AI Voice Agent in Italy: Garante Privacy Compliance Guide
Important Disclaimer
This article provides general guidance on Italian data protection requirements for AI voice systems. It is not legal advice. Businesses deploying AI voice agents in Italy should consult an Italian data protection specialist or legal counsel familiar with Garante requirements and Italian telecommunications law.
Italy presents unique challenges for businesses deploying AI voice agents. The Garante per la Protezione dei Dati Personali (Italy's data protection authority) has been one of the most active regulators in Europe on AI issues. Italy was the first EU country to temporarily ban ChatGPT (March 2023), and the Garante has consistently taken aggressive enforcement positions on automated calling, data processing, and AI transparency.
For businesses planning to deploy AI voice agents that serve Italian customers or operate from Italian phone numbers, understanding the Garante's approach is not optional - it is essential for avoiding enforcement actions that can reach millions of euros in fines.
Why Italy Is Different: The Garante Approach
While all EU countries implement GDPR, Italy's regulatory environment has several distinguishing features for AI voice agents:
- Proactive enforcement: The Garante does not wait for complaints. It conducts proactive investigations, industry sweeps, and technology reviews. AI companies operating in Italy can expect regulatory attention even without a specific complaint.
- Strict automated calling rules: Italy has comprehensive rules governing automated telephone calls that predate and supplement GDPR. The Registro delle Opposizioni (opt-out register) and specific consent requirements for marketing calls create a stricter regime than in most EU countries.
- ChatGPT precedent: The Garante's 2023 action against OpenAI set a precedent for how Italian regulators approach AI services. The concerns raised - insufficient legal basis, lack of age verification, transparency failures - apply equally to AI voice agents.
- Active AI guidance: The Garante has published specific guidance on AI and data protection, including requirements for AI transparency, data minimization, and automated decision-making that go beyond minimum GDPR requirements.
Garante per la Protezione dei Dati Personali: Overview
The Garante is Italy's independent data protection authority, established under the Italian Data Protection Code (Codice in materia di protezione dei dati personali, D.Lgs. 196/2003, as amended by D.Lgs. 101/2018). Key facts:
- Enforcement powers: The Garante can impose fines up to 20 million EUR or 4% of worldwide annual turnover (GDPR maximum). It can also order temporary or permanent bans on data processing.
- Processing bans: Unlike some data protection authorities (DPAs) that primarily levy fines, the Garante frequently uses processing bans - ordering companies to stop specific data processing activities until compliance is achieved. For an AI voice agent, this could mean a ban on handling calls in Italy.
- Urgency powers: The Garante can issue urgent measures without the standard investigation timeline if it believes there is an immediate risk to individuals' rights. The ChatGPT ban was issued under these urgency powers.
- International cooperation: The Garante actively participates in EDPB (European Data Protection Board) activities and coordinates with other DPAs on cross-border enforcement.
Automated Calling Rules in Italy
Italy has specific rules for automated telephone communications that apply to AI voice agents:
| Call Type | Legal Basis Required | RPO Check Required? | Additional Requirements |
|---|---|---|---|
| Inbound business calls (AI answers) | Legitimate interest or contract | No - caller initiated | AI disclosure under AI Act, call recording consent if applicable |
| Outbound marketing calls | Explicit consent (opt-in) | Yes - must check registry | Identify caller, state purpose, provide opt-out |
| Outbound service calls (existing customers) | Legitimate interest or contract | Check recommended | AI disclosure, purpose limitation |
| Outbound automated/pre-recorded calls | Explicit consent required under Art. 130 Codice Privacy | Yes | Specific consent for automated calling method |
| Outbound debt collection calls | Legitimate interest with strong safeguards | Check recommended | Debtor rights, proportionality, documentation |
Article 130 - Consent for Automated Calls
Article 130 of the Italian Codice Privacy (as amended) requires prior consent for unsolicited communications made by automated calling systems, including AI-powered calls. This is stricter than the general GDPR legitimate interest basis. For outbound AI voice agent calls in Italy, explicit opt-in consent is typically required unless the call falls within specific exceptions for existing customer relationships.
Registro delle Opposizioni: Italy's Do-Not-Call Registry
The Registro Pubblico delle Opposizioni (RPO) is Italy's national opt-out registry for unsolicited telephone marketing. Since July 2022, the registry covers both landline and mobile numbers:
- Scope: All unsolicited telephone marketing calls, including those made by AI voice agents for marketing purposes.
- Obligation: Before making marketing calls, businesses must check the RPO and exclude registered numbers. This check must be performed regularly (at least monthly) as new registrations occur continuously.
- Penalties: Calling a number registered on the RPO without consent can result in fines from the Garante, typically in the range of tens of thousands to millions of euros depending on the scale of violation.
- Consent override: Even if a person previously consented to marketing calls, registering on the RPO revokes all prior consents. Only consent given after RPO registration is valid.
- AI implication: AI voice agents making outbound calls in Italy must integrate RPO checking into their calling workflow. This is a technical requirement that the AI platform must support.
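The RPO rules above expressed as a pre-dial gate for outbound marketing calls (an added example, not code from this article or from any vendor platform). The record fields, reason strings and the 31-day snapshot age are assumptions, and the RPO data is assumed to have been retrieved already through the registry's own process.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_SNAPSHOT_AGE = timedelta(days=31)  # assumption: stands in for "at least monthly"

@dataclass(frozen=True)
class Contact:
    number: str
    consent_at: Optional[datetime]         # explicit marketing opt-in, if any
    rpo_registered_at: Optional[datetime]  # from the RPO snapshot; None = not listed

@dataclass(frozen=True)
class Decision:
    number: str
    allowed: bool
    reason: str
    checked_at: str
    rpo_snapshot_at: str

def marketing_dial_decision(contact, rpo_snapshot_at, now):
    """Decide whether an outbound marketing call may be placed, with a loggable reason."""
    def decide(allowed, reason):
        return Decision(contact.number, allowed, reason,
                        now.isoformat(), rpo_snapshot_at.isoformat())
    if now - rpo_snapshot_at > MAX_SNAPSHOT_AGE:
        return decide(False, "rpo_snapshot_stale")  # fail closed on old registry data
    if contact.consent_at is None:
        return decide(False, "no_explicit_consent")
    reg = contact.rpo_registered_at
    if reg is not None and contact.consent_at <= reg:
        # Registration revokes every consent recorded before it.
        return decide(False, "consent_revoked_by_rpo_registration")
    return decide(True, "consent_valid")

def audit_line(decision):
    """One JSON line per check, for the audit trail."""
    return json.dumps(asdict(decision), sort_keys=True)

UTC = timezone.utc
NOW = datetime(2025, 3, 1, tzinfo=UTC)        # constructed sample data below
SNAPSHOT = datetime(2025, 2, 20, tzinfo=UTC)
SAMPLE = [
    Contact("+390000000001", datetime(2024, 1, 10, tzinfo=UTC), None),
    Contact("+390000000002", datetime(2024, 1, 10, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
    Contact("+390000000003", datetime(2024, 9, 15, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
    Contact("+390000000004", None, None),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(audit_line(marketing_dial_decision(c, SNAPSHOT, NOW)))
```

The second and third sample contacts share the same RPO registration date; only the one whose consent is dated after it passes the gate.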
GDPR Italian Implementation: Codice Privacy
Italy implemented GDPR through Legislative Decree 101/2018, which amended the existing Codice Privacy (D.Lgs. 196/2003). The Italian implementation includes several provisions particularly relevant to AI voice agents:
- Children's data (Article 2-quinquies): Italy set the age of consent for data processing at 14 (GDPR allows member states to set it between 13 and 16). AI voice agents that might interact with minors must implement age verification or treat all data with child-protective standards.
- Automated individual decision-making (Article 22 GDPR, enhanced): The Garante has published guidance interpreting Article 22 broadly. AI voice agents that make decisions affecting individuals (scheduling priority, service eligibility) may trigger automated decision-making requirements even if a human reviews the decision afterward.
- Specific sectoral rules: The Codice Privacy retains specific rules for telecommunications, healthcare, and employment data processing that supplement GDPR. These sector-specific rules can impose additional requirements on AI voice agents operating in these sectors.
AI-Specific Garante Actions and Precedents
The Garante's enforcement actions provide insight into how it evaluates AI systems:
ChatGPT ban and resolution (March-April 2023)
The Garante temporarily banned ChatGPT in Italy over concerns about legal basis, transparency, data accuracy, and age verification. OpenAI was required to implement transparency measures, provide opt-out mechanisms, implement age verification, and clarify legal basis. These same requirements apply to any AI system processing Italian users' data.
Telemarketing enforcement wave (2022-2025)
The Garante imposed multiple fines on companies using automated calling systems for marketing without proper consent. Fines ranged from 100,000 EUR to over 5 million EUR. The principle is clear: automated calling in Italy requires robust consent management.
AI transparency guidance (2024)
The Garante published guidance specifically addressing AI transparency requirements, emphasizing that AI systems must be transparent about their nature, capabilities, and limitations. This guidance predates and supplements the EU AI Act transparency obligations.
Voice assistant investigations (ongoing)
The Garante has investigated voice assistant providers (smart speakers, voice-activated devices) regarding data collection, retention, and processing. The principles from these investigations - data minimization, purpose limitation, retention limits - apply to AI voice agents on phone calls.
Consent Requirements for AI Voice in Italy
| Activity | Consent Type | How to Obtain | How to Document |
|---|---|---|---|
| Answering inbound business calls | Not required (legitimate interest) | N/A | Document legitimate interest assessment |
| Recording inbound calls | Specific consent | Verbal disclosure + opt-in at call start | Log consent event in system |
| Outbound marketing calls | Explicit prior consent | Written or electronic opt-in before calling | Consent database with timestamp and method |
| Processing health data (medical AI) | Explicit consent for special categories | Separate, specific consent for health data | Documented consent with purpose specification |
| Emotion/sentiment analysis | Informed consent | Disclosure at call start + implicit consent to continue | Log disclosure delivery |
| Sharing data with sub-processors | Transparency (not separate consent) | Privacy notice listing processors | Data processing agreements with all sub-processors |
Technical Compliance Requirements
Technical requirements for AI voice agents operating in Italy combine GDPR, Codice Privacy, EU AI Act, and Garante-specific guidance:
- Data processing location: The Garante is particularly attentive to cross-border data transfers. Processing Italian citizens' voice data outside the EU/EEA requires Standard Contractual Clauses or other adequate transfer mechanisms. Processing within the EU is strongly preferred.
- Data retention limits: The Garante expects specific, justified retention periods. Indefinite retention of call recordings or transcripts is not acceptable. Define and enforce retention periods: 30-90 days for quality assurance, longer only with specific justification.
- Right to erasure implementation: Italian data subjects actively exercise their right to erasure. Your AI voice system must support identifying and deleting a specific individual's data across all systems - recordings, transcripts, customer records, and backups - within the 30-day GDPR response window.
- Data breach notification: The Garante requires breach notification within 72 hours. For voice AI breaches affecting Italian data subjects, prepare notifications in Italian and follow the Garante's specific notification format and procedures.
- DPIA requirement: A Data Protection Impact Assessment (DPIA) is likely required for AI voice agents processing Italian data, given the systematic monitoring, automated processing, and potential for sensitive data handling. Complete a DPIA before deployment.
Italy Compliance Checklist for AI Voice Agents
Complete a DPIA for Italian operations
Conduct a Data Protection Impact Assessment specifically covering Italian data subjects. Document data flows, risks, mitigation measures, and the legal basis for each processing activity. The Garante may request this document during an investigation.
Implement AI disclosure in Italian
Configure the AI voice agent to disclose its AI nature in Italian at the start of every call with Italian callers. Example: "Grazie per aver chiamato [Azienda]. Sta parlando con un assistente AI. Come posso aiutarla?"
Check the RPO before outbound calls
If making outbound calls to Italian numbers, integrate RPO registry checking into your calling workflow. Check monthly at minimum. Document all RPO checks and maintain audit trails.
Obtain and document proper consent
For outbound marketing, obtain explicit consent before calling. For call recording, obtain consent at the start of each call. Document all consents with timestamps, method, and scope.
Appoint an Italian-speaking DPO or representative
If processing significant volumes of Italian data, appoint a Data Protection Officer or EU representative who can communicate with the Garante in Italian. The Garante communicates primarily in Italian.
Prepare Italian-language privacy notices
Privacy notices and data processing information must be available in Italian for Italian data subjects. Include specific information about AI processing, sub-processors, data transfer mechanisms, and data subject rights.
Frequently Asked Questions
Yes. Inbound calls where the caller contacts your business are generally covered by legitimate interest or contract performance as a legal basis. You must still comply with AI Act transparency requirements (disclosing AI nature), GDPR obligations (data protection), and any call recording consent requirements. Inbound AI voice agents face fewer restrictions than outbound.
It depends on the purpose. For marketing calls, explicit prior consent is required and RPO checking is mandatory. For service calls to existing customers (appointment reminders, order updates), legitimate interest may apply, but the Garante interprets this narrowly. For all outbound AI calls, AI Act disclosure is required. Consult Italian legal counsel before launching outbound AI calling campaigns.
Processing bans. While fines are significant (up to 20M EUR), the Garante's power to ban data processing is often more disruptive. A processing ban could force you to stop all AI voice operations in Italy until compliance is achieved, causing immediate revenue loss and potential permanent customer loss.
The Garante primarily operates in Italian. While it can review English documentation, your compliance documentation, privacy notices for Italian data subjects, and correspondence with the Garante should be in Italian. Having Italian-language materials demonstrates compliance seriousness and facilitates regulatory interaction.
Voice recordings that can identify an individual are biometric data under GDPR, which is special category data requiring explicit consent for processing in most cases. The Garante takes biometric data seriously. If your AI voice agent creates voiceprints or uses voice recognition for identification, obtain explicit, specific consent and document a strong justification.
Very likely yes. The Garante's published list of processing activities requiring a DPIA includes systematic monitoring of publicly accessible areas, large-scale processing of special categories, and innovative use of new technologies. AI voice agents typically trigger at least one criterion (innovative technology, systematic monitoring of interactions).
The Garante has not specified a universal retention period for call recordings, but expects retention to be justified by the stated purpose. For quality assurance, 30-90 days is generally defensible. For legal compliance, longer periods may be justified (but must be documented). Indefinite retention is not acceptable.
Health data is special category data requiring explicit consent under Article 9 GDPR and the Italian Codice Privacy. If your AI voice agent handles medical practice calls where patients discuss health conditions, you need explicit consent for health data processing, enhanced security measures, and strict access controls. The DPIA becomes even more critical for health data processing.
The Garante closely scrutinizes cross-border transfers, particularly to the US. While the EU-US Data Privacy Framework provides an adequacy basis for certified US companies, the Garante may apply additional scrutiny. Processing voice data within the EU eliminates transfer risk. If transfer is necessary, ensure proper SCCs or other mechanisms are in place and documented.
Respond promptly and in Italian. The Garante typically sends an initial inquiry requesting information about your processing activities. Engage Italian-speaking data protection counsel immediately. Provide complete, accurate responses within the specified timeframe. Demonstrating cooperation and compliance awareness can significantly influence the outcome of a Garante investigation.
Founder & CEO, AInora
Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.