Table of contents
- Who is the Privacy Authority?
- What is the Role of the Privacy Authority?
- What does the Privacy Authority do?
- The Authority and the EU General Data Protection Regulation (GDPR)
- The Authority, citizens and businesses
- The Authority in the global privacy ecosystem
The protection of personal data is a fundamental right, recognized at both European and national levels. With digital evolution, the growing volume of information exchanged online, and the widespread use of invasive technologies, privacy protection has become a crucial issue for citizens, businesses, and public administrations.
In Italy, the supervisory authority responsible for ensuring compliance with privacy laws is the Garante per la protezione dei dati personali, commonly known as the Privacy Authority. But who is the Privacy Authority? What does the Privacy Authority do? And above all: who appoints the Privacy Authority?
In this article, we will answer these questions, explaining the role of the Privacy Authority, how it operates within the context of the General Data Protection Regulation (GDPR) and the Italian Personal Data Protection Code, what powers it has, and what safeguards it offers against violations of rights.
Who is the Privacy Authority?
The Garante per la protezione dei dati personali is an independent administrative authority, established by Law No. 675 of 1996 and confirmed by the Personal Data Protection Code (Legislative Decree No. 196/2003), later updated and aligned with EU Regulation 2016/679 (known as the GDPR).
This authority is tasked with protecting the fundamental rights and freedoms of individuals with regard to the processing of personal data. In practice, the Garante ensures that those who collect, manage, and store data (i.e., data controllers and data processors) do so in accordance with existing regulations.
The Authority is made up of a board of four members: a president and three commissioners. Who appoints the Privacy Authority? Three members are elected by Parliament (two by the Chamber of Deputies and one by the Senate), while the fourth, the president, is elected by majority vote of the other three members.
What is the Role of the Privacy Authority?
The role of the Privacy Authority is central to data protection, both at the national level and in coordination with other European supervisory authorities.
Its function is primarily oversight, guidance, and supervision. It operates independently from the Government and other State bodies, and it can intervene in any matter involving the processing of personal data: from healthcare services to online advertising, from biometric data to video surveillance, from social media to artificial intelligence.
Among the tasks of the Authority are:
- Ensuring compliance with the GDPR and other legal provisions;
- Monitoring the data processing activities of public and private entities;
- Receiving and evaluating reports and complaints from individuals;
- Carrying out inspections and investigations;
- Issuing sanctions in case of rights violations;
- Providing legal opinions to the Government and Parliament on proposed legislation;
- Informing the public about their rights regarding privacy;
- Granting authorizations in special cases (e.g., genetic data, judicial data, international transfers);
- Collaborating with supervisory authorities of other EU Member States;
- Promoting the adoption of guidelines, codes of conduct, and best practices.
What does the Privacy Authority do?
In practical terms, what does the Privacy Authority do? Its work includes preventive, corrective, and advisory actions. One example of prior consultation is when the Authority must assess projects that present high risks for individuals’ rights, such as the implementation of facial recognition systems or continuous geolocation tools.
In addition, the Authority can:
- Impose temporary or permanent restrictions on data processing;
- Order a controller to rectify or erase personal data;
- Impose fines up to €20 million or 4% of the global annual turnover for companies in cases of serious GDPR violations;
- Initiate ex officio proceedings, even without a formal complaint;
- Collaborate with law enforcement and the judiciary to prosecute data-related crimes;
- Challenge laws or regulations deemed harmful to privacy rights.
The Privacy Authority also carries out extensive information and educational activities, publishing annual reports, newsletters, FAQs, guides for citizens and businesses, educational videos, and in-depth studies. All of these materials are available on the official website: www.garanteprivacy.it.
The Authority and the EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), in force since May 25, 2018, reshaped the privacy legal framework across Europe. Like all EU Member States, Italy had to align its national legislation with the Regulation through Legislative Decree No. 101/2018, which amended the 2003 Privacy Code.
The Privacy Authority is the official supervisory authority designated by the GDPR in Italy. In this role, it performs tasks such as:
- Receiving and evaluating complaints from individuals;
- Cooperating with other European authorities (e.g., in cases of cross-border data processing);
- Coordinating with the European Data Protection Board (EDPB);
- Participating in the drafting of European privacy standards.
It is worth noting that citizens can contact the Authority directly to file a complaint or report an abuse, and the Authority’s decisions may be appealed in civil or administrative courts, depending on the case.
The Authority, citizens and businesses
Every individual has the right to control their personal data. This fundamental principle is reflected in a range of data subject rights, including:
- Right of access to their data;
- Right to rectification or erasure (“right to be forgotten”);
- Right to restrict processing;
- Right to data portability;
- Right to object to processing;
- Right not to be subject to automated decision-making, including profiling.
If any of these rights is denied or ignored, a complaint can be submitted to the Privacy Authority. This also applies in cases of unsolicited promotional emails, unauthorized newsletter subscriptions, unlawful video surveillance, misuse of biometric data, or data storage without consent.
Companies and public bodies also have a direct channel with the Authority to request opinions and clarifications and to report complex issues. They are also required to notify any data breaches (i.e., loss or theft of data) within 72 hours, under threat of severe penalties.
The Authority in the global privacy ecosystem
The Italian Privacy Authority operates within a global privacy framework and is an active member of organizations such as:
- The European Data Protection Board (EDPB);
- The Global Privacy Assembly (GPA);
- The Council of Europe;
- International networks for cross-border data protection.
This international role enables the Authority to harmonize guidelines and ensure that even global platforms (like Google, Meta, Amazon, etc.) respect the rights of European and Italian citizens. The Authority also collaborates with other independent administrative authorities in Italy, such as AGCOM and AGCM, in cases where privacy, competition, and freedom of expression intersect.
Conclusion
The Garante per la protezione dei dati personali is a central figure in the digital life of every citizen. It defends our rights, protects our identity, and shields us from abuse, exploitation, and discrimination stemming from the misuse of data.
Who is the Privacy Authority? The guardian of our digital freedom.
What does the Privacy Authority do? It monitors, informs, sanctions, guides, and defends.
What is its role? To serve citizens with transparency, legality, and accountability.
Questions and answers
- Who is the Privacy Authority in Italy?
It is the independent authority that protects personal data and ensures compliance with privacy laws.
- What is the role of the Privacy Authority?
To oversee the correct processing of personal data and safeguard the rights of data subjects.
- Who appoints the Privacy Authority?
Three members are elected by Parliament, and the president is appointed by the other three.
- What does the Privacy Authority do?
It monitors, sanctions, authorizes specific data processing, provides opinions, and promotes privacy awareness.
- What powers does the Privacy Authority have?
It can impose fines, block processing activities, order data erasure, and act on its own initiative.
- Can the Authority fine a company?
Yes, fines can reach up to 4% of the company’s global annual turnover.
- How can I submit a complaint to the Authority?
Through the official website by completing an online form.
- What happens after a report is filed?
The Authority may initiate an investigation, request clarifications, conduct inspections, and adopt measures.
- Does the Authority have value at the European level?
Yes, it is part of the European Data Protection Board and collaborates with other EU authorities.
- Where is the Authority’s official website?
At: www.garanteprivacy.it