
Garante Italy: The DPA That Banned ChatGPT — What Italian AI and PII Compliance Requires

Italy's Garante fined OpenAI €15M in December 2024 and temporarily banned ChatGPT in 2023. 63% of Italian firms lack AI data governance policies. Codice fiscale and partita IVA technical detection requirements.

March 7, 2026 · 9 min read

Tags: Italy Garante, codice fiscale detection, ChatGPT ban Italy, Italian data protection, AI GDPR compliance

Italy's Garante per la protezione dei dati personali (Garante) is the EU's most aggressive AI privacy regulator. In March 2023, the Garante became the first data protection authority globally to temporarily ban ChatGPT from Italy — forcing OpenAI to implement explicit age verification and transparency measures before the service was restored. In December 2024, the Garante fined OpenAI €15 million for unlawful processing of Italian user data.

For organizations using AI tools in Italy — or deploying AI systems that may process Italian personal data — the Garante's enforcement pattern sets the most demanding technical expectations in the EU.

The OpenAI/ChatGPT Case: What the Garante Found

The Garante's €15 million fine against OpenAI in December 2024 was based on multiple violations:

Age verification failure: ChatGPT was accessible to Italian minors without adequate age verification. The Garante found that OpenAI failed to implement reasonable measures to prevent under-13 use.

Unlawful training data processing: The Garante found that OpenAI's use of Italian user data for training ChatGPT 3.5/4 lacked adequate legal basis. The "legitimate interest" claim was rejected — the Garante found that using personal data to train commercial AI models requires either consent or a clearer legal basis than LLM training providers typically invoke.

Lack of transparency: OpenAI did not adequately inform Italian users how their data was used for training, or provide accessible opt-out mechanisms.

Practical implications: Any AI system processing Italian personal data — whether training, fine-tuning, or inferencing on Italian user inputs — must have a documented GDPR legal basis under Garante standards that goes beyond simple "legitimate interest" claims. Consent or specific contract performance is typically required.

Italian National Identifiers

Codice fiscale: Italy's 16-character alphanumeric tax code — one of the most information-rich national identifiers in the EU. Structure:

  • Characters 1-3: Consonants from surname (specific extraction rules)
  • Characters 4-6: Consonants and vowels from first name (specific extraction rules)
  • Characters 7-8: Last two digits of birth year
  • Character 9: Letter representing birth month (A=January, B=February, C=March, D=April, E=May, H=June, L=July, M=August, P=September, R=October, S=November, T=December)
  • Characters 10-11: Birth day (males: day number; females: day + 40)
  • Characters 12-15: Belfiore code (4 characters) of birth municipality or country
  • Character 16: Check character (a letter computed from the preceding 15 characters by a fixed algorithm)

The codice fiscale encodes surname initial sounds, first name initial sounds, birth date, gender (via birth day encoding), and birth location. It is arguably the EU's most personally identifying national identifier by information content.

Detection accuracy: Generic NLP tools detect codice fiscale with only 67% accuracy (Garante 2024 technical analysis). The failures: tools that match any 16-character alphanumeric pattern without implementing the check character algorithm cannot distinguish valid codici fiscali from false positives, and tools that don't implement the surname/name extraction rules cannot cross-check a code against the name it should encode.

Partita IVA: Italy's 11-digit business VAT number, with a check digit calculated using a weighted-sum modulo-10 algorithm. The last digit is the check digit. Partita IVA appears in all Italian commercial documents — invoices, contracts, and business correspondence.
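The following is an added example, not code from the original post or from any Garante publication: it implements the codice fiscale check character (weighted sum of the first 15 characters, modulo 26), decodes the birth date, sex and Belfiore code described in the list above, and validates the partita IVA check digit, then runs both validators over a constructed sample line so that structurally plausible but invalid strings are rejected rather than reported. The surname/first-name consonant extraction rules are not implemented, nor are omocodia variants (codes where digits are swapped for letters to resolve collisions). The sample codes, including the fictitious "Mario Rossi" style code RSSMRA80A01H501U, are constructed for the example.

```python
import re
from datetime import date

# Weights for characters in odd (1-based) positions of the first 15 characters.
_ODD = {
    "0": 1, "1": 0, "2": 5, "3": 7, "4": 9, "5": 13, "6": 15, "7": 17, "8": 19, "9": 21,
    "A": 1, "B": 0, "C": 5, "D": 7, "E": 9, "F": 13, "G": 15, "H": 17, "I": 19, "J": 21,
    "K": 2, "L": 4, "M": 18, "N": 20, "O": 11, "P": 3, "Q": 6, "R": 8, "S": 12, "T": 14,
    "U": 16, "V": 10, "W": 22, "X": 25, "Y": 24, "Z": 23,
}
_ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_MONTHS = "ABCDEHLMPRST"  # A=January ... T=December, as listed in the post

# Structural patterns only; omocodia variants (digits replaced by letters to
# resolve collisions) are deliberately not covered in this example.
CF_RE = re.compile(r"\b[A-Z]{6}\d{2}[ABCDEHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b")
PIVA_RE = re.compile(r"\b\d{11}\b")


def cf_check_char(first15: str) -> str:
    """Compute the 16th character: weighted sum of the first 15, modulo 26."""
    total = 0
    for i, ch in enumerate(first15.upper()):
        if i % 2 == 0:                       # 1-based odd position: table weight
            total += _ODD[ch]
        else:                                # 1-based even position: digit value or A=0..Z=25
            total += int(ch) if ch.isdigit() else _ALPHA.index(ch)
    return _ALPHA[total % 26]


def is_valid_cf(cf: str) -> bool:
    """Structure plus check character; a 16-character pattern match alone is not enough."""
    cf = cf.upper()
    return bool(CF_RE.fullmatch(cf)) and cf_check_char(cf[:15]) == cf[15]


def decode_cf(cf: str, reference_year: int = 2026) -> dict:
    """Recover birth date, sex and Belfiore code from a structurally valid code.

    The two-digit year is ambiguous by design; pick the latest century that
    does not place the birth after reference_year.
    """
    cf = cf.upper()
    yy = int(cf[6:8])
    month = _MONTHS.index(cf[8]) + 1
    day = int(cf[9:11])
    sex = "F" if day > 40 else "M"           # females carry birth day + 40
    if sex == "F":
        day -= 40
    year = 2000 + yy if 2000 + yy <= reference_year else 1900 + yy
    return {"birth_date": date(year, month, day), "sex": sex, "belfiore": cf[11:15]}


def is_valid_piva(piva: str) -> bool:
    """11 digits; the last is a weighted-sum modulo-10 check digit."""
    if not PIVA_RE.fullmatch(piva):
        return False
    digits = [int(d) for d in piva]
    odd = sum(digits[0:10:2])                 # positions 1,3,5,7,9 taken as-is
    even = 0
    for d in digits[1:10:2]:                  # positions 2,4,6,8,10 doubled, minus 9 if > 9
        d2 = 2 * d
        even += d2 - 9 if d2 > 9 else d2
    return (10 - (odd + even) % 10) % 10 == digits[10]


def scan(text: str) -> dict:
    """Find candidates and keep only those whose check character/digit verifies."""
    found = {"codice_fiscale": [], "partita_iva": [], "rejected": []}
    for m in CF_RE.finditer(text.upper()):
        bucket = "codice_fiscale" if is_valid_cf(m.group()) else "rejected"
        found[bucket].append(m.group())
    for m in PIVA_RE.finditer(text):
        bucket = "partita_iva" if is_valid_piva(m.group()) else "rejected"
        found[bucket].append(m.group())
    return found


# Constructed sample: one valid code of each kind, one CF with a wrong check
# character, and an 11-digit phone number that a bare regex would flag as P.IVA.
SAMPLE = (
    "Cliente RSSMRA80A01H501U, fattura a P.IVA 12345678903. "
    "Nota: RSSMRA80A01H501X non valido, telefono 01234567890."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(decode_cf("RSSMRA80A01H501U"))
```

Running the module on the constructed sample reports one codice fiscale and one partita IVA and rejects the other two candidates; `decode_cf` shows how much a single valid code reveals (here: male, born 1 January 1980, Belfiore code H501), which is the reason the post treats it as the EU's most information-rich identifier.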

Tessera sanitaria: Italy's health card — combines codice fiscale with additional health-specific data. Format includes the codice fiscale as a component.

Garante's AI Tool Requirements

The Garante's guidance on "technical and organizational measures" for AI systems that process Italian personal data:

Before AI processing: PII must be identified and either removed or pseudonymized before input to AI systems. This applies equally to browser extensions and other AI integrations: any AI tool receiving Italian personal data (names, codici fiscali, health data) in prompts must have those identifiers removed before transmission.
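As an added example (not code from the original post), the pseudonymization step described above can be done with keyed tokens: identifiers matched in the outgoing prompt are replaced by an HMAC-derived placeholder, the token-to-value mapping stays on the caller's side, and the model's answer is re-identified locally. Detection here is structural (regex) so the block runs on its own; the `validator` callback is an assumed hook through which a caller can plug in a check-character verifier to drop false positives before tokenizing. The key and the prompt are constructed.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict

# Structural patterns; pass a stricter validator (e.g. a check-character
# verifier) through the constructor to skip false positives before tokenizing.
CF_RE = re.compile(r"\b[A-Z]{6}\d{2}[ABCDEHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b", re.IGNORECASE)
PIVA_RE = re.compile(r"\b\d{11}\b")


class Pseudonymizer:
    """Swap Italian identifiers for keyed tokens; the mapping never leaves the caller."""

    def __init__(self, key: bytes,
                 validator: Callable[[str, str], bool] = lambda kind, value: True):
        self._key = key
        self._validator = validator
        self.vault: Dict[str, str] = {}  # token -> original value, kept on-premise

    def _token(self, kind: str, value: str) -> str:
        # HMAC rather than a bare hash: the identifier's structure is public, so an
        # unkeyed digest could be reversed by enumerating plausible codes.
        digest = hmac.new(self._key, value.upper().encode(), hashlib.sha256).hexdigest()[:12]
        return f"<{kind}_{digest}>"

    def _swap(self, kind: str, match) -> str:
        value = match.group()
        if not self._validator(kind, value):
            return value                    # caller's check failed: leave the text untouched
        token = self._token(kind, value)
        self.vault[token] = value           # same value always maps to the same token
        return token

    def pseudonymize(self, text: str) -> str:
        """Return the text that may be sent to the AI system."""
        text = CF_RE.sub(lambda m: self._swap("CF", m), text)
        return PIVA_RE.sub(lambda m: self._swap("PIVA", m), text)

    def reidentify(self, text: str) -> str:
        """Restore identifiers in the model's answer, locally."""
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text


# Constructed prompt: the same codice fiscale appears twice, plus one partita IVA.
PROMPT = (
    "Riassumi il contratto del cliente RSSMRA80A01H501U (P.IVA 12345678903); "
    "il cliente RSSMRA80A01H501U ha pagato il 01/02/2025."
)


def run_demo(key: bytes = b"constructed-demo-key") -> dict:
    """Round trip: pseudonymize the prompt, simulate a model answer, re-identify it."""
    p = Pseudonymizer(key)
    outbound = p.pseudonymize(PROMPT)
    # The model only ever sees `outbound`; a real answer would echo the token back.
    token = p.pseudonymize("RSSMRA80A01H501U")
    model_answer = f"Il cliente {token} risulta in regola."
    return {
        "outbound": outbound,
        "restored": p.reidentify(model_answer),
        "vault_size": len(p.vault),
    }


if __name__ == "__main__":
    print(run_demo())
```

The vault is meant to live for one request (or one session) and be discarded afterwards; keeping the HMAC key separate from the application that talks to the model means a leaked prompt log yields stable but meaningless tokens rather than codici fiscali.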

For AI training: Explicit documented legal basis is required. Consent is the Garante's preferred basis for training on Italian user-generated content. "Legitimate interest" requires a documented balancing test demonstrating that the training purpose does not override Italian users' data protection interests.

For AI outputs: Systems generating outputs about Italian individuals must implement safeguards against hallucination of personal data (generating false information attributed to real individuals) — the Garante has flagged this as a specific risk requiring technical mitigation.

63% of Italian enterprises lack GDPR-compliant AI data governance policies (Garante 2024). For organizations deploying AI tools in Italy: codice fiscale and partita IVA detection with full check character validation, Italian-language NER (spaCy it_core_news), and documented GDPR legal basis for any AI training on Italian personal data are the baseline requirements for Garante compliance.
