Back to Feed
PolicyJul 14, 2026

Garante per la protezione dei dati personali (Italy) - 487/2026

Italy's Garante fines company for GDPR violations related to LLM data processing and age verification.

Summary

The Italian Garante per la protezione dei dati personali has issued a decision (487/2026) against a company for multiple GDPR violations. The violations include failure to provide clear information on data processing for LLM training, inadequate age verification measures, and not conducting timely Data Protection Impact Assessments (DPIAs). The Garante asserted GDPR applicability even for controllers outside the EU if services are offered within, and found the company lacked an EU establishment, making the Italian DPA competent.

Full text

Help Garante per la protezione dei dati personali (Italy) - 487/2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 08:23, 14 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 edits Tag: submission [1.0] Latest revision as of 08:39, 14 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators735 editsmTag: Visual edit Line 7: Line 7: |DPA_With_Country=Garante per la protezione dei dati personali (Italy)|DPA_With_Country=Garante per la protezione dei dati personali (Italy) |Case_Number_Name=487/2026|Case_Number_Name=Case number: 487/2026 Internal number (from the DPA): 10269571 |ECLI=|ECLI= Line 99: Line 100: The DPA first clarified that the GDPR is applicable even if the controller was established outside of the EU, in accordance with [[Article 3 GDPR#2|Article 3(2) GDPR]]. The DPA took into account the fact that the service was available in Italy and in Italian, as well as the privacy policy also applying to EEA residents. Given that the controller did not have an establishment in the EU, the one-stop-shop mechanism did not apply and the DPA was competent. The DPA first clarified that the GDPR is applicable even if the controller was established outside of the EU, in accordance with [[Article 3 GDPR#2|Article 3(2) GDPR]]. The DPA took into account the fact that the service was available in Italy and in Italian, as well as the privacy policy also applying to EEA residents. Given that the controller did not have an establishment in the EU, the one-stop-shop mechanism did not apply and the DPA was competent. The DPA found a violation of Articles 12(1), 13(1) and (2), and 14(1) and (2) GDPR. The DPA considered that the controller had failed to meet its information obligations. In terms of the controller’s privacy policy, the DPA considered that the controller had not provided data subjects’ with clear information regarding its processing activities, data transfers, or data subjects’ right to object and opt out. In addition, the controller failed to designate a representative in the EU, and included misleading and inaccurate statements on the processing of personal data for purposes of post-training LLMs for the service. (FOOTNOTE 1). However, the DPA also took into consideration that the controller had updated its privacy policy to make its language clearer and to remove its multi-legal basis approach. In terms of its pre-training activities, the DPA stated that the controller had failed to provide adequate information and therefore violated Articles 14(1) and (2) GDPR. The DPA dismissed the controller’s argument that it did not have the obligation to provide this information due to the data being collected by third parties from open sources. The DPA stated that the controller had the obligation to verify whether personal data was present. In addition, the exemption under [[Article 14 GDPR#5b|Article 14(5)(b) GDPR]] does not exempt the controller from having the obligation to implement appropriate measures to protect data subjects’ rights.The DPA found a violation of [[Article 12 GDPR|Articles 12(1)]], [[Article 13 GDPR|13(1) and (2)]], and [[Article 14 GDPR|14(1) and (2) GDPR]]. The DPA considered that the controller had failed to meet its information obligations. In terms of the controller’s privacy policy, the DPA considered that the controller had not provided data subjects’ with clear information regarding its processing activities, data transfers, or data subjects’ right to object and opt out. In addition, the controller failed to designate a representative in the EU, and included misleading and inaccurate statements on the processing of personal data for purposes of post-training LLMs for the service.<ref>See also WP Guidelines on Transparency under Regulation 2016/679, 11 April 2018 (WP260 rev.01), https://ec.europa.eu/newsroom/article29/items/622227</ref> However, the DPA also took into consideration that the controller had updated its privacy policy to make its language clearer. In terms of its pre-training activities, the DPA stated that the controller had failed to provide adequate information and therefore violated [[Article 14 GDPR|Articles 14(1) and (2) GDPR.]] The DPA dismissed the controller’s argument that it did not have the obligation to provide this information due to the data being collected by third parties from open sources. The DPA stated that the controller had the obligation to verify whether personal data was present. In addition, the exemption under [[Article 14 GDPR#5b|Article 14(5)(b) GDPR]] does not exempt the controller from having the obligation to implement appropriate measures to protect data subjects’ rights. However, the DPA did not find a violation of Articles 21(1) and (4). The DPA referred to the EDPB opinion on processing personal data in relation to AI systems (FOOTNOTE 2). The EDPB recommended controllers to adopt measures for data subjects to exercise their rights, including providing the option to provide data subjects with the option to object unconditionally before the processing takes place. The DPA considered that this opinion went beyond the literal wording of Articles 14 and 21 GDPR. This interpretation could not, in the DPA’s view, be interpreted retroactively to the controller’s processing activities.However, the DPA did not find a violation of [[Article 21 GDPR|Articles 21(1) and (4)]]. The DPA referred to the EDPB opinion on processing personal data in relation to AI systems. The EDPB recommended controllers to adopt measures for data subjects to exercise their rights, including providing the option to provide data subjects with the option to object unconditionally before the processing takes place.<ref>See EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models, 17 December 2024, margin 102, <nowiki>https://www.edpb.europa.eu/system/files/documents/2024-12/edpb_opinion_202428_ai-models_en.pdf</nowiki></ref> The DPA considered that this opinion went beyond the literal wording of [[Article 14 GDPR|Articles 14]] and [[Article 21 GDPR|21 GDPR]]. This interpretation could not, in the DPA’s view, be interpreted retroactively to the controller’s processing activities. The DPA found a violation of Articles 24(1) and 25(2) GDPR. The DPA considered that the controller had failed to implement adequate technical and organisational measures to verify data subjects’ age. During its investigations, the DPA found that the controller’s age verification systems were not effective, as they allowed data subjects’ to access the service even after self declaring to be younger than the minimum age limit set by the controller. The DPA also found that the accounts were set to public by default. Therefore, the controller had failed to implement appropriate measures to protect underage data subjects, even if the GDPR does not set a harmonised and binding standard in relation to age verification.The DPA found a violation of [[Article 24 GDPR|Articles 24(1)]] and [[Article 25 GDPR|25(2) GDPR]]. The DPA considered that the controller had failed to implement adequate technical and organisational measures to verify data subjects’ age. During its investigations, the DPA found that the controller’s age verification systems were not effective, as they allowed data subjects’ to access the service even after self declaring to be younger than the minimum age limit set by the controller. The DPA also found that the accounts were set to public by default. Therefore, the controller had failed to implement appropriate measures to protect underage data subjects, even if the GDPR does not set a harmonised and binding standard in relation to age verification. The DPA also found a violation of Articles 5(2) and 35 GDPR. Under [[Article 5 GDPR#2|Article 5(2) GDPR]], the controller has the obl

Entities

LLM (product)Garante per la protezione dei dati personali (vendor)