Italy Founder Series: Privacy for Startups – First Moves


7 minute read | March.06.2025

Italian version: Privacy per Startup – I primi passi

When launching a startup in Italy, it is critical to comply with the applicable data protection requirements. Failing to do so can lead to significant risks in terms of liability vis-à-vis data subjects and to potential sanctions.

Indeed, prioritizing data protection ensures compliance and builds trust with employees, customers, and suppliers and can facilitate smoother growth.

In order to correctly identify the main data protection issues, startups should work through the following considerations:

1. Consider the type of data processed and the industry.

Categories of data

The GDPR (and privacy laws at large) applies any time personal data is processed.

  • If the startup, in carrying out its activities in Europe, is able to identify a natural person directly or indirectly, then the GDPR applies. Personal data includes any information relating to an identified or identifiable natural person, such as names, phone numbers, IP addresses or email addresses.
  • Certain personal data are considered particularly sensitive and require stricter compliance. This is the case, by way of example, of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic, biometric or health data, or data concerning a natural person's sex life or sexual orientation.

Industry

Whether the business is B2B or B2C affects its duties from a privacy point of view.

  • B2B companies typically process personal data related to their own employees, or to the employees of their clients and service providers.
  • B2C businesses typically process personal data of all their customers, and therefore need to manage all of the related obligations.
  • Specific industry sectors also have particular points of attention from a data protection standpoint: this is the case, for instance, of payment services, telecoms services or companies operating in the health industry.

2. Consider the type of services triggering processing of personal data

While, as noted above, B2B businesses will likely have fewer categories of personal data to process (mainly employee data), B2C businesses will have to identify how the provision of their services will impact the processing of their customers’ personal data.

  • The startup must assess whether any of its services trigger activities that consist in the processing of personal data.
  • Any operation which is performed on personal data (such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) is relevant from a privacy standpoint and is subject to the relevant data protection obligations.

This assessment will help the company prepare accurate privacy notices and policies at large, as well as put in place the right security measures.

3. Consider in which cases the startup will operate as a data controller or as a data processor

Companies may process personal data either as data controllers or as data processors.

  • Data controllers are those entities that determine the purposes and means of the processing of personal data.
  • Data processors are those entities that process personal data on behalf of the controller.

The startup must identify when it’s acting as data controller or as data processor to properly comply with relevant obligations.

By way of example, typically:

  • All companies operate as data controllers in relation to their employees’ personal data. This is because the company decides how and what data have to be processed in order to, for example, fulfill contractual obligations or exercise specific rights of the controller itself or of the data subject in the field of employment, social security and social protection law. For instance, Company A, which initiates an employee selection process, will be the data controller of the candidate’s personal data contained in the CV provided for the selection process.
  • B2C companies usually operate as data controllers in relation to their customers’ personal data. This is because the company decides what kind of customers’ personal data it needs to process, and for what purposes. For example, if the marketing department of Company A launches an advertising campaign to promote its products, Company A will qualify as data controller with reference to the personal data of the customers to whom the marketing campaign is addressed, since Company A is the entity that determines the purposes and means of the processing of such data.
  • B2B companies often operate as data processors based on data processing agreements entered into with their business clients, which, in turn, will be the data controllers of their own customers. This is because the client decides what kind of personal data pertaining to its customers needs to be processed, and for what purposes. In this scenario, the B2B startup will process said personal data upon instructions from its client, and in doing so will abide by those instructions. For example, if Company A (the client) wants to adopt a new cloud solution to store its employees’ personal data, Company A may purchase the cloud solution from Company B (the startup). At this point, Company B will process (by way of storing) the personal data pertaining to the employees of Company A in its capacity as data processor, and in doing so will have to comply with the instructions received from Company A. These instructions will be contained in an ad hoc data processing agreement entered into between Company A and Company B.

4. Practical Steps for Compliance

Once the startup, typically with the support of privacy consultants, has

  1. identified which categories of personal data it will process,
  2. assessed how its services will impact the relevant processing, and
  3. established when it will operate as a data controller as opposed to a data processor,

it may start its compliance process, following the practical steps below:

  • Allocate resources to meet privacy obligations, such as appointing a person responsible for privacy or even a Data Protection Officer (DPO) who will take care of drafting the relevant privacy documentation.
  • Identify all personal data collection and processing activities.
  • Draft a privacy notice for each data subject category whose data are processed (customers, employees, partners, collaborators, suppliers, etc.), outlining (among other things) how personal data is collected, used, and protected.
  • Identify and implement security measures and policies that ensure a safe and secure processing of the personal data at stake.
  • Keep and update the record of processing, that is, a register of all types of operations carried out on the personal data collected. Even where this is not mandatory for a given company, this data mapping exercise helps the company keep track of the activities put in place from a privacy point of view and prevent risks.
  • Pay special attention to web-based compliance, particularly for startups operating through platforms, websites, or e-commerce. For “static” sites, provide a privacy policy that meets Article 13 GDPR requirements. For “dynamic” sites, ensure comprehensive privacy and cookie notices and explicit consent mechanisms for profiling and marketing activities, where applicable.
  • Identify all remaining applicable privacy obligations on a case-by-case basis so as to ensure full compliance with the GDPR and other local privacy laws.
  • Understand that outsourcing IT services does not absolve responsibility. Formalize agreements with external providers processing personal data, as required by Article 28 GDPR.

5. Develop a Privacy Culture

  • Train employees on data protection practices and foster a culture that values privacy.
  • Ensuring that all employees understand their responsibility in protecting personal data and are aware of the consequences of any breaches is key to preventing data breaches and to complying with mandatory obligations.
  • Recognize the business value of a strong privacy reputation. In a market increasingly focused on privacy, companies that demonstrate a strong commitment in this area can stand out.

Addressing these issues is an excellent opportunity for startups to build a solid reputation for data protection and strengthen the trust relationship with their customers.

Our Tech Team is at your disposal to provide advice on privacy matters so that you can focus on your startup's growth. If you want more details on one of the topics mentioned above, please contact the authors of this article.