The Court of Cassation[1] overturned the decision of the Tribunal of Rome in dispute between Enel Energia S.p.A. (“Enel”) and the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”)[2]. The ruling follows the annulment of the decision, issued by the Garante against Enel, inflicting a fine of more than 26 million Euros.
The Case
This decision represents a watershed moment in the case that resulted in the Garante imposing a Euro 26,513,977 fine on Enel Energia, along with various warnings, admonitions and prescriptions.
Back in 2024, the Tribunal of Rome had annulled the decision, arguing that that the Garante had exceeded the peremptory 120-day term for notifying the contestation of violations. The Tribunal held that this term should run from the date on which the Garante received the final responses to its requests for information and clarifications, and that the Garante’s delay in issuing the contestation rendered the sanctioning measure invalid. In particular, the Tribunal criticized the Garante’s use of the cumulative procedure (CUM) for grouping complaints and the extended investigative phase spanning approximately two and a half years, concluding that such prolonged activity violated Enel’s right of defense and the principle of legal certainty.
Key Elements of the Judgment
The Court of Cassation, however, rejected the position held by the Tribunal of Rome, arguing that the Garante’s procedural activity is structured in two phases:
a) A preliminary investigative (or pre-investigative) phase: governed by Article 166, paragraph 4, of the Data Protection Code, during which the Garante exercises its inspection powers under Article 58 of the GDPR to gather information. During this phase, the Garante does not have actual knowledge of the prerequisites for imposing a sanction.
b) A sanctioning phase in the strict sense: this phase begins with the notification under Article 166, paragraph 5, and amounts to a proper administrative proceeding during which the alleged offender may submit defensive briefs and request a hearing, and culminates in the adoption of the sanctioning decision.
Against this backdrop, the Court of Cassation held that:
- The 120-day time limit is peremptory. The Court of Cassation confirmed that the 120-day term provided by Garante Regulation No. 2/2019 for the conclusion of sanctioning proceedings is peremptory. The provision of a precise time limit protects both legal certainty (in terms of predictability of consequences) and the effectiveness of the right of defense, which requires temporal contiguity between the ascertainment of the offence and the application of the sanction.
- However, the 120-day term starts running from the notification of an alleged violation. this term applies only to the second phase of the Garante’s procedural activity and starts running from the notification of an alleged violation pursuant to Article 166, paragraph 5, of the Data Protection Code.
- On the contrary, the first pre-investigative phase is not subject to any (peremptory) term. According to the Court of Cassation, there is not a specific term for this phase in the Garante’s Regulation no. 2/2019. As such, this phase is subject to the general term of 90 days from the receipt of the request, whose violation does not have consequences on the validity of the adopted decision (in line with an established administrative case law). Rather, the consequence of violating this term would entail anyone damaged from it to the right to compensation for the damage suffered in connection with the violation of this term.
Concluding Remarks
The Court of Cassation’s judgment provides important clarification on the application of the 120-day peremptory term for sanctioning proceedings before the Garante, establishing a clear distinction between the preliminary investigative phase and the sanctioning phase. Nevertheless, the decision simultaneously highlights certain areas deserving further reflection and analysis.
First, this interpretation seems to be in contrast with the same provision of Regulation 2/2019, which sets forth that the term for “the communication of the violations (article 166, para. 5, Data Protection Code)” is:
“120 days from the ascertaining of the infringement for the notification of the same”
As it is worded, this provision seems to set forth the term for the notification of the infringements. However, according to the Court of Cassation, the 120-term would run from the notification itself.
Second, the judgment by the Court of Cassation does not consider another term provided by the same Regulation 2/2019, i.e. in proceedings following a report from individuals or proceedings started ex officio by the Garante, the Garante must adopt a decision (issuing a sanction and/or imposing corrective measures) within 18 months from the opening of the proceedings to adopt that decision. As such, according to the Court of Cassation, there would be two terms referring to the sanctioning phase: one of 120 days and the other of 18 months.
The decision, therefore, does not seem to shed a light on the issue of the terms for the Garante to conduct investigations and further judicial intervention are expected to provide more clarity.
[1] Judgment No. 18583/2025 of the Civil Court of Cassation, sez. I.
[2] Judgment No. 2615/2023 of the Rome Tribunal.
