Italy: €100,000 fine against Lepida over LepidaID shortcomings
Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.
Summary. Italy’s DPA (Garante) fined Lepida S.c.p.A. €100,000 for data protection infringements in the LepidaID digital identity system. Key findings concern transparency, data minimization, and excessive retention of technical logs.
Facts
On 29 April 2026, the Italian Data Protection Authority fined Lepida S.c.p.A. €100,000 for violations of the GDPR related to the LepidaID digital identity system. The decision notes the service covers “over 1.5 million people” and highlights retention of transaction logs beyond 24 months, insufficient information (Art. 13), and shortcomings in privacy by design/by default. Trade press reported the decision on 1 July 2026.
Legal basis
- Article 5(1)(c), (e), (f) GDPR: data minimization, storage limitation, integrity/confidentiality.
- Article 13(1)(a) GDPR: clear information to data subjects.
- Articles 25 and 32 GDPR: privacy by design/by default and security of processing.
The Garante relied on EDPB Guidelines 04/2022 on the calculation of fines (v2.0, 24 May 2023) and recalled the possibility to publish the sanction (Art. 166 of the Italian Code). Retention beyond 24 months also conflicts with SPID sector rules and the storage limitation principle.
What this means for Luxembourg organizations
- Digital identity and public/para‑public services. Expectations carry over to eID/eIDAS ecosystems, one‑stop portals and KYC providers: clear role governance (controller/processor/joint controller), precise information and tightly bounded, documented log retention.
- Log retention and NIS 2/DORA compliance. Logs are vital for detection and investigation, but durations must be justified, limited and secured. Align practices with NIS 2 requirements and, for financial entities, with the DORA framework, without exceeding what is necessary under the GDPR.
- Transparency and by design. Authorities increasingly require granular information and design (default settings, least privilege, admin access traceability), even at large scale (>1.5M users).
Immediate actions this week
- Map and freeze log retention periods. Document purposes, legal bases and durations (e.g., 6, 12, 24 months), enable automated purging, and keep evidence (screenshots, change tickets, SIEM records). A managed SOC for logging and incident detection can help operationalize these controls.
- Update Art. 13 GDPR information for logs and identity. Provide a dedicated section on log types, purposes (security, anti‑fraud), legal bases, durations, rights and transfers. A certified DPO mandate supports coherence and traceability (versions, dates, rollout).
- Review operator roles and access. Reassess admin rights (least privilege, business justification, access logging) and formalize processor/joint‑controller clauses (Arts. 28/26 GDPR) with audit evidence and a ≤30‑day remediation plan.
References
- Garante Privacy – Provvedimento del 29 aprile 2026 n. 10263964 (Lepida S.c.p.A.)
- Federprivacy – Il Garante Privacy sanziona Lepida per violazioni del Gdpr (01/07/2026)
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →