Italian Supreme Court: Judges have the authority to review and potentially revise administrative penalties imposed by DPAs under GDPR if deemed excessive

Thanks to Michelegiuseppe Leggieri Cistena for collaborating on this article

The Court of Cassation, Italy’s highest court, determined that, a trial judge may not only annul in whole or in part an administrative fine issued for noncompliance with the GDPR, but may also modify its amount[1].

Additionally, the Court of Cassation outlined important principles to be followed in setting the amount of GDPR fines.


The decision relates to a EUR 2.6 million fine issued in 2021 by the Italian Data Protection Authority (Garante per la protezione dei dati personali) against Foodinho S.r.l., an Italian company in which the Spanish GlovoApp23 S.L. holds a controlling stake. That sanction was completely annulled by the court as it was deemed excessive. Indeed, according to the Court of Milan, the fine was set at an amount equal to 7.29% of Foodinho’s annual worldwide turnover, far above the parameter of 4% provided under Article 83 GDPR. Additionally, the fine is higher than the average percentage (0.0019%) applied by the Garante.

According to the Court of Milan, judges in such proceedings (unlike judges in other administrative proceedings governed by Articles 6 and 7 of Legislative Decree No. 150/2011) do not have the authority to modify the amount of a pecuniary fine issued under the GDPR (Legislative Decree No. 150/2011), even if it is deemed excessive.


Both parties challenged the decision of the Court of Milan before the Court of Cassation, which annulled the decision and referred the case back to the Court of Milan for it to establish a new fine following the criteria outlined in the Court of Cassation’s decision.

According to the Court of Cassation, the Milan court wrongly decided the case for the following reasons:

  1. Firstly, the Milan court erred in finding that the penalty imposed was excessive. Indeed, according to the Court of Cassation, the criteria of a percentage of annual worldwide turnover must be applied to determine a fine only if the resulting sanction is higher than the maximum threshold of EUR 20 million.
  2. Secondly, the Court of Cassation determined that—contrary to the arguments of the Milan court—judges have the power to reassess the amount of the fine issued by the Garante under the GDPR. Indeed, the Court of Cassation stated that Legislative Decree No. 150/2011 separately governs disputes concerning the protection of personal data in Article 10. Nevertheless, this provision must be coordinated with the current Article 166 of the Italian Data Protection Code (Legislative Decree No. 196/2003), which cites the adoption of sanctioning measures under Law No. 689/1981, as applicable.
    Article 22 of Law No. 689/1981 specifically invokes Article 6 of Legislative Decree No. 150/2011, which gives judges the opportunity to reassess the amount of a pecuniary sanction issued by a public administrative body. Therefore, even in a dispute regarding personal data the judge has the power to proceed independently with a review of the administrative monetary penalty if deemed excessive.

Finally, the Italian Court of Cassation clarified that the assessment of whether a processing activity qualifies as cross-border processing is a matter of merit. Therefore, it is up to the judge (and not the Court of Cassation) to determine whether the Garante applied the rule correctly.

For the above reasons, the Court of Cassation annulled the decision and sent the case back to the Court of Milan for it to reassess the fine to be issued following the criteria outlined in the Court of Cassation’s decision.

[1] Decision No. 2719/2023

Follow us on