Italian Supreme Court Rules GDPR Sanction Deadlines Are Mandatory

The Italian Supreme Court (Corte di Cassazione) has issued a ruling regarding the nature of the deadlines within which the Data Protection Authority (Garante per la Protezione dei Dati) must impose GDPR sanctions. The decision clarifies that these deadlines are mandatory and that the Authority must, under penalty of forfeiture, issue the sanctioning measure within the prescribed timeframes. This issue represented a long-standing legal challenge, not only in theory but also in practice, concerning the application of sanctions in the field of personal data protection.