Knowing how to respond to a Garante investigation in Italy is now a frontline compliance priority for every company that processes the personal data of individuals located in the country. The Garante per la protezione dei dati personali, Italy’s independent data protection authority, has intensified its enforcement activity throughout early 2026, issuing a series of provvedimenti and publishing a detailed inspection plan for the first half of the year that targets data breaches, whistleblowing systems, telemarketing, and the use of artificial intelligence in schools.
This guide sets out the complete, time-bound procedure a company should follow from the moment it receives a Garante notice through to a final decision and any appeal, covering the documents needed, the deadlines that apply, the costs to budget for, and the procedural changes that make the 2026 investigation timeline materially faster than in previous years.
The Garante is committed to ensuring that personal data are processed as required by law and that the rights of individuals are respected in both the public and private sectors. Its investigative powers derive from Article 58 of the GDPR and the Italian Privacy Code (d.lgs. 196/2003, as amended by Legislative Decree 101/2018). Under these provisions, the Garante may conduct investigations on its own initiative (systemic audits), in response to a complaint (reclamo) or report (segnalazione) from an individual, following a data breach notification under Article 33 GDPR, or as part of a thematic inspection plan.
Investigations can take several forms: a written request for information sent via PEC (posta elettronica certificata, Italy’s certified email system), a formal notice opening an investigation proceeding, or an on-site inspection conducted by Garante officials, often supported by the Guardia di Finanza under a long-standing cooperation protocol. The procedure applies to any data controller or data processor within the Garante’s jurisdiction, including foreign organisations that process data relating to individuals in Italy or that target goods or services to the Italian market.
The Garante investigation procedure applies to your business if it is established in Italy or if it processes personal data of individuals located in Italy in connection with offering goods or services, or monitoring behaviour that takes place in Italy. This jurisdictional reach mirrors Article 3 of the GDPR. A company without an establishment in Italy that falls within scope must designate a representative in the EU under Article 27 GDPR and ensure it has a local contact point capable of receiving and responding to Garante communications.
Before any substantive response is prepared, three internal prerequisites must be in place. First, the Data Protection Officer (if appointed) must be notified immediately. Second, the legal function, whether in-house or external counsel, must conduct a rapid intake assessment of the notice. Third, IT must receive a formal preservation order instructing them to freeze automated deletion schedules and to snapshot all relevant systems and logs. These steps create the evidentiary foundation for every action that follows.
The following sequence applies regardless of whether the Garante’s initial contact is a written information request, a notice of investigation, or an on-site inspection order. Each step assigns responsibility to a specific function and provides the typical duration that companies should plan for in 2026.
| Step | Who Does It | Typical Duration |
|---|---|---|
| Receive notice / preserve evidence | DPO, IT, Legal | Immediate, 0–24 hours |
| Legal intake & scope clarification | Legal + DPO | 24–72 hours |
| Request clarification / extension (if necessary) | Outside counsel / Legal | 1–3 days to send request |
| Collect & index documents | Records owners, IT, DPO | 3–14 days (depends on scope) |
| Produce documents / deliver to Garante | Legal / Compliance | Typically within notice deadline (varies) |
| On-site inspection (if scheduled) | Compliance + legal counsel present | 1–3 days (on-site) |
| Respond to follow-up requests / submit remediation | Legal + IT + Ops | 7–30 days (varies) |
| Garante decision / sanction notice | Garante | 1–6 months (varies by complexity) |
| Appeal to TAR (Regional Administrative Court) | External counsel | 60 days from notification of the decision |
Activate your incident response protocol the moment a Garante notice is received. Preserve all logs, access records, and system snapshots relevant to the scope of the investigation. Issue a written preservation order to IT instructing that automated deletion policies be suspended for all data potentially in scope. Record the chain of custody for every piece of evidence from this point forward. Acknowledge receipt of the Garante’s communication, ideally via PEC within 24 hours, confirming that the matter is being reviewed internally. This immediate response to the data protection authority demonstrates cooperation, which is a factor the Garante considers when determining sanctions.
Within 72 hours, the legal team, supported by the DPO, must complete a structured triage of the Garante’s notice. Identify the specific processing activities, time periods, and categories of data referenced. Determine whether the notice relates to a complaint, a systemic audit under the H1 2026 inspection plan, a data breach follow-up, or a thematic investigation. Assess whether the deadline stated in the notice is achievable; if not, prepare a reasoned request for an extension and submit it via PEC.
A sample opening line for such a request might read: “With reference to your request dated [date], reference [number], we write to confirm receipt and to respectfully request an extension of [number] working days in order to compile the documentation specified, given the volume of records involved.” Engage external counsel immediately if the matter involves potential fines, cross-border processing, or on-site inspection.
Map each item in the Garante’s request to an internal document owner. Prepare a production index, a numbered list of every document to be submitted, with a brief description, date, and source. The Garante typically expects formal correspondence to be delivered via PEC; larger document sets may be transferred via secure encrypted file-sharing platforms, provided the Garante is notified in advance and agrees to the method. Every document should be reviewed for privileged material before production. If any item is subject to legal professional privilege, it should be withheld with a privilege log submitted in its place, explaining the basis for the claim. Redact personal data of third parties that are not relevant to the investigation scope.
If the Garante orders an on-site inspection, which in 2026 may be conducted jointly with officers of the Guardia di Finanza, the company must follow a strict protocol. Designate an internal reception team comprising the DPO, a senior legal representative, and an IT lead. Verify the identity and authorisation credentials of all inspectors upon arrival. Escort inspectors at all times; do not allow unaccompanied access to systems or premises. Inspectors may request copies of documents, system demonstrations, and interviews with relevant personnel. Record every document copied or accessed by the inspection team. If inspectors request access to privileged material, assert privilege verbally and in writing on the spot, and request that the material be sealed pending resolution.
External counsel should be physically present throughout the DPA inspection in Italy wherever possible.
Following the initial production or inspection, the Garante may issue further requests or invite the company to submit observations. This is the critical window for presenting remediation evidence. Document every corrective measure already taken (software patches, policy updates, staff training, revised consent mechanisms), with implementation dates and supporting evidence. A well-prepared remediation plan that shows prompt, genuine corrective action is one of the most effective tools for reducing the risk and quantum of any subsequent fine. The Garante investigation procedure explicitly allows the authority to consider cooperation and remediation when deciding on corrective measures under Article 83(2) GDPR.
Depending on the complexity and seriousness of the matter, the Garante may schedule a formal hearing, request further written representations, or proceed directly to a decision. During this phase, submit technical evidence (expert reports, independent audit findings, benchmarking data) that supports the adequacy of your data protection framework. Where appropriate, propose specific undertakings or commitments that the Garante can incorporate into a binding order, which may result in a reduced sanction or the avoidance of a fine altogether.
The Garante’s decision (provvedimento) will be formally notified and published on its docweb register. It may impose corrective measures (orders to cease processing, to rectify or erase data, to bring processing into compliance), administrative fines, or warnings. The sanctions appeal process runs through the TAR (Tribunale Amministrativo Regionale), the Regional Administrative Court, with a subsequent appeal to the Consiglio di Stato. The deadline for filing an appeal before the TAR is typically 60 days from notification of the decision. Deciding whether to appeal or accept the decision requires a careful analysis of the legal merits, the financial exposure, and the reputational implications. Industry observers expect that 2026’s higher-profile enforcement decisions will generate a larger volume of appeals than previous years.
The following table lists the documents most commonly requested by the Garante during an investigation. Companies should maintain these records in an accessible, indexed format so that production can begin within days of receiving a notice.
| Document | Notes |
|---|---|
| Data processing register (Art. 30 GDPR) | Export as CSV or PDF. The DPO or Compliance function should certify its accuracy. Provide only the sections relevant to the investigation scope. |
| Data breach incident report / chronology | Internal incident report with a detailed timeline and supporting forensic logs, signed by the IT lead and DPO. |
| Data protection impact assessment (DPIA) | If applicable to the processing under investigation. Provide an executive summary initially; the full DPIA on request. |
| Subject access request / complaint records | Copies of all SARs, complaint correspondence, and records of the remediation steps taken. |
| Contracts and data processing agreements (DPAs) | Agreements with processors and sub-processors. Redact purely commercial terms where they are not relevant to the data protection issues. |
| Policies and procedures | Privacy policy, data retention schedules, access control policies, and internal data handling procedures. |
| IT logs and system snapshots | Forensic exports with hash values to prove integrity. Maintain full chain-of-custody documentation. |
| Employee communications (where relevant) | HR records, internal privacy policies communicated to staff, and consent forms. Redact personal information not relevant to the investigation. |
| Whistleblowing reports (if implicated) | Provide a non-identifying summary unless the Garante specifically requests the identity of the reporter. |
| Evidence of remediation actions | Patch notes, updated policies, training records with attendance logs, and precise implementation dates. |
All formal correspondence with the Garante should be transmitted via PEC. Where document volumes are large, agree with the Garante in advance on the use of a secure encrypted file-transfer platform. Whenever privileged communications are among the documents in scope, assert privilege formally in writing and prepare a privilege log that identifies each withheld document by date, author, recipient, and the basis of the privilege claim.
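As an added illustration, not code from the original article or its authors, the following Python script implements the production index, hash-verified forensic exports, privilege log and chain-of-custody trail described above: it numbers each document, records a SHA-256 hash and a custody event for everything produced, lists withheld items in a privilege log instead of hashing them, and re-checks integrity before delivery. The file names, field names and the single sample log line are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a large log export need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_production_index(items, custodian):
    """Return (index, privilege_log). Each item has path, description, date and source; a
    withheld item adds privileged=True plus author/recipient/basis and is never hashed."""
    index, privilege_log = [], []
    for no, it in enumerate(items, start=1):
        entry = {"no": no, "description": it["description"], "date": it["date"], "source": it["source"]}
        if it.get("privileged"):
            entry["status"] = "withheld (see privilege log)"
            privilege_log.append({"no": no, "date": it["date"], "author": it["author"],
                                  "recipient": it["recipient"], "basis": it["basis"]})
        else:  # hash at collection time and open the chain-of-custody trail
            entry.update(status="produced", sha256=sha256_file(it["path"]), size=os.path.getsize(it["path"]),
                         custody=[{"action": "collected", "by": custodian, "at": _now()}])
        index.append(entry)
    return index, privilege_log

def record_custody(entry, action, by):
    """Append a custody event, e.g. 'attached to PEC' or 'copied by inspector'."""
    entry["custody"].append({"action": action, "by": by, "at": _now()})

def verify_before_delivery(index, items):
    """Re-hash produced files; return index numbers whose content changed since collection."""
    paths = {no: it["path"] for no, it in enumerate(items, start=1)}
    return [e["no"] for e in index
            if e["status"] == "produced" and sha256_file(paths[e["no"]]) != e["sha256"]]

def constructed_sample():
    """Constructed sample, not real evidence: one log export plus one privileged memo."""
    d = tempfile.mkdtemp()
    log_path = os.path.join(d, "auth_log_export.txt")
    with open(log_path, "wb") as f:
        f.write(b"2026-03-01T10:00:00Z login ok user=alice src=10.0.0.5\n")
    return [{"path": log_path, "date": "2026-03-16", "source": "IT / SIEM",
             "description": "Auth log export, 1-15 Mar 2026"},
            {"path": os.path.join(d, "counsel_memo.pdf"), "date": "2026-03-17", "privileged": True,
             "description": "Counsel memo on the notice", "source": "Legal", "author": "External counsel",
             "recipient": "DPO", "basis": "legal professional privilege"}]
```

Any non-empty result from `verify_before_delivery` means an export was altered after collection and the affected item must be re-collected and re-hashed rather than sent.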
There is no single statutory deadline that governs every phase of a Garante investigation; timelines vary depending on the type and complexity of the matter. However, the following table sets out the deadlines most commonly encountered and the internal service-level agreements companies should adopt to stay ahead of the process.
| Event | Garante / Statutory Deadline | Recommended Company SLA |
|---|---|---|
| Response to written information request | No uniform statutory day-limit; notice typically specifies 15–30 days | Acknowledge within 48 hours; substantive response within 7–14 days |
| On-site inspection attendance | Date specified on the notice (often short lead time) | Prepare inspection team and documents within 48 hours of notice |
| Submission of remediation plan | As requested by Garante during the investigation | Submit draft within 7 days; final version within 30 days |
| Sanction notice appeal period | Typically 60 days from notification of the decision | Engage counsel immediately on receipt; file appeal within statutory window |
| Data breach notification to Garante (Art. 33 GDPR) | Without undue delay; within 72 hours where feasible | Internal escalation and notification preparation within 72 hours |
The practical reality in 2026 is that Garante enforcement practice, shaped by the updated inspection plan and coordination with the Guardia di Finanza, has compressed the effective response windows. Companies that treat internal SLAs as their true deadlines, rather than waiting for the outer limit specified in a notice, are materially better positioned to demonstrate cooperation and avoid procedural penalties.
Responding to a Garante investigation generates both direct and indirect costs. The table below provides indicative ranges; actual figures will vary by company size, investigation scope, and the complexity of the data processing activities involved.
| Item | Typical Amount (Indicative) | Notes |
|---|---|---|
| Emergency counsel retainer | €5,000–€25,000 | Varies by firm size and urgency; larger corporate matters cost more |
| Forensic investigation (initial) | €3,000–€50,000 | Depends on the scope of logs and systems to be examined |
| Data breach notification and remediation | €1,000–€100,000+ | Notifications, call centres, credit-monitoring services, remediation measures |
| Administrative fines (GDPR / Garante) | Several thousand to several million euros | Case-dependent; the Garante imposed a €12.5 million fine on a major Italian company in April 2026 |
| Cost mitigation (technical fixes, compliance plan) | €2,000–€200,000 | Investment in remediation that can demonstrably reduce sanction likelihood and amount |
Remediation and legal costs incurred in connection with a Garante investigation are generally deductible as business expenses under Italian tax rules, though companies should confirm the specific treatment with tax counsel. Administrative fines imposed by the Garante are not deductible.
Three developments make the 2026 enforcement landscape materially different from previous years. First, the Garante published its inspection plan for the first half of 2026, identifying data breach response, whistleblowing frameworks, telemarketing practices, and the use of AI in educational settings as priority enforcement areas. Inspections under this plan are being conducted with the operational support of the Guardia di Finanza under a cooperation protocol established in 2021.
Second, the Garante issued a series of provvedimenti in early-to-mid 2026, including decisions dated 26 February, 26 March, and 17 April 2026, that signal a more assertive posture on enforcement timing and the quantum of fines. The likely practical effect is that companies should expect faster-moving investigations and larger penalties for non-cooperation or inadequate remediation.
Third, the EDPB’s Common Enforcement Framework continues to drive harmonisation of supervisory authority practices across the EU, meaning that cross-border investigations are increasingly coordinated. For companies with multi-country processing operations, a Garante investigation in 2026 may involve parallel engagement with other EU supervisory authorities. Early indications suggest this coordination is shortening overall investigation timelines while increasing the consistency and severity of outcomes.
Responding to a Garante investigation in Italy demands speed, precision, and documented cooperation at every stage. The 2026 enforcement environment, shaped by the Garante’s expanded inspection plan, higher-profile fines, and EDPB-driven cross-border coordination, leaves no margin for delay or procedural error. Companies that implement the step-by-step process set out in this playbook, maintain investigation-ready documentation, and engage experienced data protection counsel early will be best positioned to manage the investigation effectively and minimise their exposure. For tailored guidance on a specific Garante notice or inspection, find a data protection lawyer in Italy through the Global Law Experts directory.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.