GDPR - Jun 22, 2026

Garante per la protezione dei dati personali (Italy) - 419/2026

Italian DPA fines AgID €55,000 for failing to inform data subjects about certified email inclusion in public index.

Summary

Italy's Garante per la protezione dei dati personali issued a €55,000 fine to AgID (Agency for Digital Italy) for violations of GDPR Articles 5, 12, 14, and 25. AgID automatically transferred certified email addresses from the older INI-PEC index to the new INAD digital domicile index without proper notice to data subjects, allowing co-workers to access personal emails and preventing timely opt-outs. The DPA found the processing incompatible with original purposes and the delayed information campaign (2 years later) insufficient.

Full text

From GDPRhub. Revision as of 19:50, 22 June 2026.

Garante per la protezione dei dati personali - 419/2026

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(2) GDPR; Article 12 GDPR; Article 14 GDPR; Article 25 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.05.2026
Published:
Fine: 55,000 EUR
Parties: AgID
National Case Number/Name: 419/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The DPA fined the government agency for digitalization €55,000 for failing to inform data subjects about the inclusion of their certified email addresses in a public index of digital domiciles.

English Summary

Facts

The context of the case

The data controller for the case is a government body called the Agency for Digital Italy (AgID). AgID is tasked with driving the adoption of digital technologies in both government and the private sector. Additionally, AgID is Italy’s soon-to-be notification authority for the AI Act.

The case revolves around two public online indexes of certified email addresses: the INI-PEC and the INAD. INI-PEC is the older of the two indexes and includes, among others, the email addresses of professionals (the data subjects). INAD was created by AgID in 2023 as provided by Italian law. INAD functions as an index of “digital domiciles” for both professionals and other owners of a digital email address.
Shortly after setting up the INAD index, AgID automatically included the addresses of professionals from the old INI-PEC index. As a result, the exported emails became the digital domicile for communications not related to the professional lives of the data subjects. Data subjects were given the option to opt out of the inclusion in the INAD index.

Some data subjects complained (1) that this processing severely infringed on their privacy. As the DPA’s decision explains, it is not uncommon for professionals to give co-workers access to their professional email addresses, on the assumption that it will only be used for strictly professional communications. In some cases, co-workers were able to view strictly personal emails after the email address was listed as a digital domicile for all communications. The data subjects also claimed that the controller had not informed them about the processing, which prevented them from opting out in a timely fashion.

The investigation

On the duty of information

First of all, the DPA clarified that by including email addresses in the INAD index, the controller further processed personal data for a new purpose, incompatible with the original purpose of the processing (i.e., the inclusion of email addresses in the older index).

With regard to the duty of information, the controller pointed out that it contacted professional orders to inform them about the creation of the INAD index. In the context of these communications, the controller asked professional orders to inform the data subjects about this processing of personal data and about their right to opt out. The controller stated that it did not directly contact the data subjects via their email addresses, as it feared that its emails would have been mistaken for phishing or scams(1). The controller later launched a more effective information campaign with the help of other government bodies; however, this campaign only took place two years after the processing of personal data.
On the controller’s identity

The DPA’s investigation also focused on a second issue, relating to the authentication procedure for digital domiciles: for a long time, a company (InfoCamere S.c.p.a.) was erroneously listed as a service provider for the INAD index. During the investigation, the controller confirmed that InfoCamere had no role in the processing of personal data. The controller also stated that it had contacted the actual service provider in order to correct the error and that the provider had done so with great delay.

Holding

The DPA held that until 2025, the controller had failed to inform the data subjects about the inclusion of their email address in the INAD index, in violation of Articles 5(1)(a), 5(1)(b), 5(2), 12, 14 and 25 GDPR. On these grounds, the DPA fined the controller €55,000.

With regard to the erroneous indication of the service provider in the authentication screen, the DPA found that the mistake was isolated and that overall, the information provided during the procedure was still sufficient to clarify that AgID was the controller. On these grounds, the DPA found that the mistake did not, in and of itself, constitute a violation of the GDPR.

Comment

On the DPA’s Opinion

Before the creation of INAD, the DPA had specifically provided the controller with an opinion on the relative processing of personal data. In particular, the DPA’s guidance noted that the controller had not planned sufficient measures to inform the data subjects, which could practically undermine their option to opt out of the processing. In the decision, the controller noted that this guidance was entirely ignored.

On the controller’s arguments on individual e-mails

Notably, the decision does not contain an injunction to properly inform the data subjects. This implies that in the DPA’s eyes, the controller had remedied the violation with its broader 2025 information campaign.
English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10259701]

Measure of May 28, 2026

Register of Measures No. 419 of May 28, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, General Data Protection Regulation (hereinafter, the Regulation);

HAVING REGARD to Legislative Decree no. 196 of 30 June 2003, containing the Personal Data Protection Code (hereinafter, the Code);

CONSIDERING Regulation No. 1/2019 concerning internal procedures of external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Italian Data Protection Authority, approved by Resolution No. 98 of April 4, 2019, published in the Official Journal No. 106 of May 8, 2019 and on www.garanteprivacy.it, web doc. No. 9107633 (hereinafter "Regulation No. 1/2019");

CONSIDERING the documentation in the file;

CONSIDERING the observations made by the Secretary General pursuant to Article 15 of Regulation No. 1/2000 on the organization and functioning of the Office of the Italian Data Protection Authority (web doc. No. 1098801);

Speaker: Dr. Agostino Ghiglia;

WHEREAS

1. Introduction

Beginning June 6, 2023, any adult citizen with a certified email address has been allowed to elect their "digital domicile" in the National Index of Digital Addresses of Natural Persons, Professionals, and Other Private Law Entities Not Required to Be Registered in Professional Rolls, Lists, or Registers, or in the Business Register (hereinafter, INAD). From the same date, all certified email addresses

Entities

AgID (Agency for Digital Italy) (vendor)
INAD (Index of Digital Domiciles) (technology)
INI-PEC (technology)