Italy — AgID fined €55,000 for INAD/INI‑PEC transparency failures
The Italian Garante fined AgID €55,000 for transparency and privacy‑by‑design failures when moving PEC addresses from INI‑PEC to INAD. A warning shot for public registers and data reuse.
On 28 May 2026, Italy’s Data Protection Authority (Garante) fined the Agency for Digital Italy (AgID) €55,000 for publishing and reusing professionals’ PEC addresses moved from INI‑PEC to INAD without adequate prior information. The shortcomings affected all listed professionals, and the Garante ordered the decision to be published.
The facts
The Garante found that addresses from a professional register (INI‑PEC) were repurposed for a new objective (INAD) without specific prior notice and without appropriate privacy‑by‑design/by‑default controls for the changed context.
Legal basis and reasoning
- Lawfulness, fairness and transparency (Article 5(1)(a) GDPR)
- Purpose limitation (Article 5(1)(b))
- Accountability (Article 5(2))
- Privacy by design/by default (Article 25)
- Information duties (Articles 12 and 14)
The fine relies on Articles 58(2)(i) and 83 GDPR, with publication under Italian law. Applying EDPB Guidelines 04/2022 on fine calculation ("medium" gravity, late remediation), the decision stresses that generic communications cannot replace prior, individual, effective information when purposes change.
For EU requirements, see the GDPR Articles 12, 14, 25 and 83 and their practical implications.
What this means for Luxembourg organisations
- Public registers and directories. In Luxembourg, reusing professional contact data (INI‑PEC/INAD equivalents, professional orders, sector directories) requires individual prior notice and tight purpose‑information alignment. Lack of targeted information risks CNPD non‑compliance. An outsourced DPO mandate can structure analyses and notices.
- Operational privacy‑by‑design/by‑default. Any migration or syndication of directories should include a risk‑based DPIA, push‑style information flows and evidencing. Refer to our GDPR Luxembourg overview and CNPD expectations to scope your projects.
- Cross‑border governance. In multi‑jurisdiction groups, reusing member/customer directories (marketing, IDs, matching) requires a solid legal basis and prior information before transfers. The same bar applies to public bodies.
Immediate actions this week
- Map all “riversamenti” and internal/external directory reuses (HR, B2B clients, members, public registers) and check purpose‑information alignment (Articles 5 and 14).
- Roll out a “reinforced transparency” plan before any new publication/reuse: individual notices, proof of information, versioning, contextual banner.
- Embed privacy‑by‑design (Article 25) in your project lifecycle: risk checklists, DPIA where needed, objection/opt‑out where legitimate interest applies, pre‑production legal review, and full traceability in the RoPA. Where helpful, engage a Luxembourg DPO to accelerate compliance.
Article generated by Luxgap regulatory watch.