Garante per la protezione dei dati personali (Italy)

From GDPRhub
Garante per la protezione dei dati personali
Name: Garante per la protezione dei dati personali
Abbreviation : Garante
Jurisdiction: Italy
Head: Pasquale Stanzione
Deputy: n/a
Adress: Piazza Venezia 11

00187 Rome, Italy

Email: (Public relations) (official submissions)
Phone: +39 06 69677 1
Twitter: n/a
Procedural Law: n/a
Decision Database: n/a
Translated Decisions: Category:Garante per la protezione dei dati personali (Italy)
Head Count: 170 (Jan 2019)[1]
Budget: € 39,362,273.00 (2019)[2]

The Italian Data Protection Authority (Garante per la protezione dei dati personali) resides in Rome and is in charge of enforcing GDPR and Directive 2002/58/CE (e-Privacy Directive) in Italy.


The Garante is a collegiate body of four members who are elected by Parliament for a seven-year term. The authority has an office in Rome with a staff currently numbering about 125 people.

The Panel of the Italian DPA is currently composed of Pasquale Stanzione (President), Ginevra Cerrina Feroni (Vice-President), Agostino Ghiglia (Member) and Guido Scorza (Member). Fabio Mattei is currently Secretary General to the DPA.

The current Panel had been elected by the Italian Parliament on the 14 July 2020.

Procedural Information

Applicable Procedural Law

The Garante operates under the GDPR and the national Data Protection Act ("Codice per la protezione dei dati personali" or "Codice]").

For those aspects which are not regulated directly by the GDPR, or the Codice, the Garante adopts its own administrative regulations published in the Official Gazette of the Italian Republic (see, Articles 142 and 156(3)(a) of the Codice). On 4 April 2019 the DPA adopted two different administrative regulations.

The Regolamento n. 1/2019 ("Regolamento concernente le procedure interne aventi rilevanza esterna, finalizzate allo svolgimento dei compiti e all’esercizio dei poteri demandati al Garante per la protezione dei dati personali") regulates the procedure before the Garante. For example, Article 3 reiterates the general principles of fairness and transparency of the proceeding before the DPA. Article 12 ensures a right of the parties to access documents and file submissions.

The Regolamento n. 2/2019 ("Regolamento n. 2/2019, concernente l'individuazione dei termini e delle unità organizzative responsabili dei procedimenti amministrativi presso il Garante per la protezione dei dati personali") provides for specific time-limits with regard to the different types of proceedings the DPA is competent for. Particularly important are Tabella A and B attached to the Regolamento.

Complaints Procedure under Art 77 GDPR

Under Article 142 of the Code, all complaints shall provide an indication of the facts and circumstances on which it is based, the provisions that are assumed to have been violated and the corrective measures requested, as well as the identification of the data controller or data processor, where known. If possible, the complaint shall contain attached documents relevant to its assessment and shall indicate an address for sending communications, including by e-mail, fax or telephone.

The complaint shall be signed by the data subject or, on his or her behalf, by a third sector body which has been constituted in compliance with D.Lgs. 117/17.

In general terms, the Garante shall decide the matter within 9 months upon receipt of the complaint. During the proceeding, the DPA shall inform the data subject on the progress. If the investigation is particularly complex the term can be extended up to 12 months. However, in this case, the Garante must motivate the complexity and communicate it to the data subjects . In case of cooperation procedure, such terms are suspended until the procedure is completed (for reference, see Article 143 of the Code).

However, detailed time-limits can be found in Regolamento n. 2/2019 cited above.

Ex Officio Procedures under Art 57 GDPR

Under Article 154 of the Code, the Garante can run ex officio procedures out of its own motion.


Appeals against decisions by the Italian Garante can be taken by the parties concerned before the civil court (Article 152 of the Code, which makes a reference to Article 10, D.lgs. 150/11).

Practical Information

For most data protection claims against a controller and for complaints to the Garante standard forms (in Italian) are provided at

The Garante's decisions are accessible on in its website (in Italian). Most important decisions are also available in English (

Filing with the DPA

Using the official links below data subjects can:

Known Problems

You can help us by filling in this section!

Filing an Appeal

You can help us by filling in this section!

Decision Database

You can help us by filling in this section!



You can help us by filling in this section!


You can help us by filling in this section!


You can help us by filling in this section!


You can help us by filling in this section!

Annual Reports

Official page with Annual DPA reports in English and Italian (dating back to 2002 only)

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB