Artificial Intelligence, Profiling and Automated Decision Making
Are there any restrictions or requirements related to creating profiles of data subjects or utilizing automated decision-making for decisions related to data subjects, including with respect to artificial intelligence?

[Last reviewed: January 2025]

Yes.

The restrictions or requirements are as follows:

☒   qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them

☒   right to information / transparency requirement

☒   right to request human review of the automated decision making

If such restrictions or requirements exist, are they subject to any exceptions?

[Last reviewed: January 2025]

Yes.

The exceptions are as follows:

If the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller
  • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights/freedoms and legitimate interests
  • is based on the data subject's explicit consent

Has the data privacy regulator issued guidance on data privacy and artificial intelligence, automated decision-making or profiling?

Last review date: January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide guidance.

Yes.

The Garante has undertaken enforcement actions against GenAI platforms over concerns regarding transparency, age gate and fairness of processing, and has issued an order to address those concerns.

In relation to profiling and social scoring, the Garante started investigation activities, claiming unfair processing of individuals' data.

Has the data privacy regulator taken enforcement action in relation to artificial intelligence, including automated decision-making or profiling?

Last review date: January 2025

         Enforcement activity against AI user(s)/deployer(s)

         Enforcement activity under existing privacy law

Do other (non-personal data or cybersecurity) laws or regulations impose restrictions on use of artificial intelligence, automated decision-making or profiling?

Last review date: January 2025

☒   Yes, laws in force

☒   Draft legislation in progress

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

The Digital Services Act (Regulation 2022/2065 of 19 October 2022 on a Single Market For Digital Services - “DSA”), which will be fully applicable as from 17 February 2024, sets forth specific restrictions with respect to certain uses of profiling. In particular, under Art. 26 (3) of the DSA, providers of online platforms may not present advertisements to recipients of the service based on profiling as defined in Art. 4 GDPR using special categories of personal data referred to in Art. 9 (1) GDPR. Furthermore, pursuant to Art. 28 (2) of the DSA, providers of online platforms may not present advertisements on their interface based on profiling (within the meaning of Art. 4 GDPR) using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor. Lastly, according to Art. 38 DSA, providers of very large online platforms and of very large online search engines that use recommender systems must provide at least one option for each of their recommender systems which is not based on profiling (within the meaning of Art. 4 GDPR).