance audits, regulatory tracking and horizon scanning for legislative changes affecting AI governance and DPIAs in Italy.

Fee models typically include fixed-fee project scoping for defined deliverables (DPIA packages, contract suites), hourly rates for regulatory defence work, and monthly retainers for ongoing advisory and monitoring mandates. Organisations should discuss fee structures upfront and agree on clear deliverables and timelines before engagement.

Conclusion

The regulatory environment facing organisations that process personal data in Italy has never been more complex or more actively enforced. The convergence of Law No. 132/2025, the EDPB’s coordinated enforcement actions and the Garante’s expanding focus on AI creates a compliance burden that DPOs and in-house teams cannot shoulder alone. For any organisation deploying AI systems, handling significant volumes of personal data, or transferring data out of the EEA, engaging experienced data protection lawyers in Italy is not a discretionary expense; it is a risk management imperative. The checklists, timelines and risk matrices in this guide provide a starting point, but every organisation’s compliance position is different.

A qualified Italian data protection lawyer can turn these frameworks into a tailored, defensible compliance programme calibrated to the specific risks of 2026 and beyond.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.

Sources

  1. European Data Protection Board (EDPB), Plenary Meetings 2026
  2. EDPB–EDPS Joint Opinion 1/2026 on AI & GDPR Harmonisation
  3. Garante per la Protezione dei Dati Personali, OpenAI/ChatGPT Measures
  4. Law No. 132/2025 (Italian AI Act), Summary and Registry
  5. EDPB, GDPR Enforcement Reports and Documents

FAQs

How does the Italian AI Act affect GDPR obligations for controllers in 2026?
Law No. 132/2025 adds national AI-specific obligations on top of existing GDPR requirements. Controllers deploying high-risk AI must conduct a DPIA (under GDPR Article 35) and, where the EU AI Act’s Article 27 categories or the national triggers apply, a Fundamental Rights Impact Assessment as well. Transparency duties are cumulative: AI Act disclosures supplement, rather than replace, GDPR information notices.

What are the Garante’s enforcement priorities in 2026?
The Garante’s priorities align with the EDPB’s coordinated enforcement themes: transparency in AI-driven processing, the validity of lawful bases for training data collection, adequacy of DPIAs for AI systems, data minimisation and security. Enforcement actions related to generative AI remain a high-profile focus area.

Do organisations need to update privacy notices and DPIAs because of the EDPB guidelines 2026?
Yes. The EDPB’s 2026 outputs require organisations to disclose AI involvement in processing more specifically than before, update DPIAs to include AI-specific risk factors (bias, opacity, disproportionate impact) and integrate FRIA findings where high-risk AI is involved.

What sanctions apply for non-compliance in Italy?
Sanctions include GDPR administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, Garante corrective orders (including processing bans), mandated publication of decisions, civil damages claims by data subjects and contractual liability cascading through commercial agreements.

Does Italy have its own data protection law in addition to the GDPR?
Yes. Italy is an EU Member State and the GDPR applies directly. Italy also adopted Legislative Decree No. 196/2003 (the Personal Data Protection Code), as amended by Legislative Decree No. 101/2018, to align national law with GDPR requirements. The Garante enforces both instruments.

When should an organisation run a DPIA, a FRIA or both?
Run a DPIA when the AI system processes personal data in a way that is likely to result in high risk to individuals. Run a FRIA when the AI system is classified as high-risk under the EU AI Act or Law No. 132/2025 and the FRIA obligation applies to the deployer. Where both conditions are met, which is common, run both assessments, ideally as an integrated document with separate analytical sections.
