Alert // Italian DPA fast tracks minor GDPR breaches & EUDI Wallet rules approved

16.04.2026

Streamlined enforcement and renewed focus on marketing practices: signals from the Italian DPA

Recently the Italian Data Protection Authority (the “Authority”) delivered two converging signals that may be of interest for companies operating consumer-facing and data-intensive business models in Italy: a procedural reform aimed at accelerating low-impact enforcement cases, and a significant sanction in the telemarketing business.

1) By Resolution of March 26, 2026, the Authority amended its Internal Regulation No. 1/2019 to allow the heads of the Authority’s organizational units to issue reprimands directly, without a plenary decision of the Authority’s board, in cases where the alleged violation is outdated, has ceased to have any effect, or has already been adequately remedied. The simplified procedure will, however, not apply to proceedings involving: journalism, citizen and/or labor rights, data controllers and data processors with annual revenue exceeding 500,000 euros, or to processing activities carried out by ministries, regions, and autonomous provinces, local health authorities (ASL), and municipalities with a population exceeding 50,000 inhabitants.

From a policy standpoint, the reform confirms a more selective use of collegial enforcement, enabling the Authority to concentrate its full investigative resources on cases with systemic relevance.

2) The telemarketing sector remains an area of close regulatory scrutiny in Italy. In its Decision of March 12, 2026, the Authority imposed an administrative fine exceeding EUR 500,00 on an energy operator after finding that customer contacts had in some cases been used to make promotional offers without an adequate legal basis. The Authority also found that such offers had been made even where the individuals concerned had refused the processing of their personal data for marketing purposes at the time the contractual relationship was established.

The decision is noteworthy for its focus on organizational safeguards. In particular, the Authority identified shortcomings in the measures adopted in connection with certain re-contact procedures and reiterated that controllers must implement technical and organizational arrangements capable of ensuring the lawful origin and use of personal data. In the Authority’s view, this includes the need to adopt mechanisms that are genuinely capable of verifying the data subject’s intention to receive promotional communications and, more broadly, to ensure that data processing remains compliant throughout the relevant commercial and operational chain.

From a business perspective, the case serves as a timely reminder of several well-established, yet still operationally challenging, compliance expectations. First, interactions framed as customer care, account management, or service-related communications should not, in practice, become a vehicle for promotional outreach unless the relevant legal requirements are independently satisfied. Second, the collection and recording of customer preferences must be supported by governance measures that make those preferences effectively traceable, actionable, and consistently respected across channels. Third, reliance on external partners does not dilute the controller’s accountability: rather, it requires verifiable controls over the ways in which those partners access, use and apply customer data in external marketing activities.

More broadly, the decision illustrates the Authority’s continued emphasis on practical compliance rather than purely formal privacy documentation. For companies operating in high-volume B2C contexts, this means that the legal separation between service communications and marketing activities must be reflected not only in internal policies, but also in scripts, workflows, vendor instructions, consent collection mechanisms, audit trails, and escalation procedures.


EUDI Wallet enters the operational phase: Commission sets harmonised rules on remote onboarding

A key step in the implementation of the revised eIDAS framework was taken with the adoption of Commission Implementing Regulation (EU) 2026/798 of April 7, 2026, laying down harmonised rules for the remote onboarding of users to the European Digital Identity Wallet (“EUDI Wallet”).

The EUDI Wallet is the tool established by Regulation (EU) 2024/1183 (eIDAS 2) to create a single legal framework for European digital identity. It allows citizens to hold and selectively share electronic attribute statements (educational qualifications, licenses, health data) with full legal and evidentiary value throughout the European Economic Area, ensuring cross-border interoperability and direct user control over their personal data.

The Regulation specifies how electronic identification means issued at “substantial” assurance level may be combined with additional remote onboarding procedures in order to reach an overall “high” assurance level, within the meaning of the eIDAS regime. The objective is to ensure a consistently high level of trust, security and interoperability across Member States, while allowing for scalable and user‑friendly enrolment processes.

From a regulatory perspective, the Regulation significantly reduces national discretion in the design of wallet onboarding procedures and marks a clear transition from architectural planning to operational deployment of the EUDI Wallet ecosystem. The rules are directly applicable and set binding reference standards and specifications, thereby narrowing the margin for fragmented national implementations.

The implications are relevant not only for Member States and wallet providers, but also for private‑sector actors that will increasingly rely on the EUDI Wallet as a trusted identification and authentication tool. Providers of digital services, financial services, platforms and regulated entities should expect a gradual but decisive shift towards wallet‑based identification flows, with corresponding impacts on user journeys, compliance architectures and contractual arrangements.


Want to know more?

Get in touch with the authors

Andrea Fedi

Partner

Lucio Scudiero

Counsel