PROFILE
Mandate and constitution
The Garante per la Protezione dei Dati Personali was established by the Codice della Privacy (Legislative Decree 196/2003) and operates under that statute as amended by Legislative Decree 101/2018 to give effect to the GDPR. The Garante is an independent administrative authority headquartered in Rome, with statutory independence from the executive branch and reporting obligations to the Italian Parliament.
Governance is collegial: a four-member College, of which one acts as President, adopts decisions and sanctions. Members are appointed by Parliament for a seven-year non-renewable term, with the Chamber of Deputies and the Senate each appointing two members. The collegial structure means major decisions reflect consensus among the four College members rather than a single Commissioner's discretion, which has been credited with the Garante's willingness to take aggressive provisional measures on novel issues like generative AI.
Fining philosophy
The Garante's defining characteristic is its willingness to act first on emerging technology areas. It was the first EU DPA to take formal action against a generative-AI provider (ChatGPT, March 2023) and the first to ban a generative-AI chatbot for absence of age verification (Replika, February 2023), and it issued the first of the parallel EU Clearview decisions (February 2022). The Garante uses provisional measures under Article 58(2)(f) GDPR (temporary processing suspensions) more readily than most other DPAs, on the rationale that urgent measures are appropriate where ongoing processing presents fundamental-rights risks that cannot wait for a full investigation.
Fine sizes are typically in the low-millions range, with the €20M Clearview fine and the €15M OpenAI fine as the high-end outliers. The Garante's jurisprudence emphasises specific corrective orders (cease processing, delete data, implement specific controls) alongside fines, on the view that the corrective action is the operationally important outcome.
The ChatGPT case in detail
On 30 March 2023, the Garante adopted Provvedimento 9870832, an urgent provisional measure under Article 58(2)(f) GDPR ordering OpenAI L.L.C. to suspend processing of personal data of users in Italy on the ChatGPT service. The measure cited four substantive concerns. First, the absence of an age-verification mechanism notwithstanding ChatGPT's terms requiring users to be 13 or older. Second, the absence of a documented lawful basis under Article 6 for processing personal data in the training corpus, particularly where the corpus included personal data of European individuals scraped from publicly accessible sources. Third, the absence of adequate transparency to data subjects under Articles 13 and 14, particularly for individuals whose data appeared in training without their knowledge. Fourth, the absence of any mechanism for data subjects to exercise their Article 15-22 rights in relation to model outputs referencing them.
OpenAI restored service on 28 April 2023 after implementing requested remediations: an age-verification step in the signup flow, an expanded privacy notice describing the use of personal data in training, a contact form for data-subject requests, and a public-facing description of the lawful basis claimed for training processing (legitimate interests under Article 6(1)(f), with documented balancing). The formal investigation continued throughout 2023 and 2024, and on 20 December 2024 the Garante adopted Provvedimento 9978020 imposing a €15 million fine on OpenAI for the original substantive infringements plus a separate procedural sanction for failure to notify a data breach (involving exposure of payment information for a small percentage of ChatGPT Plus subscribers in March 2023).
Other notable decisions
Replika (Provvedimento 9852214, February 2023): the Garante ordered Luka Inc to cease processing personal data of Italian users on the Replika chatbot service, citing the absence of age verification, the absence of a lawful basis for child processing, the inadequacy of the privacy notice, and the affective-companion design that posed risks to minors. The decision was the first EU DPA action against a consumer-facing generative-AI chatbot.
Clearview AI (Provvedimento 9751362, February 2022): the Garante imposed a €20 million fine on Clearview AI Inc, ordered deletion of data relating to Italian residents, prohibited further processing of biometric data of Italian residents, and required the designation of an EU representative under Article 27. The decision applied Article 3 extraterritoriality to a US-only company on the basis that scraping and indexing facial images of Italian residents constitutes monitoring of behaviour within the EU.
Other significant Garante decisions include Enel Energia (€26.5M, 2022) for telemarketing-related infringements; Tim S.p.A. (€27.8M, 2020) for telemarketing and consent failures; Foodinho (€2.6M, 2021) for algorithmic management of delivery riders without adequate transparency or worker-rights protections; and a sequence of decisions on health-data processing in the Italian regional health systems addressing security and lawful-basis questions.
AI Act intersection
With the entry into force of the EU AI Act (Regulation (EU) 2024/1689) in 2024 and phased application through 2027, the Garante's AI specialism positions it as a likely national competent authority for AI Act enforcement in Italy. The Garante has issued public guidance on the AI Act × GDPR intersection, addressing how Article 25 by-design obligations interact with the high-risk-AI requirements of the AI Act, and how the prohibition on certain AI practices (Article 5 AI Act) overlaps with existing Article 9 GDPR prohibitions on biometric processing.