he Italian Data Protection Authority, in Decision No. 87 of February 12, 2026, imposed a fine of 15,000 euros on a company active in legal training and publishing for violations of Articles 6, 12, and 15 of the GDPR and Article 130 of the Privacy Code. The proceedings stem from complaints filed by two professionals who had received unsolicited promotional emails and had not received a response to their requests for access to their personal data.

The company attributed the incidents to “human error” and organizational restructuring, but the Authority deemed these justifications irrelevant, reiterating the central importance of explicit consent for sending automated commercial communications and the obligation to respond fully and promptly to requests from data subjects.

In addition to the monetary penalty, the Data Protection Authority issued a formal warning to the data controller, urging strict compliance with the regulations governing direct marketing and access rights.