Home

Internal

Global

Contact

de|en|it

Five new Associate Partners for Rödl & Partner Italy |

Worldwide

We use cookies to personalise the website and offer you the greatest added value. They are, among other purposes, used to analyse visitor usage in order to improve the website for you. By using this website, you agree to their use. Further information can be found in our data privacy statement.

Privacy inspections in 2025: what's new and what's firm

published on 24 February 2025 | reading time approx. 3 minutes

On December 19, 2024, the Italian Data Protection Authority (the "Garante") announced its inspection plan for the period from January to June 2025. The plan includes at least 40 inspections (five more than the previous year) which will also be carried out by the Special Data Protection and Technological Fraud Unit of the Guardia di Finanza. The Garante retains the authority to conduct additional inspections ex officio or in response to reports and complaints. Furthermore, the monthly update to the College on the progress of inspections will continue, allowing for an assessment of their effectiveness.

New areas of focus in the Garante's inspection plan include:

data breaches that have affected public databases of particular importance and sensitivity in recent months;
statistics, with a focus on specific projects within the National Strategic Plan that involve the use of big data and aggregated data;
the use of biometric data for admission to driving license examinations;
e-mail marketing services;
data processing by companies operating call centers.

Regarding the first point, ensuring data security has become a top priority, particularly in light of recent data breaches in critical sectors. With cyberattacks on highly sensitive databases becoming more frequent, the Garante has introduced an interdepartmental task force. The focus will be on the technical security measures implemented by banking institutions to combat data theft and enhance protection.

Moving forward, the Garante will verify that statistical data used in specific projects is genuinely aggregated and not artificially generated data mimicking real-world information. If personal data is involved, it must comply with GDPR regulations.

With regard to biometric data, particular attention will be paid to how the Driver and Vehicle Licensing Agency processes such information. The aim is to ensure that the collection and handling of biometric data comply fully with privacy regulations.

Regarding e-mail marketing services, the Garante will assess the lawfulness of acquiring and using mailing lists and databases. This targeted investigation focuses on companies that send personalized messages to groups of recipients (whether existing or potential customers) for purposes such as information dissemination, customer loyalty building, or sales promotion.

The 2025 plan also reconfirms several control activities from the 2024 inspection plan, including:

Surveillance systems with remote audio/video functionality;
The unauthorized activation of contracts in the energy sector;
Data processing in educational institutions through electronic registers;
Compliance with the Guidelines on Cookies and Tracking Tools issued on June 10, 2021.

In particular, the activation of energy sector contracts without the explicit consent of the data subject constitutes unlawful processing of personal data. Educational institutions must also ensure compliance when processing data through electronic registers, as this involves handling personal, and in some cases, sensitive financial data related to students and families.

Lastly, organizations using cookies and tracking tools must align with the 2021 Guidelines by standardizing and updating their privacy policies, banners, and granular consent mechanisms.

The Garante's 2025 inspection plan represents a significant step toward strengthening personal data protection. It places a targeted focus on key risk areas and increases enforcement efforts to address emerging digital challenges. Organizations must prepare accordingly, conducting internal audits and simulations—particularly on the critical processes identified by the Garante—with the support of their Data Protection Officers (DPOs).