The Italian legislative decree no. 101 of August 10, 2018, amending and adapting the Italian Data Protection Code (Legislative decree no. 196/2003) to the GDPR, confirmed a hybrid punitive framework based on both administrative fines and criminal penalties.

The legislative decree no. 101/2018 has indeed implemented the right, granted by article 84 of the GDPR to the all the member states, to lay down rules on other penalties—including criminal penalties— for infringements of certain data protection obligations, in addition to the strict administrative fines provided for by the GDPR. Such implementation has taken into account the ne bis in idem principle, as provided for by Recital 149 of the GDPR, according to which the imposition of criminal penalties and of administrative penalties should not lead to a breach of the principle of ne bis in idem.

Here below you can find a FAQ list concerning the main provisions on penalties provided by the new Italian Data Protection Code.

1. Which provisions of the Italian Data Protection Code entail administrative fines?

In addition to the cases provided for by the GDPR, under Article 166 of the Italian Data Protection Code, administrative fines up to €10 million or up to two percent of the total worldwide annual turnover apply to the infringements of the certain provisions of Italian Data Protection Code, including the following:

  • Failure to use clear and plain language for the purpose of obtaining valid consent for processing minors' personal data in relation to the direct offer of services of the information society;
  • Failure to adopt the measures provided for by the Italian data protection authority (Garante per la protezione dei dati personali) in relation to processing activities carried out for the performance of a task of public interest that presents high risks;
  • Failure to provide information in accordance with Articles 13 and 14 of the GDPR in relation to traffic data processed by providers of public communication networks or publicly available electronic communications services;
  • Failure to carry out a DPIA (data protection impact assessment) in the context of medical, biomedical and epidemiological research.

Higher administrative fines, up to €20 million or four percent of the total worldwide annual turnover, also apply in case of infringement of certain provisions of the Italian Data Protection Code, including the following:

  • Failure to obtain a valid consent for processing minors' personal data in relation to the direct offer of services of the information society;
  • Dissemination of biometric, genetic and health-related data;
  • Infringements of the principles set forth in relation to the processing of judicial data;
  • Unlawful processing of personal data relating to deceased persons;
  • Infringements of certain provisions in the context of electronic communications services.

2. Which are the criminal offences under the new Italian Data Protection Code?

The legislative decree no. 101/2018 addresses certain criminal offences - already set forth by the Data Protection Code or newly introduced –while at the same time "decriminalizes" certain infringements in accordance with the principles of ne bis in idem and legal certainty. In particular, Article 169, providing for criminal penalties for the infringements in connection with the security measures, has been repealed, in consideration of the fact that there are no more minimum—but only appropriate—security measures. Here below you can find a table summarizing how the framework concerning criminal penalties has changed:

IItalian Data Protection Code before the Legislative Decree No. 101/2018 Italian Data Protection Code as amended by the Lesislative Decree No. 101/2018
Article 167
Unlawful Data Processing


1. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage to others, processes personal data in breach of Articles 18, 19, 23, 123, 126 and 130 or of the provision made further to Article 129, shall be punished, if the damage is caused, with imprisonment from six to eighteen months or, if the offence consists in data communication or dissemination, with imprisonment from six to twenty-four months.
2. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage to others, processes personal data in breach of Articles 17, 20, 21, 22 par. 8 and 11, 25, 26, 27, and 45, shall be punished, if the damage is caused, with imprisonment from one to three years.
Article 167
Unlawful Data Processing


1. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage to the data subject, causes damage to the data subject by processing personal data in breach of Articles 123, 126 and 130 or of the provision made further to Article 129 shall be punished with imprisonment from six to eighteen months.


2. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage to the data subject, causes damage to the data subject by processing special categories of personal data [editor's note: that provided by articles 9 and 10 of the GDPR; i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data or personal data related to criminal convictions and offences or related security measures] in breach of Articles 2-sexies, 2-septies, 2-octies and 2-quinquiesdecies of the Italian Data Protection Code, shall be punished with imprisonment from one to three years.

3.Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage to the data subject, causes damage to the data subject by transferring personal data to a third country or an international organization in breach of Articles 45, 46 or 49 of the GDPR shall be punished with imprisonment from one to three years.
[editor's note: the others paragraphs refer to the procedural aspects]
Article 167 bis
This article did not exist
Article 167 bis
Unlawful communication and dissemination of personal data being processed on a large scale


1. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage, communicate or disseminate a database (or a consistent part of it) containing personal data processed on a large scale, in breach of Articles 2-ter, 2-sexies and 2-octies of the Italian Personal Data Protection Code shall be punished with imprisonment from one to six years.

2. Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage, communicate or disseminate a database (or a consistent part of it) containing personal data processed on a large scale, without the consent of the interested subject, when that consent is necessary for the communication and dissemination, shall be punished with imprisonment from one to six years.

[editor's note: the other paragraph refers to the procedural aspects]

Article 167 ter
This article did not exist

Article 167 ter
Fraudulent acquisition of personal data being processed on a large scale


Unless the fact constitutes a more serious offence, any person who, in order to obtain profit for himself/herself or for others or in order to cause damage, acquires with fraud a database (or a consistent part of it) containing personal data processed on a large scale, shall be punished with imprisonment from one to four years.

[editor's note: the other paragraph refers to the procedural aspects]
Article 168
Untrue declarations and notifications to the Garante


1. Unless the fact constitutes a more serious offence, any person who, in the notice prescribed by article 32-bis or in the notification referred to Article 37 or in the communications, records, documents or statements which are produced in a proceeding before the Garante and/or in the course of inquiries, declares or attests untrue information or circumstances or produce false documents, shall be punished with imprisonment from six months to three years.
Article 168
Untrue declarations to the Garante and interruption of the execution of the tasks or the exercise of the powers of the Garante


1. Unless the fact constitutes a more serious offence, any person who declares or attests untrue information or circumstances, or produce false documents, in a proceeding before the Garante and/or in the course of inquiries, shall be punished with imprisonment from six months to three years.

2. Any person who, outside the cases abovementioned (par. 1), intentionally interrupts or disturbs the regularity of a proceeding before the Garante or of an investigation carried out by the Garante, shall be punished with imprisonment up to one year.
Article 169
Security Measures
[omissis]
Article 169
This article has been repealed

Article 170
Failure to Comply with the provisions of the Garante


Any person who does not comply with a provision issued by the Garante pursuant to Articles 26 par. 2, 90, 150 par. 1 and 2 and 143 par. 1, letter c), being legally bound to do so, shall be punished with imprisonment from three months to two years.
Article 170
Failure to Comply with the provisions of the Garante


Any person who does not comply with a provision issued by the Garante pursuant to Articles 58, par. 2 letter f) of the GDPR [editor's note: the Garante could impose a temporary or definitive limitation or a ban on processing], and Article 2-septies par. 1 [editor's note: related to the process of genetic, biometric and health data] and article 21 par. 1 of the Legislative Decree which implements article 13 of the Italian Law no. 163/2017 [editor's note:related to the general authorization of the Garante], being legally bound to do so, shall be punished with imprisonment from three months to two years.
Article 171
Other Offences


The breach of the provisions referred to Articles 113 and 4 par. 1 and 2 of the Italian Law no. 300/1970, shall be punished according to Article 38 of the Italian Law no. 300/1970 (fine or arrest up to one year).
Article 171
Violation of the provisions related to remote controls and employees' opinion surveys


The breach of the provisions referred to in Article 4 par. 1 [editor's note: provisions related to the remote controls of employees] and Article 8 [editor's note: which prohibits investigations on the employees' political, religious or trade union opinions] of the Italian Law no. 300/1970, shall be punished according to Article 38 of the Italian Law no. 300/1970 [editor's note: fine or arrest up to one year].

3. What is the proceeding for imposing administrative fines and criminal sanctions?

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has the power to impose administrative fines, as well as the corrective powers provided for by Article 58 (2) of the GDPR. The relating proceeding is initiated by the Garante following a complaint by a data subject or in the context of the exercise of its investigative and inspection powers.
Where the Garante detects the commission of infringements, which are subject to administrative fines, it initiates the proceeding, by notifying the infringements to the data controller or processor, which may submit their written defenses and documents within 30 days or request to be heard by the Garante

In the event that the Garante becomes aware of possible criminal offences, it submits the documentation, along with a report, to the public prosecutor. 

Article 167 of the Data Protection Code also provides that criminal penalties shall be reduced in case an administrative fine has been imposed by the Garante.

Please do not hesitate to contact our team should you have any further query regarding data privacy sanctions, including relevant procedures and implications. Stay tuned and don't forget to sign up to Dentons TMT bites newsletter!

This article was co-authored by Sara Massalongo (sara.massalongo@dentons.com) and Matteo Danieli (matteo.danieli@dentons.com)

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.