Data & Technology Innovation | April 2026 Insight

Marketing and personal data protection: the Garante sanctions a well-known gym chain for misalignment between CRM and suppliers’ databases for marketing purposes

Data protection

By decision of 12 February 2026, the Italian Data Protection Authority (the “Garante”) imposed an administrative pecuniary sanction on a well-known gym chain following violations found in the processing of personal data for marketing purposes. The investigation was initiated on the basis of a complaint by a former gym attendee who complained of receiving unauthorised promotional communications, which continued despite his express objection and request for erasure.

The case under examination highlights the risks linked to fragmented management of personal data for marketing purposes. The company, in particular, used a cloud-based customer relationship management (CRM) system to manage members’ personal data and consent to the receipt of commercial communications, while promotional contacts were entrusted to external suppliers through dedicated platforms. On that basis, during marketing campaigns, the lists of contactable individuals were extracted from the company’s CRM and communicated to the supplier in charge for the contact activities.

In the case at hand, a misalignment emerged between the company’s CRM and the external marketing platforms. Alignment between the databases did not take place automatically but manually, so withdrawals of consent and objections were not automatically transmitted between the company and its suppliers. Owing to a human error in that manual operation, this arrangement allowed the complainant’s name to still appear as “contactable” even though it had been removed from some contact lists, resulting in unlawful processing in breach of Articles 12 and 17 of the GDPR and Article 130 of the Privacy Code. In order to limit similar events, the company therefore entrusted the sending of commercial communications to a supplier capable of ensuring that attendees who so request are unsubscribed and their data erased simultaneously and automatically, both from the supplier’s own platform and from the cloud-based CRM.
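The failure mode above is consent state going stale in a supplier's copy of the CRM list. The following added example (not code from the decision or the company) shows a reconciliation check that compares a supplier's contact list against the CRM as source of truth and flags entries that must be suppressed or erased; all records, field names and addresses are constructed for illustration.

```python
"""Added example: detect consent drift between a CRM and a supplier's contact list.
The CRM is the source of truth for marketing consent; the supplier holds a copy
extracted earlier, so withdrawals and erasure requests can go stale there."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CrmRecord:
    email: str
    marketing_consent: bool   # current opt-in state held in the CRM
    erasure_requested: bool   # data subject asked for erasure (Art. 17 GDPR)


def normalise(email: str) -> str:
    # Case and whitespace differences are a typical source of manual-sync errors.
    return email.strip().lower()


def contactable(crm: list[CrmRecord]) -> set[str]:
    """The only addresses a campaign may legitimately extract from the CRM."""
    return {normalise(r.email) for r in crm
            if r.marketing_consent and not r.erasure_requested}


def find_drift(crm: list[CrmRecord], supplier_list: list[str]) -> dict[str, list[str]]:
    """Classify each entry in the supplier's copy against the CRM state."""
    by_email = {normalise(r.email): r for r in crm}
    drift: dict[str, list[str]] = {"erase": [], "suppress": [], "unknown": []}
    for raw in supplier_list:
        email = normalise(raw)
        rec = by_email.get(email)
        if rec is None:
            drift["unknown"].append(email)    # absent from the source of truth
        elif rec.erasure_requested:
            drift["erase"].append(email)      # must be deleted, not merely suppressed
        elif not rec.marketing_consent:
            drift["suppress"].append(email)   # consent withdrawn or objection raised
    return drift


# Constructed sample data; the third record models the complainant in the case.
CRM = [
    CrmRecord("alice@example.com", True, False),
    CrmRecord("bob@example.com", False, False),
    CrmRecord("carl@example.com", False, True),
]
# Supplier copy extracted before Bob objected and Carl asked for erasure.
SUPPLIER_LIST = ["alice@example.com", "Bob@Example.com ", "carl@example.com", "dan@example.com"]
if __name__ == "__main__":
    print(find_drift(CRM, SUPPLIER_LIST))
```

Running the check before every campaign extraction, or on every consent change, turns the manual alignment step into an automated gate, which is the kind of technical measure the decision refers to.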

The Garante’s decision is also of great interest for the reasoning adopted in calculating the pecuniary sanction. In setting the amount, equal to EUR 30,000.00, the Garante first identified the theoretical statutory maximum of EUR 20 million under Article 83(5) of the GDPR and then applied the criteria of effectiveness and proportionality, weighing the following elements: (i) an aggravating factor, namely the company’s repeat offending, having already in the past failed to respond promptly to the Garante’s requests for information; (ii) a mitigating factor, namely the nature of the data involved, limited to ordinary contact data. The Garante thus set the sanction at 0.15% of the statutory maximum, also taking into account the company’s cooperative conduct and its implementation of automatic database alignment systems to prevent future errors.

In conclusion, the decision confirms once again how the adoption of appropriate technical and organisational measures is essential to ensure that the exercise of data subjects’ rights and regulatory compliance is not undermined by technological and human inefficiencies.

Cybersecurity Act 2 and NIS2: the joint EDPB-EDPS opinion recalls the necessary balance between security and rights

Cybersecurity & Data Protection

By Joint Opinion 4/2026, adopted on 18 March 2026, the EDPB and the EDPS intervened on the proposal for Cybersecurity Act 2 and on the amendments to the NIS2 Directive, offering a particularly interesting reading of the increasingly close relationship between cybersecurity and the protection of personal data.

The opinion welcomes the Commission’s objective of strengthening ENISA’s role, simplifying compliance obligations and making the European cyber certification framework more effective. Particularly appreciated is the provision for a single-entry point for incident notification, intended to reduce the fragmentation of reporting obligations without diminishing the level of protection of data subjects.

The most relevant point, however, is systemic in nature: the European authorities reiterate that cybersecurity and data protection do not coincide, although they are now closely interdependent. If, on the one hand, security measures constitute an essential safeguard under Articles 5(1)(f) and 32 GDPR, on the other hand some cyber measures — such as advanced logging, traffic monitoring, behavioural analysis or threat intelligence — may significantly affect the fundamental rights of data subjects. Hence the very clear reminder of the principles of necessity and proportionality, which must accompany every technical and organisational choice.

Of particular interest is also the passage dedicated to the new European certification framework, in relation to which the EDPB and the EDPS call for greater clarity on its relationship with the certification mechanisms provided for by Articles 42 and 43 GDPR. The underlying message is clear: cyber certification cannot be read as an automatic attestation of privacy compliance, although important synergies may certainly exist.

From an operational point of view, the opinion seems to confirm a now established trend: cyber compliance can no longer be managed in isolation from the privacy area or the legal team. Governance, incident management, supply chain security and notification processes require an integrated approach, capable of combining technical effectiveness and regulatory robustness.

In this sense, the real issue is not only to “increase security”, but to do so in a legally sustainable way, avoiding the risk that the cyber safeguard itself becomes a source of regulatory risk.

Green claims and the Consumer Code: towards an “evidence-based” model of environmental communication

Consumer Protection

By Legislative Decree No. 30/2026, published in the Official Gazette on 9 March 2026 and entering into force on 24 March, with application from 27 September 2026, the Italian legislator implemented Directive (EU) 2024/825 (Empowering Consumers Directive), intervening in an organic manner in the regulation of unfair commercial practices in the field of environmental communication.

The measure marks a particularly significant step: greenwashing expressly enters the Consumer Code, through new statutory definitions, the expansion of the black list of prohibited practices and a significant strengthening of the information and evidential obligations incumbent on traders.

For the first time, notions such as “environmental claim”, “generic environmental claim”, “sustainability label” and “certification scheme” are codified, with the effect of reducing the interpretative grey areas which, until now, have often left room for ambiguous or excessively promotional communications. On the substantive level, the following become expressly prohibited, among other things: the use of generic claims such as green, eco-friendly or sustainable, if not adequately supported; the use of labels lacking independent certification schemes; statements referring to the whole product when they concern only limited aspects; as well as climate neutrality claims based exclusively on offsetting mechanisms.

The central point of the reform, however, is another: the shift to an ex ante evidential model, according to which the undertaking must be able to demonstrate, in a documented, verifiable and traceable manner, the correctness of every environmental statement.

The reform, moreover, also extends to issues of product durability, reparability and transparency regarding software updates, while at the same time strengthening pre-contractual information obligations.

The AGCM’s powers remain unaffected, with a particularly incisive sanctions regime: up to EUR 10 million, which may be increased to 4% of annual turnover in cross-border cases.

The real paradigm shift is cultural before it is regulatory: sustainability can no longer be managed as a mere marketing lever, but requires an internal process of prior validation, based on technical evidence, governance safeguards and alignment between communication, product and supporting documentation. In other words, compliance on green claims now becomes an essential safeguard not only from a regulatory perspective, but also in terms of reputational risk and consumer trust.

Influencer marketing: AGCOM’s FAQs between operational clarifications and strengthened compliance

Media & Communication

On 16 March 2026, the Communications Regulatory Authority published two supporting documents, Annex A and Annex B (FAQs), with the objective of facilitating the application of the Guidelines and Code of Conduct adopted by Resolution No. 197/25/CONS on influencer marketing and audiovisual commercial communications.

The intervention forms part of an already structured regulatory framework and, as clarified by the Authority itself, does not introduce new obligations, but helps to define in a much more concrete manner the methods of application of the existing rules, significantly reducing those areas of interpretative uncertainty which, in practice, have often favoured excessively flexible approaches.

From a subjective point of view, a broad notion of influencer is confirmed, including anyone who produces or selects content intended for the online public, exercising editorial control and deriving an advantage, even if not strictly economic, from their activity. Alongside this general category stands that of “relevant” influencers, identified on the basis of size thresholds (500,000 followers or 1 million average monthly views on at least one platform), for whom additional obligations are provided, including registration in the AGCOM list. It remains the case, however, that persons below those thresholds are also fully bound by transparency obligations.

The heart of the FAQs, however, concerns the disclosure of promotional content. The Authority states very clearly that any content having an advertising purpose must be immediately recognisable as such. The commercial nature of the message is found whenever there is an advantage connected to the visibility of the brand, regardless of the existence of financial consideration.

It follows that there is an obligation to use explicit and unequivocal wording, such as “Advertising” or “ADV”; more nuanced formulae, such as “in collaboration with”, are not considered sufficient to make the promotional purpose of the content clearly perceptible.

Particularly relevant is the clarification according to which neither the simple tagging of the brand nor the native tools of the platforms are sufficient. The information must be immediately perceptible, without the user having to perform any action. From this derive very specific operational indications: disclosure present from the beginning of the post; superimposition and description in videos; repetition in stories and live streams; continuation of the indication also in content published subsequently, where the brand remains recognisable.

The FAQs then address some cases particularly frequent in practice: products received free of charge (gifted by), invitations to events, content published after the end of the collaboration. The common thread is always the same: maximum substantive transparency, rather than mere formalism.

Although not formally binding in nature, these clarifications offer a very clear indication of the interpretative and enforcement approach that AGCOM intends to adopt. For influencers, agencies and brands, it therefore becomes increasingly difficult to rely on minimalist readings of the rule: compliance now requires structured editorial and contractual processes, internal policies and prior control of content, in line with a substantive notion of commercial transparency.

Second draft of the Code of Practice on Transparency of AI-Generated Content and joint statement by data protection authorities on AI-generated content

Artificial Intelligence

On 5 March 2026 the European Commission published the second draft of the Code of Practice on Transparency of AI-Generated Content (the “Code” below). The Code, the first draft of which had been published on 17 December 2025 (see our dedicated article on that first draft), is intended to facilitate the implementation of the transparency obligations provided for by Article 50 of Regulation (EU) 2024/1689 (the “AI Act”). The Commission indicated May/June 2026 as the date of publication of the final text, following a series of consultations with interested parties.

On the provider side (Article 50(2) AI Act), the second draft of the Code consolidates and clarifies the multi-layered approach already outlined in the first version. It now expressly requires the implementation of at least two distinct levels of machine-readable marking for the purposes of content traceability. In concrete terms, a combination of metadata embedding (i.e. digital signatures) and watermarking (i.e. imperceptible watermarks) is required; the fingerprinting mechanism, indicated in the first draft as a necessary measure where the other techniques proved insufficient, is now reclassified as a supplementary optional measure. Similarly, the functionalities for perceptible marking of content, provided in the first draft as an option enabled by default, become in this second version of the Code a mere recommendation addressed to providers, in support of the obligations of deployers.

On the deployer side (Article 50(4) of the AI Act), the second draft of the Code simplifies the structure compared with the first, abandoning the detailed “fully AI-generated/AI-assisted” taxonomy in favour of more specific requirements relating to the design and positioning of the icon indicating the use of artificial intelligence. The icon, of which the Code provides some illustrative examples, must feature the acronym “AI” as its main visual element, with specific accessibility standards. The Code also proposes a two-stage model: a first EU icon on a voluntary basis, followed by an interactive label with a second level of information, the development of which will be entrusted to a task force coordinated by the AI Office.

In a context of growing attention to content generated by means of artificial intelligence, the European Data Protection Board (EDPB) published on 23 February 2026 a joint statement signed by 61 data protection authorities from all over the world — including the Italian Data Protection Authority — expressing concern about generative AI systems creating images and videos of real people without consent, and calling for the adoption of specific safeguards, with particular regard to the protection of minors.
