[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff6nZXqoT4rnz8zcyDmqrL2hbn_bnUuujOc_mfYQ3LV0":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"8ce3e7f1-4e0c-4349-a7a5-4c9f8938f94f","Garante per la protezione dei dati personali (Italy) - 487\u002F2026","garante-per-la-protezione-dei-dati-personali-italy-487-2026-7da216","← Older revision Revision as of 07:48, 15 July 2026 Line 93: Line 93: === Facts === === Facts === Character Technologies, Inc (the controller) is a company that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. Character Technologies, Inc (the controller) is a company established in the US that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems.","Italy's data protection authority, the Garante, has fined Character Technologies, Inc. €158,000 for violating GDPR. The company, which operates the generative AI service Character.AI, was found to have failed in adequately informing users about its data processing activities and lacked effective age verification for underage users. The investigation, initiated in 2024, also looked into data transfers and the LLM models used by the service.","Italy's Garante fines Character Technologies €158,000 for GDPR violations.","Help Garante per la protezione dei dati personali (Italy) - 487\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:39, 14 July 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators738 editsmTag: Visual edit← Older edit Latest revision as of 07:48, 15 July 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators738 editsmTag: Visual edit Line 93: Line 93: === Facts ====== Facts === Character Technologies, Inc (the controller) is a company that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children.Character Technologies, Inc (the controller) is a company established in the US that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems.The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems. Latest revision as of 07:48, 15 July 2026 Garante per la protezione dei dati personali - Case number: 487\u002F2026 Internal number (from the DPA): 10269571 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 3(2) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 13(1) GDPR Article 14(1) GDPR Article 14(2) GDPR Article 14(5)(b) GDPR Article 21(1) GDPR Article 21(4) GDPR Article 24(1) GDPR Article 25(2) GDPR Article 27(1) GDPR Article 27(2) GDPR Article 35 GDPR Type: Investigation Outcome: Violation Found Started: 04.11.2024 Decided: 03.07.2026 Published: Fine: 158,000 EUR Parties: Character Technologies, Inc National Case Number\u002FName: Case number: 487\u002F2026 Internal number (from the DPA): 10269571 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a company providing a virtual character chatbot €158,000 for failing to sufficiently inform data subjects of its processing activities through its privacy policy, and for failing to implement effective age verification measures for underage data subjects using the service. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Character Technologies, Inc (the controller) is a company established in the US that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems. Holding The DPA first clarified that the GDPR is applicable even if the controller was established outside of the EU, in accordance with Article 3(2) GDPR. The DPA took into account the fact that the service was available in Italy and in Italian, as well as the privacy policy also applying to EEA residents. Given that the controller did not have an establishment in the EU, the one-stop-shop mechanism did not apply and the DPA was competent. The DPA found a violation of Articles 12(1), 13(1) and (2), and 14(1) and (2) GDPR. The DPA considered that the controller had failed to meet its information obligations. In terms of the controller’s privacy policy, the DPA considered that the controller had not provided data subjects’ with clear information regarding its processing activities, data transfers, or data subjects’ right to object and opt out. In addition, the controller failed to designate a representative in the EU, and included misleading and inaccurate statements on the processing of personal data for purposes of post-training LLMs for the service.[1] However, the DPA also took into consideration that the controller had updated its privacy policy to make its language clearer. In terms of its pre-training activities, the DPA stated that the controller had failed to provide adequate information and therefore violated Articles 14(1) and (2) GDPR. The DPA dismissed the controller’s argument that it did not have the obligation to provide this information due to the data being collected by third parties from open sources. The DPA stated that the controller had the obligation to verify whether personal data was present. In addition, the exemption under Article 14(5)(b) GDPR does not exempt the controller from having the obligation to implement appropriate measures to protect data subjects’ rights. However, the DPA did not find a violation of Articles 21(1) and (4). The DPA referred to the EDPB opinion on processing personal data in relation to AI systems. The EDPB recommended controllers to adopt measures for data subjects to exercise their rights, including providing the option to provide data subjects with the option to object unconditionally before the processing takes place.[2] The DPA considered that this opinion went beyond the literal wording of Articles 14 and 21 GDPR. This interpretation could not, in the DPA’s view, be interpreted retroactively to the controller’s processing activities. The DPA found a violation of Articles 24(1) and 25(2) GDPR. The DPA considered that the controller had failed to implement adequate technical and organisational measures to verify data subjects’ age. During its investigations, the DPA found that the controller’s age verification systems were not effective, as they allowed data subjects’ to access the service even after self declaring to be younger than the minimum age limit set by the controller. The DPA also found that the accounts were set to public by default. Therefore, the controller had failed to implement appropriate measures to protect underage data subjects, even if the GDPR does not set a harmonised and binding standard in relation to age verification. The DPA also found a violation of Articles 5(2) and 35 GDPR. Under Article 5(2) GDPR, the controller has the obligation to proactively demonstrate complian","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_487\u002F2026&diff=52218&oldid=52204","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-07-15T07:48:52+00:00","2026-07-15T08:00:28.180575+00:00",8,[18,21,24,27],{"name":19,"type":20},"Character Technologies, Inc","vendor",{"name":22,"type":23},"Character.AI","product",{"name":25,"type":26},"generative AI","technology",{"name":28,"type":26},"LLM","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":29,"icon":31,"name":32,"slug":33},null,"Policy","policy",[35,40,45,47],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":46},{"id":29,"icon":31,"name":32,"slug":33},{"category":48},{"id":49,"icon":31,"name":50,"slug":51},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]