GDPR Enforcement in 2026: What Record Fines Mean for Your Business (italy)

GDPR enforcement in 2026 has entered uncharted territory, with record fines reshaping how European supervisory authorities punish non-compliance and how businesses across Italy must respond. Cumulative penalties issued under the General Data Protection Regulation since 2018 have now surpassed the €7 billion mark, according to leading enforcement trackers, and the pace of high-value decisions accelerated sharply through 2025 and into the first half of 2026. The simultaneous enforcement of the EU Data Act, which entered into force in September 2025, has added a new layer of data-sharing and access obligations that regulators are scrutinising alongside GDPR compliance.
For in-house counsel, DPOs and compliance officers at Italian businesses, these developments demand immediate, structured action: the gap between regulatory expectation and operational reality has never been more consequential.

Executive Summary: What 2026 Record GDPR Fines Mean for Italian Businesses

The enforcement landscape for data privacy laws has shifted fundamentally. Regulators are no longer issuing symbolic penalties; they are deploying fines calibrated to global turnover, targeting systemic failures and holding both controllers and processors directly accountable. For businesses operating in or processing the personal data of individuals in Italy, three realities now define the compliance environment:

• Scale of financial exposure. Upper-tier fines under Article 83 GDPR reach up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Multiple decisions in 2025–2026 have pushed individual penalties well into the hundreds of millions of euros, demonstrating that supervisory authorities will apply these ceilings to major infringements.
• Broadened enforcement scope. Regulators are pursuing not only consent failures and security breaches but also unlawful international transfers, inadequate Data Protection Impact Assessments (DPIAs), insufficient record-keeping under Article 30, and, increasingly, failures to comply with new EU Data Act obligations around data access and sharing.
• Immediate action required. Italian businesses should prioritise a comprehensive data-processing audit, a lawful-basis review across all processing activities, an overhaul of consent mechanisms and transfer safeguards, and an incident response plan aligned to the 72-hour breach notification rule under Article 33.

2026 GDPR Enforcement Snapshot: Numbers, Trends and Who Is Fining

The numbers tell a stark story. Data compiled by the GDPR Enforcement Tracker and analysed in the CMS GDPR Enforcement Tracker Report confirms that GDPR fines 2026 have continued the steep upward trajectory that began around 2021. Aggregate fines imposed since the GDPR took effect in May 2018 now exceed €7.1 billion, with a significant proportion of that total concentrated in decisions handed down during 2024, 2025 and the first half of 2026.

Several national supervisory authorities have driven this trend. The Irish Data Protection Commission (DPC), acting as lead supervisory authority for many of the world’s largest technology platforms under the One-Stop-Shop mechanism, has been responsible for some of the highest individual penalties. Authorities in Luxembourg, France (CNIL) and Italy’s own Garante per la protezione dei dati personali have also issued substantial fines targeting adtech, financial services and telecommunications companies.

The sectors most heavily affected reflect where large-scale personal data processing is most concentrated: technology platforms and social-media companies, advertising technology and real-time bidding ecosystems, financial institutions and payment processors, and healthcare providers handling sensitive data at scale.

Notable Recent Record GDPR Fines (2024–2026)

Regulator
Approximate Penalty
Primary Reason

Irish DPC
€1.2 billion+
Unlawful international transfers of personal data to the US without adequate safeguards

Irish DPC
€390 million+
Invalid legal basis for behavioural advertising and consent failures

Luxembourg (CNPD)
€746 million (issued 2021, overturned on appeal March 2026)
Non-compliant data processing practices at scale; fine set aside by the Court of Appeal and referred back to the CNPD for reassessment of proportionality and intent

French CNIL
€325 million
Cookies and advertising tracking violations

Italian Garante
€20 million+
Unlawful processing of user data, inadequate transparency and consent mechanisms

Industry observers expect this trajectory to continue, with DPC decisions in 2026 alone accounting for a disproportionate share of total enforcement value across the EU. For Italian businesses, particularly those with cross-border operations or that rely on third-party processors headquartered in other EU member states, these decisions are directly applicable and set binding precedents for how obligations are interpreted.

Why GDPR Fines Are Bigger Now: Legal and Policy Drivers

Understanding why record GDPR fines have escalated requires examining both the statutory framework and the evolving policy posture of European supervisory authorities.

Article 83 of the GDPR establishes two tiers of administrative fines. The lower tier, up to €10 million or 2% of global annual turnover, applies to infringements of obligations related to controllers and processors (Articles 8, 11, 25–39, 42 and 43). The upper tier, up to €20 million or 4% of global annual turnover, applies to infringements of the basic principles of processing, conditions for consent, data subject rights and rules governing international transfers.

Article 83(2) then lists the factors supervisory authorities must weigh when setting fine amounts. These include the nature, gravity and duration of the infringement; whether the infringement was intentional or negligent; actions taken to mitigate damage; the degree of responsibility and any previous infringements; the categories of personal data affected; how the authority learned of the infringement; and any aggravating or mitigating factors such as financial benefits gained. Crucially, regulators in 2025–2026 have given significant weight to the global turnover of the undertaking, meaning that companies with large market capitalisation face proportionally larger fines, even for infringements similar to those committed by smaller entities.

The European Data Protection Board (EDPB) has issued harmonisation guidelines encouraging consistent application of these factors across all EU supervisory authorities, and early indications suggest that these guidelines have emboldened smaller national DPAs, including the Garante, to align their penalty calculations more closely with the aggressive approach seen in Irish and French decisions.

The Role of the EU Data Act in GDPR Enforcement

The EU Data Act, which entered into force in September 2025, introduces new obligations around data sharing, data access and portability that sit alongside, and sometimes intersect with, GDPR requirements. While the Data Act is primarily concerned with non-personal and IoT-generated data, its provisions on data access rights and fair contractual terms apply in contexts where personal data is also processed. Industry observers expect supervisory authorities to treat compliance failures under the Data Act as an aggravating factor when assessing GDPR penalties, particularly in sectors such as connected devices, cloud services and platform economies where the two regulatory regimes overlap. For Italian businesses, this means that lawful basis assessments and data-sharing architectures must now account for both frameworks simultaneously.

Most Common GDPR Enforcement Triggers (Italy and EU)

Enforcement actions are not random. Across the decisions catalogued in the GDPR Enforcement Tracker, several recurring triggers account for the majority of fines and corrective orders issued in 2025–2026:

• Unlawful international transfers. Transferring personal data outside the EEA without adequate safeguards, particularly to the US, remains the single highest-value enforcement trigger. Despite the EU-US Data Privacy Framework adopted in 2023, transfers to processors or sub-processors that fall outside its scope, or transfers relying on outdated Standard Contractual Clauses (SCCs) without supplementary measures, continue to attract severe penalties.
• Consent failures. Supervisory authorities are scrutinising consent mechanisms with increasing granularity. Dark patterns, pre-ticked boxes, bundled consents and consent walls that force users to accept tracking as a condition of service have all resulted in enforcement. Consent under GDPR must be freely given, specific, informed and unambiguous, and regulators are now auditing the user experience (UX) implementation, not just the legal text.
• Inadequate security measures. Failures to implement appropriate technical and organisational measures under Article 32 remain a persistent trigger, particularly following data breaches that expose personal data. The Garante has been especially active in this area, issuing guidance and corrective orders where Italian organisations lacked encryption, access controls, pseudonymisation or regular security testing.
• Large-scale profiling without DPIAs. Processing operations that involve systematic monitoring of individuals or large-scale profiling, including behavioural advertising, credit scoring and employee surveillance, require a DPIA under Article 35. Failure to conduct or properly document a DPIA is treated as a standalone infringement and has featured in several high-value decisions.
• Insufficient record-keeping. Article 30 requires both controllers and processors to maintain records of processing activities. While this may appear administrative, regulators treat missing or incomplete records as evidence of broader governance failures and often use record-keeping deficiencies to widen the scope of investigations.

International Transfers: SCCs and Residual Schrems II Risk

The legacy of the Court of Justice’s Schrems II decision continues to shape international transfers under GDPR. Although the EU-US Data Privacy Framework provides a legal basis for transfers to certified US organisations, many Italian businesses transfer data to recipients in jurisdictions without an adequacy decision or to US entities not certified under the framework. In these cases, SCCs supplemented by Transfer Impact Assessments (TIAs) remain the primary mechanism, and regulators are now reviewing whether businesses have genuinely assessed the legal framework of the recipient country, implemented effective supplementary technical measures, and documented their reasoning. Failure to do so has been the basis of several record GDPR fines.

Legal Basis for the Largest 2026 GDPR Penalties

The penalty reasoning in the largest decisions of 2025–2026 reveals a consistent analytical framework that supervisory authorities are applying with increasing rigour. In the most significant DPC decisions, the authority cited infringements of Articles 44–49 (international transfers), Article 6 (lawful basis for processing), Article 5(1)(a) (lawfulness, fairness and transparency) and Article 7 (conditions for consent). In each case, the DPC applied the Article 83(2) factors methodically, giving particular weight to the duration of the infringement, in some cases spanning several years, and the number of data subjects affected, often running into hundreds of millions.

The CNIL’s decisions against adtech operators similarly focused on Article 5(1)(a) and Article 7, but additionally cited Article 25 (data protection by design and by default) where companies had built tracking architectures without adequate privacy safeguards from inception. The Italian Garante’s own enforcement decisions have cited Articles 5, 6, 13 and 14 (transparency obligations) and have placed emphasis on the inadequacy of privacy notices and the failure to provide data subjects with meaningful control over their data.

For Italian businesses, the practical effect of these decisions is that penalties are no longer limited to clear-cut breaches such as data leaks. Systemic governance failures, poorly drafted privacy policies, untested consent flows, legacy transfer mechanisms, and absent DPIAs, now expose organisations to upper-tier fines.

Practical Action Plan for Legal Teams: GDPR Enforcement 2026 Checklist and Timeline

Given the scale and velocity of GDPR enforcement in 2026, legal teams at Italian businesses should adopt a structured, time-bound remediation programme. The following 30/60/90-day plan provides a prioritised framework:
Days 1–30: Foundation audit and risk assessment

Days 31–60: Remediation and mechanism overhaul

Days 61–90: Incident response, training and governance

Reporting Obligations by Entity Type

Obligation
Controller
Processor

Breach notification to DPA
Must notify the supervisory authority within 72 hours of becoming aware (Article 33) and document the reasoning for the notification or for not notifying.
Must notify the controller without undue delay after becoming aware of a breach; the controller decides whether DPA notification is required.

Record-keeping (Article 30)
Must maintain full records of all processing activities, including purposes, categories of data subjects, recipients, transfers and retention periods.
Must maintain records of all categories of processing carried out on behalf of each controller.

Direct enforcement risk
Directly subject to fines under Article 83; fine quantum may reflect market power, turnover and the systemic nature of the infringement.
Can be fined directly under Article 83 depending on role, culpability and whether processing exceeded the controller’s instructions; must document compliance measures.

Incident Response and 72-Hour Breach Notification

Article 33 of the GDPR requires controllers to notify the competent supervisory authority, in Italy, the Garante, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must notify controllers without undue delay. Meeting this deadline requires a pre-built, tested response protocol:

Compliance Checklist for International Transfers and EU Data Act Interplay

Cross-border privacy compliance requires a dual-track approach in 2026. For international transfers under GDPR, legal teams should verify the following:

• All transfers are mapped and the legal basis for each is documented (adequacy decision, new-form SCCs, binding corporate rules, or a specific derogation under Article 49).
• Transfer Impact Assessments have been completed for every transfer relying on SCCs, evaluating the legal framework of the recipient country and the effectiveness of supplementary measures.
• Supplementary technical measures, such as encryption where the keys are retained within the EEA, pseudonymisation, or split processing, are implemented where the TIA identifies residual risk.
• Sub-processor chains are reviewed to ensure that all onward transfers by processors are covered by equivalent safeguards and documented in sub-processing agreements.

For the EU Data Act overlay, Italian businesses should additionally confirm that data-sharing architectures comply with new access-right obligations, that contracts with cloud and IoT service providers incorporate fair data-access terms as required by the Act, and that any refusal to share data can be justified under the Act’s exemptions. Failure to meet EU Data Act obligations is increasingly likely to compound GDPR enforcement risk where the same data-processing activities are involved.

What to Expect If Investigated: Process, Remedies and Mitigation

An investigation by the Garante, or, in cross-border cases, by a lead supervisory authority under the One-Stop-Shop mechanism, typically follows a structured lifecycle. The authority may act on the basis of a complaint, a notified breach, a media report, or its own monitoring and audit programme. The investigation stage involves information requests, on-site inspections and technical audits. The authority then issues a preliminary assessment, giving the organisation an opportunity to respond before a final decision.

Businesses under investigation should take immediate steps to cooperate fully and transparently with the authority, preserve all relevant records and communications, implement remedial measures as soon as deficiencies are identified (even before a final decision), and prepare detailed mitigation submissions demonstrating good-faith efforts, the scope and speed of remediation, and any investments in improved governance. Article 83(2) expressly lists cooperation with the supervisory authority and measures taken to mitigate damage as factors that can reduce fine amounts. Appeals against Garante decisions can be brought before the Italian courts, and in cross-border cases, the consistency mechanism under the EDPB provides an additional procedural layer.

Italy-Specific Considerations: Garante Practice and Enforcement Posture

The Garante per la protezione dei dati personali has established itself as one of the more active national supervisory authorities in the EU, with a particular focus on transparency, security and the lawful use of emerging technologies. Italian Garante fines have targeted organisations for insufficiently detailed privacy notices, the use of analytics tools that transfer data to the US without adequate safeguards, and the processing of biometric and location data without a valid DPIA.

The Garante has also issued specific guidance on the use of cookies and tracking technologies, aligning Italian practice with the EDPB’s recommendations, and has intervened in cases involving artificial intelligence and automated decision-making where transparency and lawful basis requirements were not met. For companies with a main establishment outside Italy but processing Italian residents’ data, coordinating with both the Garante and the lead supervisory authority under the One-Stop-Shop is essential to avoid parallel enforcement actions and inconsistent outcomes. Early engagement with the Garante, including voluntary compliance audits and proactive breach notifications, is widely recognised as a mitigating factor in Italian enforcement practice.

Conclusion: GDPR Enforcement 2026 Record Fines, Priority Actions and Final Checklist

The message from GDPR enforcement in 2026 is unambiguous: supervisory authorities have the tools, the mandate and the willingness to impose penalties that materially affect even the largest organisations. For Italian businesses, the path forward is structured compliance, not reactive firefighting. What record GDPR fines mean, in practical terms, is that organisations can no longer treat data protection as a secondary governance function.

The following seven-point checklist summarises the priority actions every Italian business should take immediately:

Need Legal Advice?
This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.

Sources