The Italian data protection landscape is being enriched by new measures aimed at reducing bureaucratic burdens for smaller businesses. With the approval of the new decree-law on the implementation of the PNRR on January 29, 2026, the Council of Ministers introduced urgent provisions aimed at streamlining over 400 administrative procedures.
What's new: Article 2-quaterdecies.1 of the Privacy Code
With a view to greater digitalisation and simplification of procedural deadlines, the decree directly amends the Personal Data Protection Code (Legislative Decree 196/2003). The main innovation is the introduction of Article 2-quaterdecies.1, specifically dedicated to the “Procedure for Notifying Personal Data Breaches by Micro-Enterprises”.
This provision aims to facilitate small businesses in fulfilling the obligations set forth in Article 33 of EU Regulation No. 679/2016 (GDPR), which requires all data controllers to notify the Italian Data Protection Authority of any personal data breaches.
Who can benefit from the simplification?
The new simplified procedure is not aimed at all companies, but is limited to microenterprises, identified by the legislator as those entities with fewer than five employees.
What does the simplified procedure consist of?
For these small businesses, compliance with the notification obligation will no longer follow the standard procedure, but may make use of:
- Guided self-assessment tools: to support the owner in understanding the extent of the breach and the steps to take.
- Simplified support channel: dedicated support provided by the Guarantor for the protection of personal data.
- Specific operating modes: The Guarantor will define the technical details and access methods to this procedure with its own provision.
The importance of interoperability
This intervention is part of a broader simplification framework based on the interoperability of public databases. The key principle is that citizens and businesses should not provide the Public Administration with information it already possesses, thus optimizing bureaucratic time.
Although the rule has already been outlined in the decree-law, the practical implementation of the simplified notification procedure will depend on the future provision of the Privacy Guarantor.
Content edited by Attorney Aldo Feliciani and Attorney Gianmaria Pesce.