The GDPR sets forth the EU regime of fines and penalties, which allows for penalties of up to four percent of worldwide revenue or €20 million (whichever is higher) (see section Enforcement > Fines, Penalties, and Sanctions).

In addition, the Italian Data Protection Code establishes criminal offenses for the most serious breaches of data protection rules, which are punishable with imprisonment up to six years.¹