RAI – Court Ruling (Italy, 2025)

In 2020 two TV programmes investigated and covered allegations of corruption against an Italian politician (the data subject). In this context, the programmes published private emails from the data subject. Both programmes aired on the Italian public broadcast RAI (the controller). The data subject filed a complaint in November 2020. In 2021 the DPA notified the parties that the preliminary investigation was closed. In 2023 the DPA held that the data were unlawfully processed and forbade their further processing. The procedure took almost three years in total. The controller challenged the decision in court on grounds that the DPA decided the complaint past the legal deadline. The court agreed with the controller and anulled the decision. In turn, the data subject challenged the ruling before the Supreme Court. In the Supreme Court, the parties put forward different interpretations of the law. The controller pointed to the DPA’s internal regulation, according to which the DPA shall adopt and notify sanctions within 120 days after the end of the investigation. The controller argued that this deadline was peremptory in nature and that the belated decision was, therefore, invalid. On the other hand, the data subject claimed that the term was merely indicative in nature and that its decision was therefore valid. The Supreme court upheld the first instance ruling. The court held that allowing the DPA to issue a sanction long after the violations took place, would undermine legal certainty as well as the controller’s right of defenceIn this regard, the court leveraged the case law of the Italian Constitutional court: see [https://www.cortecostituzionale.it/scheda-pronuncia/2021/151 Corte Cost. 151/2021].. On these grounds, the court concluded that the deadline was peremptory in nature and that the lower court had rightfully annulled the DPA’s decision.