When the Privacy Authority Goes Silent: What the Italian Supreme Court Just Ruled

Table of Contents
What happens when the Italian Data Protection Authority remains silent on a complaint?
The Italian Supreme Court ruled that the Garante's silence on complaints can have legal consequences for organizations. If the authority fails to respond within the statutory timeframe, the complainant may seek judicial review, and the organization may face liability for non-compliance. This decision underscores the importance of proactive data protection measures.
The Silence That Speaks Volumes
Imagine filing a complaint with the data protection authority, then waiting... and waiting. It's like sending a letter to Santa and getting nothing but radio silence. For many organizations and individuals, this has been the frustrating reality when dealing with the Italian Garante per la protezione dei dati personali. But a recent ruling by the Italian Supreme Court (Corte di Cassazione) has changed the game.
The Court clarified the nature of the deadlines within which the Garante must respond, establishing that the authority's silence can have practical consequences for organizations. This decision creates an important precedent for handling complaints and requests for intervention.
What the Court Actually Said
In its ruling, the Supreme Court addressed a key question: what happens when the Garante fails to respond within the statutory deadlines? The Court held that the Garante's silence is not merely a procedural hiccup—it can be interpreted as a tacit rejection of the complaint, which then allows the complainant to take further legal action.
Specifically, the Court stated that the Garante must issue a decision within 60 days from the receipt of a complaint (or 90 days in complex cases). If it fails to do so, the complainant can consider the complaint rejected and challenge that 'silent rejection' before the administrative court (TAR).
Why This Matters for Organizations
For companies and data controllers, this ruling is a double-edged sword. On one hand, it provides clarity: if you're facing a complaint, you can't rely on the Garante's inaction to make the problem go away. The clock is ticking, and silence from the authority doesn't mean the issue is dead.
On the other hand, it also means that complainants have a clear path to escalate matters. If the Garante drags its feet, the complainant can go straight to court. This puts pressure on the Garante to act promptly, which could lead to faster resolutions—or more rushed decisions.
Practical Steps for Organizations
So, what should you do if you're caught in the middle of a complaint? First, don't assume that the Garante's silence is a win. Monitor the timeline closely. If the deadline passes without a response, be prepared for the complainant to take the matter to court.
Second, proactively engage with the Garante. Submit your defense early and clearly. The more you help the authority understand your position, the less likely they are to issue a rushed or unfavorable decision.
Third, review your internal data protection practices. A complaint is often a symptom of a deeper issue. Use it as an opportunity to improve your compliance posture.
The Bigger Picture
This ruling is part of a broader trend in European data protection law: holding authorities accountable for their actions—and inactions. The GDPR itself requires supervisory authorities to handle complaints 'without undue delay.' The Italian Supreme Court is now giving teeth to that requirement.
For a deeper dive into the legal framework, check out the GDPR text on EUR-Lex.
In the end, the message is clear: silence is not golden when it comes to privacy complaints. Whether you're a complainant or a data controller, the clock is ticking. Don't wait for the Garante to break its silence—act now.
FAQ
What did the Italian Supreme Court rule regarding the Garante's silence?
The Court ruled that the Garante's failure to respond to a complaint within the required timeframe can be challenged in court, and organizations may be held accountable for violations even without an explicit decision from the authority.
How should organizations respond to complaints if the Garante is silent?
Organizations should continue to address complaints internally and document their actions. They should also monitor the Garante's response and be prepared for potential legal action by the complainant.
What are the practical implications for data protection compliance?
This ruling emphasizes that organizations cannot rely on the Garante's inaction as a shield. They must ensure robust data protection practices and timely responses to complaints to mitigate legal risks.
Checklist: What to Do When the Garante Goes Silent
- Confirm the complaint was filed correctly
- Note the deadline: 60 days (or 90 for complex cases)
- If no response, consider the complaint 'silently rejected'
- Challenge the rejection before the TAR within 60 days
- For organizations: proactively submit your defense
Pro Tip: Keep a log of all communications with the Garante. If they go silent, you'll have proof of your diligence.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now

