After the landmark decision adopted by the Tribunal of Rome in 2023, which was overruled by the Supreme Court of Cassation in 2025, a vigorous debate arose on the nature of the time limits applying to proceedings before the Italian Data Protection Authority (Garante per la protezione dei dati personali – “Garante”).
The debate mainly focuses on whether the time limits governing proceedings before the Garante are mandatory or not, and has been further fueled by subsequent judgements of lower courts following the interpretative approach of the Supreme Court of Cassation.
The development of the case law leads to questioning the need to reform Regulations 1/2019 and 2/2019 governing proceedings before the Garante, so as to better align them with the principles enshrined at constitutional level, with the aim of ensuring effective protection of all parties involved.
In a nutshell, the Supreme Court stated that proceedings before the Garante must be concluded within 120 days from the ascertainment of the violation. In other words, this mandatory time limit applies to the so-called “investigative phase”, which begins when the Garante notifies the data controller of the initiation of the proceeding.
The reasoning underlying the interpretation followed by the Supreme Court is clear: a different approach, allowing the Garante to extend proceedings for an indefinite period, would be incompatible with the right of defence.
However, to grant full and effective protection of the right of defence, as well as a concrete application of the principle of legal certainty, the approach followed by the Supreme Court should be extended also to the “pre-investigative phase”, i.e. the activities carried out by the Garante prior to the notification of the proceeding to the data controller.
Indeed, during the pre-investigative phase, the Garante has the power to request information on a broad basis, and, under the current regulatory framework, this phase can potentially last for years without any defined time constraint.
Therefore, although the Garante is in theory subject to a mandatory deadline to close the proceeding, data controllers could in practice be involved in investigations for an indefinite period, in breach of the principle of legal certainty.
To address this issue, a viable solution could be amending the existing Regulations 1/2019 and 2/2019 adopted by the Garante, in order to clearly identify the phases of the proceedings, the deadlines applying to each of them, as well as the powers granted to the Garante during the entire proceeding.
This is crucial to ensure a correct balance between the different interests involved: the right to data protection and the freedom of enterprise, both of which are protected at constitutional level.
