By deliberation No. 797 of 30 December 2025 the Italian Garante planned its inspection activity for the first half of 2026: artificial intelligence in schools, data breaches of public databases, whistleblowing, health dossiers, energy-sector telemarketing, and anonymisation of Telco big data. And the recent Emirates fine shows that even a lawful legal basis does not save the controller from disproportionate retention and opaque privacy notices. What should controllers and DPOs know?
The Garante’s inspection planning has always been a valuable map for controllers and processors: it indicates where the Authority’s attention will concentrate and, in the background, which processing operations it considers most risky for data subjects’ rights and freedoms. This seems the right place to examine the plan for the first half of 2026, adopted by deliberation No. 797 of 30 December 2025, concerning the inspection activity “carried out by the Garante’s Office, also through the Guardia di Finanza, limited to the January–July 2026 period”, based, among other things, on Articles 157 and 158 of the Italian Data Protection Code and Article 58 of the GDPR.
The areas under scrutiny
The deliberation identifies the following areas of intervention: the continuation, within the interdepartmental task force, of checks on data breaches affecting particularly significant and sensitive public databases, with the declared aim “of curbing the phenomenon of unauthorised access and the resale of confidential information”; the continuation of checks on the “most widespread applications for acquiring and managing whistleblowing reports”; the “checks on the use of artificial-intelligence tools employed in the school environment”; the continuation of checks on the so-called health dossier; the “unlawful processing of data for telemarketing purposes with particular reference to the energy sector”; the processing carried out within the Customs Information System; and the “policies and anonymisation techniques implemented by Telcos for the sharing of big data in the light of the CJEU judgment of 4 September 2025”. The deliberation specifies that the planned activity will concern “at least 40 inspections”.
What is new compared with the previous plan
The comparison with deliberation No. 451 of 4 August 2025 (July–December 2025) is instructive. First, three new areas enter the plan: AI in schools, the Customs Information System and the anonymisation of Telco big data — the latter in declared dependence on the Court of Justice judgment of 4 September 2025. Second, insurance quotation processing, local public transport, biometric recognition of banking customers and disease registries for statistical purposes leave the plan. Third, the quantitative threshold rises from at least 35 to at least 40 inspections. Finally, the fight against unauthorised access to public databases acquires an explicit aim, that of “curbing the phenomenon of unauthorised access and the resale of confidential information”. The direction of travel is clear: at the centre of the half-year lie the public data ecosystem, AI in contexts involving vulnerable subjects — minors first of all — and the robustness of anonymisation techniques.
The Emirates case: when the legal basis is not enough
That formal compliance does not exhaust the lawfulness assessment is shown by provision No. 347 of 14 May 2026, made public with newsletter No. 548 of 17 June 2026, by which the Garante fined Emirates in relation to the collection, through the MEDIF form, of the data of passengers with disabilities or reduced mobility. The outcome is surgical. The Authority “finds the processing carried out by Emirates unlawful […] for the infringement of Articles 5(1)(a) and (e), 12 and 13 of the Regulation”: lawfulness, fairness and transparency, storage limitation, information. No infringement was found, instead, as to the legal basis, deemed lawful. The fine was set at €180,000, accompanied by corrective measures under Article 58(2)(d) of the GDPR.
The sore point was, first of all, retention: the provision notes that the MEDIF “is kept by Emirates together with the passenger’s travel documents and retained for the whole flight […] as well as for the following 7 years”; as the newsletter summarises, “the company retained the health data collected through the Medif form for a period of seven years, considered by the Authority excessive and not proportionate to the purpose pursued”. To this was added a privacy notice that was present but not adequate, being unclear on who was required to complete it and which fields were actually mandatory. The same newsletter reports further interventions: a reprimand to a Municipality that had used urban video-surveillance footage to contest a traffic offence, in breach of the principles of lawfulness and purpose limitation, and the provision on so-called sharenting of 29 April 2026, reaffirming that “to publish on social networks images depicting minors under 14, the prior consent of both parents is required”.
What controllers and DPOs must do
From this picture at least four operational indications follow. First, the retention of special-category data is confirmed as an autonomous ground for sanctions: the lawfulness of the legal basis does not save the controller from disproportionate and undocumented retention periods. Terms must be defined purpose by purpose, and evidenced. Second, transparency must be effective and not merely formal: an existing but unclear privacy notice on recipients and mandatory fields infringes Articles 12 and 13 of the GDPR. Third, the new inspection priorities draw the risk map of the half-year: those operating in AI in schools, whistleblowing, public-database management or big-data anonymisation should anticipate the inspection with internal audits, updated DPIAs and registers in order — bearing in mind that on-site inspection, also through the Guardia di Finanza, does not require a prior complaint. Finally, for local authorities, the purpose constraint in urban video-surveillance: further uses of footage require an express legal basis.
Conclusions
The 2026 inspection plan and the most recent enforcement practice compose a univocal message: the Authority progressively shifts its attention from the mere existence of obligations to their substantive quality, with particular regard for contexts involving vulnerable subjects and for emerging technologies. In the light of the above, one wonders whether controllers and processors will grasp the meaning of this evolution, verifying in concrete terms retention periods, the transparency of privacy notices and the proportionality of processing operations, before an inspection — not infrequently conducted without notice — comes to expose their shortcomings.
