# Garante per la protezione dei dati personali (Italy) - 487/2026

- Type: Enforcement
- Source: GDPRhub
- Date: 2026-07-03
- Original: https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_487/2026
- Canonical: https://overview.legal/posts/108999
- Topics: Right to Object, Social Media, Data Controller, Integrity and Confidentiality Principle, Notified Body Information Obligations, Child Consent, Accountability, Artificial Intelligence, Marketing, Profiling

## Summary

Facts — Character Technologies, Inc (the controller) is a company established in the US that operates the site Character.AI. Character.AI is a generative AI service that allows users to create and interact through chat with virtual characters that already exist or are created at the moment. The controller made this available to data subjects in Italian, and had a specific version for children. The DPA initiated an ex-officio investigation in 2024. The DPA requested information related to the LLM models used by the controller, the provision of the service, and data transfers. The controller provided a DPIA, and stated that it introduced an age verification system that required data subjects to register their date of birth. In 2025, the controller announced it would prevent underage data subjects from accessing open chat rooms, and would begin processing personal data of data subjects in the EEA to post-train its generative AI systems. Holding — The DPA first clarified that the GDPR is applicable even if the controller was established outside of the EU, in accordance with Article 3(2) GDPR. The DPA took into account the fact that the service was available in Italy and in Italian, as well as the privacy policy also applying to EEA residents. Given that the controller did not have an establishment in the EU, the one-stop-shop mechanism did not apply and the DPA was competent. The DPA found a violation of Articles 12(1), 13(1) and (2), and 14(1) and (2) GDPR. The DPA considered that the controller had failed to meet its information obligations. In terms of the controller’s privacy policy, the DPA considered that the controller had not provided data subjects’ with clear information regarding its processing activities, data transfers, or data subjects’ right to object and opt out. In addition, the controller failed to designate a representative in the EU, and included misleading and inaccurate statements on the processing of personal data for purposes of post-training LLMs for the service. However, the DPA also took into consideration that the controller had updated its privacy policy to make its language clearer. In terms of its pre-training activities, the DPA stated that the controller had failed to provide adequate information and therefore violated Articles 14(1) and (2) GDPR. The DPA dismissed the controller’s argument that it did not have the obligation to provide this information due to the data being collected by third parties from open sources. The DPA stated that the controller had the obligation to verify whether personal data was present. In addition, the exemption under Article 14(5)(b) GDPR does not exempt the controller from having the obligation to implement appropriate measures to protect data subjects’ rights. However, the DPA did not find a violation of Articles 21(1) and (4). The DPA referred to the EDPB opinion on processing personal data in relation to AI systems. The EDPB recommended controllers to adopt measures for data subjects to exercise their rights, including providing the option to provide data subjects with the option to object unconditionally before the processing takes place. The DPA considered that this opinion went beyond the literal wording of Articles 14 and 21 GDPR. This interpretation could not, in the DPA’s view, be interpreted retroactively to the controller’s processing activities. The DPA found a violation of Articles 24(1) and 25(2) GDPR. The DPA considered that the controller had failed to implement adequate technical and organisational measures to verify data subjects’ age. During its investigations, the DPA found that the controller’s age verification systems were not effective, as they allowed data subjects’ to access the service even after self declaring to be younger than the minimum age limit set by the controller. The DPA also found that the accounts were set to public by default. Therefore, the controller had failed to implement appropriate measures to protect underage data subjects, even if the GDPR does not set a harmonised and binding standard in relation to age verification. The DPA also found a violation of Articles 5(2) and 35 GDPR. Under Article 5(2) GDPR, the controller has the obligation to proactively demonstrate compliance with the GDPR. The DPA stated that a key tool to do this is through data protection impact assessments (DPIAs). Controllers are obliged to carry out a DPIA under Article 35 GDPR if the processing is likely to result in a high to the rights and freedoms of data subjects. The controller failed to do a DPIA on time in relation to providing the service to underage data subjects, as well as in relation to its processing activities for the purpose of pre-training its LLM. The DPA stated that the controller should have done this before launching the service in 2022, as the processing activities had a presumed high risk to freedoms and rights of data subjects (e.g. the use of large scale processing or processing data of vulnerable data subjects). However, the DPA acknowledged that the controller progressively improved its compliance by doing a (late) DPIA and updating it. Finally, the DPA found a violation of Article 27(1) GDPR, as the controller belatedly designated a representative in the EU. The DPA stated that the exemption under Article 27(2) GDPR did not apply. The DPA fined the controller €158,000. The DPA also ordered the controller to bring its privacy policy and storage of personal data for purposes of pre-training its LLM into compliance with the GDPR. The DPA also ordered the controller to implement effective age verification mechanisms.

## Full text

SEE ALSO Press Release of July 9, 2026 [web doc. no. 10269571] Measure of July 3, 2026 Register of Measures No. 487 of July 3, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation"); HAVING SEEN the Personal Data Protection Code (Legislative Decree No. 196 of June 30, 2003) (hereinafter the "Code"); HAVING SEEN Regulation No. 1/2019 concerning internal procedures of external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Italian Data Protection Authority, approved by Resolution No. 98 of April 4, 2019, published in the Official Journal No. 106 of May 8, 2019, and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Italian Data Protection Authority Regulation No. 1/2019"); HAVING SEEN the documentation in the file; HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Italian Data Protection Authority Regulation No. 1/2000 on the organization and functioning of the Office of the Personal Data Protection Authority, adopted by resolution of June 28, 2000 (web doc. no. 1098801); RAPPORTEUR: Professor Pasquale Stanzione; 1. BACKGROUND AND PROCEDURE OF THE INVESTIGATION 1.1. Origin of the preliminary investigation The proceeding arose from an investigation initiated by the Authority in November 2024, following the determination that the generative artificial intelligence service Character.AI (hereinafter "Character.AI" or the "Service"), offered by the US company Character Technologies, Inc. (hereinafter "Character," the "Data Controller," or the "Company"), headquartered in Menlo Park, California, was available in Italy via a mobile app and web platform, that the privacy policy in effect at the time was aimed at data subjects in the EEA region, and that the Service was also offered in Italian. Character.AI is a generative artificial intelligence service that allows users to create and interact, via chat, with existing or custom-created virtual characters (hereinafter "Characters"), enabling them, through interactive entertainment and technology, to express themselves, explore ideas, and unleash their imagination and creativity. Character, a company incorporated on November 3, 2021, launched the beta version of the Service in web mode on September 16, 2022, and in app mode on May 23, 2023. On April 8, 2024, the beta version was replaced by the final version, available at the top-level domain www.character.ai and also offered in Italian. In November 2024, a dedicated version of the Service was launched, reserved for minors. Character uses a generative artificial intelligence system based on proprietary large language models (hereinafter also "LLMs"), refined through user interaction with the Service (as of April 30, 2026, users in the EEA are not included). These LLMs were no longer pre-trained... REDACTED. For the purposes of this provision, "generative artificial intelligence" means the field of artificial intelligence dedicated to the creation of new and original content based on user prompts, through the use of predominantly neural algorithms and typically based on large-scale linguistic models. For the purposes of this provision, LLM also means a probabilistic model of a natural language, such as Italian, based on the assumption that all natural languages are highly redundant and correlated; hence, the LLM's ability to identify the word or symbol that, probabilistically, immediately follows a given piece of data. 1.2. Activities carried out 1.2.1 The first request for information On November 7, 2024, the Office notified Character (ref. no. 131170/24) of a request for information pursuant to Article 57, paragraph 1, letter b) of the Italian Legislative Decree. a) of the Regulation, requesting clarification from the Company regarding the existence of an establishment or the appointment, pursuant to and for the purposes of Article 27 of the Regulation, of a representative in the European Union, the measures adopted to verify the age of Service users, and the processing activities performed, including, in particular, those aimed at training the artificial intelligence models underlying the Service. On December 20, 2024, the Office granted (ref. no. 150217/24) a request for an extension of the deadline to provide a response, submitted by the Company on the same date (ref. no. 150737/24), due to the scope of the request and the difficulty in obtaining the necessary information during the Christmas period. On January 21, 2025, the Company responded to the request for information (ref. no. 6935/25), providing a copy of the impact assessment (hereinafter also "DPIA") pursuant to Article 35 of the Regulation and the assessment of legitimate interest (hereinafter also "LIA") pursuant to Article 6, paragraph 1, letter f) of the Regulation. Regarding the Service, the Data Controller stated: • that it had developed its proprietary LLMs by training them primarily with data publicly available on the internet; • that it had carried out the post-training phase using ...OMISSIS. Regarding age verification, Character stated that in the fall of 2023 it had introduced a system to block use of the Service based on a neutral so-called "legal" mechanism. An age gate that requires users to enter their date of birth and that, in November 2024, users who had registered before the system was introduced had to verify their age in order to continue using the Service. It also reported that, in November 2024, it had implemented a separate version of the Service based on a specifically trained LLM for users under the age of eighteen and had prevented them from indiscriminately accessing all Characters and making their Characters public. In an update, spontaneously submitted on July 29, 2025 (ref. no. 106560/25), the Company announced that it had designated VeraSafe Ireland Ltd. (hereinafter also "VeraSafe"), based in Cork, Ireland, as its representative in the European Union, and that it had updated the Service's privacy policy, effective August 27, 2025. 1.2.2 The Second Request for Information On August 6, 2025, the Office sent Character a supplementary request for information (ref. no. 109878/25), requesting clarifications regarding the processing of personal data related to: i) the operation of the generative artificial intelligence models underlying the Service; ii) the provision of the Service; and iii) the transfer of personal data outside the European Union. The Office also requested clarification regarding some of the security measures indicated in the DPIA, as well as a copy of the document designating the representative pursuant to Article 27 of the Regulation. On September 30, 2025, the Company responded to the second request for information (ref. no. 129329/25), within the timeframe allowed, providing a copy of the privacy policy updated to August 27, 2025, a copy of the DPIA updated to September 30, 2025, a copy of the LIA updated to September 29, 2025, and a copy of the document designating the representative pursuant to Article 27 of the Regulation. In this response, the Company confirmed that the Service was based on large, proprietary models, but that these models had not been pre-trained in the year prior to the response. 1.2.3 The third request for information On November 4, 2025, following the publication of press reports suggesting that the Company was planning to block underage users from accessing the Service's open chats starting November 25, 2025, the Office sent a third request for information (ref. no. 146211/25) requesting clarification on the aforementioned issue as well as on the plan, announced by the Company in its response note of September 30, 2025, to begin processing the personal data of EEA users for post-training purposes of its generative artificial intelligence systems. The Company responded with a letter dated December 9, 2025 (ref. no. 171362/25) in which, regarding the profile of underage users, it confirmed the veracity of the information regarding the plan to eliminate the ability of minors under 18 to participate in open conversations with Service Personalities starting November 24, 2025 in the United States and by the end of February 2026 in Italy. Furthermore, the Company informed the Office that it had introduced an age verification system that operates during the use of the Service in order to offer underage users an age-appropriate experience. This age assurance mechanism complements the technical age verification measures already adopted to prevent access to individuals under the age of 13, through a proprietary age verification model combined with the intervention of a third party, Persona Identities, Inc. (hereinafter "Persona"). … OMISSIS. 2. INITIATION OF THE PROCEEDINGS FOR THE ADOPTION OF CORRECTIVE AND PENALTY MEASURES AND THE PARTY'S DEFENSES 2.1. Initiation of the proceedings (Article 166, paragraph 5, of the Code) Based on the information acquired during the preliminary investigation described above, with a note dated January 26, 2026 (ref. no. 10830/26), notified pursuant to Article 166, paragraph 5, of the Code, the Office initiated the proceedings for the adoption of the measures referred to in Article 58, paragraph 1, of the Code. 2, of the Regulation against the Data Controller, inviting the latter to produce written defences or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of Law 24 November 1981, no. 689). The alleged violations are: 1) Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation, for Character's failure to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations carried out through the Service; 2) Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 4, of the Regulation, for Character's failure to provide adequate information to Italian data subjects regarding the pre-training activities of the proprietary LLMs underlying the Service, as well as to establish appropriate mechanisms to allow them to exercise their right to object; 3) Articles 24, paragraphs 1 and 25, paragraph 2. 2) of the Regulation for Character's failure to adopt adequate technical and organizational measures, by default, in relation to the processing of data of minors prior to the implementation of an age gate mechanism (November 2024) and of minors under the age of sixteen for the period following such implementation, at least until 8 April 2025; 4) Articles 5(2) and 35(1) of the Regulation for Character's belated adoption of the data protection impact assessment (first version dated 14 November 2024, updated 30 September 2025), although it was required to do so; 5) Article 27(1) and (4) of the Regulation for Character's belated designation of VeraSafe Ireland Ltd. as its representative in the European Union, pursuant to and for the purposes of Article 27(1) and (4) of the Regulation. 27 of the Regulation and for having included in the privacy policy of August 27, 2025, a contact link that redirects to an unreachable web page, thus effectively making any online communication with the designated representative impossible. 2.2. Defenses of the Party (Article 166, paragraph 6, of the Code) On March 31, 2026 (ref. no. 49636/26), Character filed a defense brief requesting a hearing, pursuant to Article 166, paragraph 6 of the Code. In this brief, the Company rejected all objections and, believing it had fulfilled all obligations under the Regulation, requested that the proceedings be dismissed. From an objective standpoint, the Data Controller rejected all objections in the following terms. Regarding the alleged failure to comply with transparency obligations towards users, the Company has deemed the Office's objections to both versions of the privacy policy to be unfounded. Specifically, regarding the objections to the privacy policy dated October 25, 2023, the Data Controller deemed its availability only in English irrelevant and rejected the Office's accusations of incompleteness, lack of intelligibility, and lack of clarity. Likewise, regarding the privacy policy dated August 27, 2025, the Company rejected the objection regarding the syntactical and terminological deficiencies of the Italian version, the methods of indicating data retention periods, legal bases, transfers outside the EU, and the process of de-identification of personal data. The Company has also announced, in a spirit of cooperation with the Authority and in accordance with the principle of accountability, an imminent further update to the privacy policy. Regarding the alleged failure to comply with transparency obligations and the right to object to processing by European data subjects, particularly Italians, regarding the personal data used in the pre-training activities of the proprietary LLMs underlying Chararacte.AI, the Data Controller highlighted the legal uncertainty surrounding the application of data protection legislation in the context of artificial intelligence services at the time of the company's incorporation (November 2021) and the start of its operations (September 2022) and declared that it had ceased all pre-training of its LLMs ... OMISSIS. On the merits, the Data Controller stated that the presence of personal data within the training datasets, "generally consisting of large-scale, open-source third-party data collections," publicly available datasets commonly used in the industry, must be considered incidental and the related processing unintentional. It also stated that in the specific case, the exception under Article 14, paragraph 1, of the GDPR would apply. 5 of the Regulation (impossibility or disproportionate effort in communicating information) and, in any case, to have complied with the obligations set forth in Article 14 of the Regulation by publishing updates on its blog, in the Help Center, and on forums hosted by third-party websites (e.g., Reddit and Discord). Regarding the right to object, the Company reiterated i) that, starting with the official version of the Service launched in 2023, even non-users have had the opportunity to object to the processing of their personal data by sending a request (ticket) via the Help Center or by email to the address indicated in the privacy policy (dated October 23, 2023) and ii) that the Office's further arguments on this point cannot be accepted as they refer to Opinion No. 28/2024 of the European Data Protection Board (hereinafter "EDPB"), adopted after the pre-training process and therefore not applicable retroactively. Regarding the contested failure to adopt an appropriate age verification system, after arguing that the Regulation does not impose a specific legal obligation to verify the age of users and that such verification must be implemented on the basis of a risk-based assessment, the Company stated that the initial adoption of a neutral age gate was in line with the state of the art at the time (October 2023) in the technical and regulatory context of generative artificial intelligence and the subsequent introduction (November 2025) of a multi-level age assurance system is to be considered in line with subsequent industry practices, a sector which is still developing given that, to date, there is no single, binding technical standard. The Data Controller also emphasized that in November 2024, it implemented a dedicated version of the Service for minors, "designed to reduce the likelihood that minors will encounter or generate sensitive or suggestive content." This version is based on a dedicated LLM and features enhanced security measures such as limiting the number of available Characters, limiting interaction time, using more conservative content classifiers, and introducing a tool called "Parental Insight" that provides parental guardians with information on minors' activity on Character.AI. Finally, the Company noted that in November 2025, it excluded minors from participating in open conversations with Characters and implemented an age assurance system that combines a proprietary age prediction model developed by Character (which evaluates a combination of signals collected from user interactions with the Service) with a third-party age verification process. Third-party intervention is activated only if the internal system's findings are contested and consists of two phases: the user submits a selfie and, only if the user's age cannot yet be determined with sufficient reliability, an identity document (both data are retained for only seven days). Regarding the disputed late preparation of the data protection impact assessment, after arguing that the obligation to prepare a DPIA presupposes an assessment of the existence of a high risk to the rights and freedoms of natural persons and that the principle of accountability does not impose strict liability, the Company stated that it had conducted internal risk assessments gradually and using a multidisciplinary approach since the launch of the Service (September 2022) but that it formalized these assessments in a structured form in a DPIA only following the Authority's first request for information (November 8, 2024). The document was subsequently updated in February 2025 and September 2025. Finally, regarding the disputed late designation of a representative in the European Union pursuant to Article 27 of the Regulation and, following its designation, the lack of valid online contact information, the Company argued that it had no obligation to designate until May 31, 2025 (the date of VeraSafe's appointment) because, in the prior period, its processing activities fell within the exemption under Article 27(2) of the Regulation, as it was occasional processing and did not entail a likely risk to the rights and freedoms of natural persons, given that the EEA market was not a priority compared to Character's commercial activities. Regarding the malfunction of the VeraSafe contact link, the Data Controller argued that it was a "minor material error in the hyperlink," which, as such, had no impact on the substance and accessibility of the information, which has since been corrected, including in the privacy policy. From a subjective perspective, in its defense brief, Character argued that the initiation of the proceedings does not demonstrate that the alleged violations were committed intentionally or negligently, as required by the Court of Justice of the European Union in its ruling of December 5, 2023, Case C-807/21. For its part, the Data Controller considered that there was no evidence of intent or negligence because, when it began offering its Service to users in the EEA, it "promptly adopted measures to improve its data protection practices." Finally, in its brief dated March 31, 2026, Character identified and argued all mitigating factors, specific to each individual complaint (which overlap with the general mitigating factors listed below, with the exception of the adoption of measures to mitigate the harm suffered by the data subjects (Article 83, paragraph 2, letter c, of the Regulation) with reference to the second, third, and fifth complaints and the absence of any concrete harm to the data subjects (Article 83, paragraph 2, letter a) with reference to the first and fourth complaints) and general mitigating factors that the Authority should consider in determining the amount of the fine, in the unlikely event of violations being ascertained. In particular, the Data Controller emphasized, pursuant to and for the purposes of Article 83, paragraph 2, letter a), f. of the Regulation, its constant and full cooperation with the Authority throughout the entire investigation phase, a collaboration that has served as a catalyst for improving and strengthening practices and measures to protect personal data, especially that of minors; pursuant to and for the purposes of Article 83, paragraph 2, letter a. of the Regulation, the limited duration of the violations; pursuant to and for the purposes of Article 83, paragraph 2, letter b. of the Regulation, the absence of malicious nature of the violations; pursuant to and for the purposes of Article 83, paragraph 2, letter e. of the Regulation, the absence of previous violations; pursuant to and for the purposes of Article 83, paragraph 2, letter k. of the Regulation, the absence of financial benefits resulting from the violations. Character also provided the requested information regarding its annual worldwide turnover for 2025. During the hearing, requested pursuant to Article 166, paragraph 6, of the Code and held on April 15, 2026 (see minutes, file no. 60939/26), the Company's General Counsel illustrated the characteristics of the Service and clarified that Character must still be considered a start-up as it employs ... OMISSIS people and operates in a highly competitive market with high operating costs. The Company's lawyers emphasized Character's spirit of loyal cooperation with the Authority, as well as its gradual, constant, and progressive commitment to compliance with the Regulation, despite the uncertain technical and legal framework, both with regard to generative artificial intelligence and age verification systems. In a note dated April 30, 2026 (ref. no. 71632/26), to resolve the reservation made during the hearing, the Data Controller provided the exact address of VeraSafe and a copy of the February 2023 privacy policy. It also specified that the number of daily active users in Italy is … OMISSIS, a number calculated based on the most recent data and the connection IP address (Italian) (the Company does not require users to indicate their country of residence). Regarding the processing of personal data of EEA users for post-training purposes, Character stated that this processing activity, … OMISSIS. Finally, regarding the current processing of personal data used for LLM pre-training, Character reiterated that the last processing activity took place in … OMISSIS. With a note sent on June 10, 2026 (ref. no. 88645/26), the Company announced that it had notified Italian users of the update to its privacy policy (announced during the hearing), which provides clearer and more detailed information "regarding the Company's practices and the legal bases applicable to the processing performed, also to address the observations made by the Italian Data Protection Authority during the proceedings." The latest version of the privacy policy and the related regional supplement will enter into force on July 1, 2026. 3. AUTHORITY'S ASSESSMENTS 3.1 European Jurisdiction and Competence of the Italian Data Protection Authority First, the Italian Data Protection Authority deems it appropriate to briefly address the issues relating to the applicability of European data protection legislation to the processing operations related to the Service offered by the Company and the competence of the Italian Data Protection Authority, even if not disputed by the Data Controller. Article 13 of Legislative Decree no. Article 3 of the Regulation governs the conditions for the territorial application of its provisions. The first paragraph establishes the criterion of "establishment" and the second, in the case of controllers not established in the European Union, the criterion of targeting. This criterion, in turn, is divided into two scenarios: 1) offering goods or services to data subjects located in the Union, even free of charge, or 2) monitoring the behavior of such data subjects to the extent that such behavior occurs in the Union (see, in this regard, the Guidelines of the European Data Protection Board (hereinafter "EDPB") No. 3/2018 on the territorial scope of the Regulation). Given that the Service has been available in Italy since at least 8 April 2024, the date on which, as stated by the Company during the hearing, the beta version of the Service was discontinued (released on 16 September 2022 in web mode and on 23 May 2023 in app mode) and the top-level domain www.character.ai was launched with the new web version of the service, also in Italian, and that the privacy policy of 25 October 2023 also addressed residents of the EEA area, the Authority considers that European jurisdiction exists, pursuant to Article 3, paragraph 2, of the Regulation. In particular, in the present case, the targeting criterion referred to in Article 3, paragraph 2, letter a) of the Regulation applies. a) of the Regulation, i.e., the offer of goods or services to data subjects in the Union, as the Character AI service is freely available to users located in the European Union, and specifically in Italy, as of April 8, 2024. Considering that the jurisdiction established pursuant to Article 3, paragraph 2, of the Regulation entails a derogation from the one-stop-shop mechanism (Article 56 of the Regulation applies only in cases where the controller has a sole or main establishment in the EU), the competence to exercise the powers referred to in Article 58 of the Regulation lies independently with each European supervisory authority (see EDPB Guidelines No. 8/2022 on the identification of the lead supervisory authority in relation to a specific controller or processor, paragraph 49). Based on these considerations, European jurisdiction and the competence of this Authority are therefore clearly established. 3.2. Breach of Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation The Office charged Character with violating Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation for failing to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations carried out through the Service. Article 12 and Recital 58 of the Regulation require that information intended for the public or the data subject must be concise, easily accessible, and provided in clear and plain language. Pursuant to Articles Pursuant to Articles 13 and 14 of the Regulation, the controller who collects personal data from the data subject or from third parties is required to provide specific information regarding a series of elements characterizing the intended processing. As specified in the transparency guidelines adopted by the Article 29 Working Party on April 11, 2018, and endorsed by the EDPB at its Plenary Session on May 25, 2018 (WP 260 guidelines), the principle of transparency is not legalistic and is embodied in specific information obligations set out in Articles 12 to 14 of the Regulation (see paragraph 4); This information must be provided to data subjects "before or at the beginning of the data processing cycle, i.e. when the personal data are collected from the data subject or otherwise obtained" (this requirement is also confirmed in EDPB Guidelines No. 2/2019 on the processing of personal data pursuant to Article 6(1)(b) of the Regulation in the context of the provision of online services) and upon material changes to the processing (see section 5). The same guidelines further clarify that: i) the information should be concrete and certain, should not be formulated in abstract or ambiguous terms, or leave room for multiple interpretations, particularly with regard to the purposes and legal basis for processing personal data (see section 12); ii) if the controller chooses to use vague language, in accordance with the accountability principle, the controller should be able to demonstrate why such language is unavoidable and why it does not compromise the fairness of the processing (see section 13); iii) information provided to data subjects should not contain excessively legalistic, technical, or specialized language or terminology (see section 13); iv) information should be translated into one or more languages if the controller addresses data subjects who speak different languages (such as a website in a given language). If translated, the controller should ensure that all translations are accurate and the phraseology and syntax are comprehensible, so as not to force the reader to decipher or reinterpret the translated text (see section 13). In light of the principles, regulatory provisions, and the interpretation thereof provided by the EDPB (it should be noted that the guidelines of the European institutions and bodies have been recognized as soft law by the Court of Justice of the EU, in its ruling of July 15, 2021, in case C-911/19), the Authority considers the alleged violation to have occurred with reference to and limited to the following aspects. Regarding the privacy policy dated October 25, 2023, in force until August 27, 2025, in relation to: - its availability exclusively in English from April 8, 2024 (the date of the release of the Service in Italian) until August 27, 2025 (the date of the subsequent version, also available in Italian). On this point, the Authority believes that, in light of the aforementioned interpretation provided by the EDPB in the transparency guidelines, the defense argument that the translation into Italian was unnecessary because average users of the Service are accustomed to accessing services and materials provided primarily in English cannot be accepted; - the unclear indication of the data subjects' right to exercise the right to object, pursuant to Article 21 of the Regulation, with reference to processing operations that, based on the legal bases set out in Article 6, paragraph 1, letter b), are not sufficiently processed. Articles 27(e) and (f) of the Regulation legitimize the exercise of the opt-out. In this regard, the Authority notes that the defense argument that both users and non-users could, as of October 2023, exercise their rights through a ticketing system is irrelevant, as ensuring the effectiveness of the right to object is a legal issue that concerns the substantive protection of this right and not the obligation to provide information regarding the procedures for exercising it; - the failure to indicate the representative in the European Union pursuant to Article 27 of the Regulation in the period after April 8, 2024 (date of release of the Service in Italian) and until August 27, 2025 (date of the subsequent version of the privacy policy). In this regard, the Authority does not share the defense's assumption that, at the material time, the derogation pursuant to Article 27(e) was applicable. 2 of the Regulation, as the possibility that this was an occasional processing of personal data is clearly ruled out by the dual circumstance that the privacy policy was also addressed to users in the EEA (see point 6 regarding Regional Privacy Disclosures) and the Service has been offered in Italian since April 8, 2024; - the misleading and inaccurate indication regarding the processing of personal data of users in the EEA for post-training purposes of the LLM programs underlying the Service; specifically, from the text of the privacy policy, Italian users could have assumed that their personal data was being used for this processing (at least since the launch of the Service in Italy). Recalling the EDPB's interpretation that the information provided to data subjects must be concrete and certain, the Authority rejects the defense's argument that the origin of data subjects involved in post-training activities is irrelevant, especially given that such processing, which is expected for users in the EEA starting from ... OMISSIS, had not yet begun as of ... OMISSIS. Regarding the privacy policy of August 27, 2025, including the regional information notice for the EEA to which it refers: - linguistic inaccuracies in the Italian version render the text unintelligible and misleading with respect to the information the Company intends to provide. In this regard, given the EDPB's interpretation that information to data subjects should not contain excessively legalistic, technical, or specialized language or terminology, the Authority accepts the defense's argument that some terms used in the translation, although not consistent with European legal vocabulary, are nevertheless easily and commonly understood. However, given that the translated text must be clear and not misleading with respect to the substance of the processing performed, it is believed that a violation still exists in relation to the following phrases: i) in the "information you provide us directly" section, inferences are indicated "such as preferences based on account settings or feedback on the Services," where the term "inference" refers to personal data not collected directly from the data subject, resulting in a significant material impact on the actual processing performed; ii) in the information dedicated to the European region, with reference to the information according to which the data subject has the right "to lodge a complaint with the competent supervisory authority", the generic term "complaint" rather than the technical-legal term "complaint" is misleading as the meaning of the term complaint is now well-known and has entered common parlance with the consequence that its absence could negatively interfere with the effective exercise of rights by data subjects (the same term used in reference to the prior request to the data controller is, on the contrary, not a harbinger of misunderstandings); iii) the classification of "login credentials" and "personal communications received or sent" as sensitive information does not preclude the need to clarify, where appropriate, the difference between this type of data and the special categories of data referred to in Articles 9 and 10 of the Regulation; - failure to indicate, with reference to the transfer of data processed outside of Europe, the non-EU countries to which the data could be transferred that would not be "able to ensure an adequate level of protection of personal data under local law" and the adequacy decisions or appropriate or suitable safeguards referred to in Chapter V of the Regulation adopted. On this point, the Authority disagrees with the defense arguments and reiterates that, given that the information provided must be concrete and certain, the use of probabilistic verbs ("your information may be stored and processed in the United States and in other countries outside the United States"), even in the conditional ("which may have data protection laws different from those of your country, and the data may be accessible from (part of law enforcement and national security authorities in certain circumstances) does not comply with European legislation; - misleading indication regarding the concept of anonymous data, connected to the impossibility of de-identifying them "except for the purpose of confirming that they are de-identified." The Authority acknowledges that this term, as clarified during the hearing, derives from the US concept of the anonymization procedure, but notes that its meaning is different from the European one and is therefore unclear to Italian data subjects. Referring to both versions of the privacy policy, the information provided to data subjects regarding the retention period and the categories of personal data processed with respect to the corresponding legal bases and the specific purposes of the processing remains lacking, even after careful examination of the Data Controller's defense. Regarding the first gap, the Authority does not agree with the defense argument that the generic wording used is in line with industry practice: linking retention periods to the purpose of the processing is, in fact, not compliant with the This regulatory provision requires the precise specification of retention periods or, failing that, the criteria used to determine such periods. Furthermore, in this case, as further explained below, in both the October 25, 2023, and August 27, 2025, versions of the privacy policy, the purposes are not associated with the specific categories of data processed, meaning that data subjects are unable to know which data are being processed, for what purpose, and for how long. Furthermore, the phrase "unless the law provides for a shorter retention period" is excessively general and unacceptable if only the retention periods were determined with reference to the specific categories of data processed. Finally, the indication that at the end of the retention period, the information "may" be deleted or aggregated reflects the use of probabilistic terminology that conflicts with the need for the information to be concrete and certain. Regarding the lack of specific information for each category of personal data processed, the corresponding legal bases, and purposes of the processing, the Authority notes that The EDPB guidelines explicitly require that information provided to data subjects not be formulated in abstract or ambiguous terms or be open to multiple interpretations, particularly with regard to the purposes and legal basis for processing personal data. Legal bases and purposes of processing cannot be described in the abstract; they must be described with reference to and in correlation with the specific categories of data processed. Furthermore, the defensive assumption that specifying multiple legal bases for the same processing purpose enhances transparency must be rejected entirely. On the contrary, the legal basis must be single and clearly communicated to data subjects as it impacts their rights under the Regulation. For example, processing for personalized advertising purposes cannot, as indicated in the privacy policy of August 27, 2025, rely on both the legitimate interest basis under Article 6(1)(f) of the Regulation and the consent basis under Article 6(1)(f) of the Regulation. 6, paragraph 1, letter b), of the Regulation. Likewise, processing for the purpose of authenticating account credentials cannot be lawful based on both the contractual legal basis referred to in Article 6, paragraph 1, letter b), of the Regulation and that of legitimate interest. The Data Controller's argument, supported in the response to the second request for information (... OMISSIS), according to which this approach reflects the need to reconcile disclosure obligations with different jurisdictions, is also unconvincing on this point. In this regard, the Authority notes that the multi-legal basis approach was also adopted in the regional information notice dedicated to the EEA area where the Regulation applies, a single and harmonized regulation, and where, therefore, it is unthinkable that the same processing could have different legal bases. To the extent and within the limits of the above, the Authority therefore believes that Character has violated Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation by failing to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations performed through the Service. For the sake of completeness, the Authority acknowledges that the Company, during the hearing, stated that it had adopted a very initial privacy policy in February 2023 in relation to the beta version of the Service, available at the subdomain http://beta.character.ai, a version not offered to Italian users, and that the text of this policy was submitted to the Office together with the notice dated April 30, 2026. The Authority also notes that the Company has i) amended the privacy policy several times in response to and in accordance with significant changes in processing, ii) spontaneously communicated to the Authority the adoption of the third version of the privacy policy on July 29, 2025, and iii) announced, during the hearing, the imminent publication of a new, further updated version of the privacy policy, which was, in fact, adopted effective July 1 and a copy was sent to the Office on June 10, 2026. The latest version of the privacy policy has incorporated some of the critical issues outlined above, and the The text of the privacy policy has been amended accordingly. In particular, the Italian translation has been revised using clearer, more intelligible language that reflects the substance of the processing performed: specifically, i) the improper term "inferences" has been eliminated; ii) the term "complaint" has been replaced with "claim" and the term "divulge" has been replaced with "share" or "communicate," depending on the circumstances; iii) the term "sensitive data" has been better defined and defined, and a specific reference to the processing of special categories of personal data has been inserted separately. In general, the use of uncertain verbs in the conditional tense, such as "could" / "could," has been eliminated. The latest version of the privacy policy associates each category of personal data with the corresponding legal basis and related processing purpose and introduces changes to the description of personal data retention periods and data transfers to non-EU countries. Finally, the updated version of the regional supplement contains a reference at the beginning to the processing of personal data for post-training purposes for the LLM programs supported by the Service, without, however, distinguishing between users in the EEA and users residing in the U.S. 3.3 Violation of Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 4, of the Regulation The Office charged Character with violating Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 4, of the Regulation for failing to provide adequate information to Italian data subjects regarding the pre-training activities of the proprietary LLM programs supported by the Service, as well as to establish appropriate mechanisms to allow them to exercise their right to object. Article 14 of the Regulation prescribes the information that the data controller is required to provide to the data subject to ensure fair and transparent processing when the personal data have not been obtained from the data subject. Recitals 60 and 61 of the Regulation state, respectively, that the "principles of fair and transparent processing require that the data subject be informed of the existence and purposes of the processing" and that "the data subject should receive information relating to the processing of personal data concerning him or her at the time of collection from the data subject, or, if the data are obtained from another source, within a reasonable period, depending on the circumstances of the case." Article 21(1) and (4) of the Regulation provide that the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), and that the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject. The right to object must be explicitly brought to the data subject's attention and presented clearly and separately from any other information at the latest at the time of the first communication with the data subject. The EDPB Transparency Guidelines cited above clarify that transparency obligations apply to the controller before or at the beginning of the data processing cycle, i.e., when the personal data are collected from the data subject or otherwise obtained (see section 5). These guidelines also provide that, if the controller intends to rely on the exception under Article 14(5)(b) of the Regulation because providing the information would involve a disproportionate effort, it should balance the effort required against the impact of the failure to provide the information on the data subject and document this assessment in accordance with accountability requirements. If it is deemed impossible or significantly difficult to communicate the information, the controller must take appropriate measures to protect the data subject's rights, freedoms, and legitimate interests, such as making the information public, for example, by publishing it on its website (see section 64). With regard to the requirement of legitimate interest and the right to object, EDPB Guidelines No. 1/2024 on the processing of personal data based on Article 6(1)(f) of the Regulation reiterate that the data subject has the right to object to such processing in the manner and within the timeframe set out in Article 21 of the Regulation (see section 71). Finally, the EDPB, in Opinion No. 28/2024, states that, where the controller processes personal data in the context of artificial intelligence models based on the legitimate interest, it is required to guarantee the right to object pursuant to Article 6(1)(f) of the Regulation. 21 of the Regulation (see paragraph 65). The aforementioned opinion categorizes the different processing phases that affect the lifecycle of artificial intelligence models, namely the development phase and the deployment phase. The development phase includes all the phases preceding the deployment of the model, including code development, collection of personal training data, pre-processing of training data, and training itself. Regarding the development phase, with particular reference to technical measures, the EDPB specifies that, to mitigate the risks arising from the processing of first- and third-party data, the controller should "offer, from the outset, the possibility of unconditional 'objection,' for example by providing data subjects with a discretionary right to object before the processing takes place, in order to strengthen the control individuals have over their data, which goes beyond the conditions set out in Article 21 of the GDPR" (see paragraph 102). The violations contested by the Office in the document initiating proceedings pursuant to Article 166 of the Code concern the processing operations performed by the Company with reference to the personal data of data subjects located in the European Union for the purposes of pre-training and, therefore, for the development of proprietary LLM programs. During the investigation, in response to the Office's second request for information, the Data Controller declared that it had fulfilled its transparency obligation towards the individuals whose data had been processed for the aforementioned purpose, providing them with information regarding the development phase of its proprietary LLMs through its privacy policy dated October 25, 2023, to the extent that it "described the processing activities and included a section dedicated to both users and non-users residing in the European Economic Area—including Italy—in which the main elements of the processing were indicated," as well as in various public forums hosted on third-party websites (for example, a public Reddit community created on August 26, 2022, and an official Discord server created on September 7, 2023). This position was reiterated in the defense brief pursuant to Article 166, paragraph 1, of the Italian Civil Code. 6 of the Code, in which the Company noted that in recent years—though without providing specific timeframes—it has updated its Terms of Service and Community Guidelines and encouraged feedback on the quality of its models via its Blog. In this regard, the Authority notes that: - the privacy policy of October 25, 2023, refers exclusively to processing activities related to the model dissemination phase, i.e., post-training of the LLMs. Indeed, in the "How We Use the Information We Collect" section, users are informed that their data may be processed to "Analyze, maintain, improve, modify, customize, and measure the Services, including to train our artificial intelligence/machine learning models." Consequently, contrary to the Company's assertions, the information, on the one hand, provides no information regarding processing related to pre-training activities of proprietary LLMs and, on the other, is intended only for users of the Service. To confirm that the privacy policy in question was addressed exclusively to users, the following references are included: "By using the Services, you agree to the practices described in this Policy," and "When you access or otherwise use our Services, we may collect information from you." - Updates on public forums hosted on third-party websites cannot be considered suitable information tools under the Regulation. The cited documentation cannot, in fact, satisfy the transparency obligation that the European legislator has established in the manner provided for in Articles 12, 13, and 14 of the Regulation. Without such documentation, it cannot be demonstrated, even by the Data Controller under an accountability regime, that data subjects, especially non-users, were able to access such documents and, through them, gain knowledge, in particular, of the right to object guaranteed to them by European law. - the collection of feedback on the quality of the LLMs, like the documents mentioned above, refers only to users and to the use (or, more precisely, dissemination) phase of the models, as confirmed by the hyperlink provided by the Company in its response to the second request for information, which directs to a page addressed only to users and is aimed at improving the Characters, certainly not at satisfying the obligation of transparency pursuant to the legislation on personal data. The Authority also finds the additional defense arguments put forward by the Data Controller in the brief pursuant to Article 166 of the Code unacceptable. Regarding the claim that there is no disclosure obligation regarding the processing of personal data for pre-training purposes, as such operations "may not have involved the processing of personal data" because they are based on publicly available datasets found on the internet, consisting of data collected by third parties, on a large scale, open source, and used according to industry practices in the development of LLMs, the Authority notes that verifying the presence or absence of personal data in the training datasets is the primary responsibility of the data controller pursuant to the principle of accountability. To argue, purely hypothetically, that the training datasets may not have contained personal data is to admit that there was no effective verification of the presence or absence of personal data in the training datasets, a failure for which the Data Controller must assume full responsibility. Likewise, the argument that Character did not intentionally process personal data during the development of its LLMs relates only to the subjective element of the conduct and not to its objective characterization. Regarding the final defense argument, regarding the applicability, in this case, of the exception under Article 14, paragraph 5, letter b), of the Regulation, the Authority notes that the impossibility or serious difficulty in communicating information to data subjects, while requiring a specific and documented assessment, does not relieve the controller from the obligation to adopt appropriate measures to protect the rights, freedoms, and legitimate interests of data subjects, otherwise making the necessary information public, as expressly outlined in the EDPB transparency guidelines mentioned above. Regarding the failure to provide opt-out mechanisms, the Authority believes that the Data Controller's defense arguments allow it to overcome the Office's assessments in the dispute. Although it is proven, based on the statements provided in response to the second request for information, that the Company carried out the processing activities aimed at pre-training its proprietary LLMs based on legitimate interest and without informing data subjects of how to exercise their right to object, it should be noted, however, that the specific obligation to provide ad hoc opt-out mechanisms that allow data subjects to object in advance and without stating a reason to this type of processing, pursuant to Article 21 of the Regulation, stems from an interpretation provided by the EDPB in Opinion No. 28/2024. Specifically, the EDPB recommended that data controllers adopt measures that facilitate the exercise of individual rights, including providing data subjects with the possibility of unconditional objection before the processing takes place, in order to strengthen the control individuals have over their data (see paragraph 102.b). This recommendation goes beyond the wording of the regulatory provisions referred to in the combined provisions of Articles 14 and 21 of the Regulation and constitutes a sort of authentic interpretation of the aforementioned provisions arising from the need to adapt the legislation to technological, social, and legal changes related to the implementation of generative artificial intelligence services. Given that the aforementioned opinion was adopted on December 17, 2024, the Data Controller agrees that the recommendations contained therein cannot be applied retroactively, particularly with respect to the pre-training of proprietary LLMs conducted by Character prior to that date. The Authority also acknowledges the circumstance, which emerged during the investigation and was specifically clarified in a note dated April 30, the accuracy of which the Data Controller assumes full responsibility for, that "the last processing of personal data for the purposes of pre-training its proprietary model took place in ... OMISSIS, and therefore prior to the adoption of Opinion No. 28/2024 by the EDPB." Finally, the Authority notes that in its defense brief, Character confirmed what it had already stated in its response to the second request for information regarding the fact that both users and non-users had the opportunity, starting from the launch of the Service in 2023, to exercise their rights, including the right to object, through a ticketing system (i.e., by sending a ticket to the Help Center through the "GDPR request" section) or by sending a request to an email address indicated in the privacy policy. In conclusion, regarding the processing activities aimed at pre-training its LLMs Owners, the Authority believes that Character has violated Article 14, paragraphs 1 and 2 of the Regulation by failing to provide adequate information to Italian data subjects regarding such processing operations, but not Article 21, paragraphs 1 and 4 of the Regulation, given that the exercise of the right to object should not, prior to December 17, 2024, have been guaranteed by the Data Controller in accordance with the procedures set out in EDPB Opinion No. 28/2024. For completeness, the Authority notes the cessation of the processing of personal data for the purposes of developing proprietary LLMs as of ... OMISSIS, as a consequence of ... OMISSIS. 3.4 Violation of Articles 24, paragraph 1 and 25, paragraph 2 of the Regulation The Office has charged Character with violating Articles 24, paragraph 1 and 25, paragraph 2 of the Regulation by failing to adopt measures Appropriate technical and organizational measures, by default, regarding the processing of data of minors prior to the implementation of a neutral age gate mechanism (November 2024) and of minors under 16 years of age for the period following such implementation, at least until April 8, 2025. Article 24, paragraph 1, of the Charter of Fundamental Human Rights establishes that minors have the right to the protection and care necessary for their well-being. Paragraph 2 of the same provision states that in all actions taken by public authorities or private institutions, the child's best interests must be a primary consideration. The same principle is enshrined in Recital 38 of the Regulation, which states: "Children deserve specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned, as well as of their rights in relation to the processing of personal data." European data protection legislation requires data controllers to adopt appropriate technical and organizational measures. Designed to effectively implement data protection principles and integrate the necessary safeguards into the processing to meet the requirements of the Regulation and protect the rights of data subjects. Pursuant to Article 24(1) of the Regulation, the controller is required to implement, and update them where necessary, appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation, taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Pursuant to Article 25(2) of the Regulation, the controller must, by default, implement technical and organizational measures to ensure that only personal data necessary for each specific purpose of the processing are processed. The EDPB clarified, in Guidelines No. 4/2019 on Data Protection by Design and by Default, that "the core of the provision [Article 11] is the protection of personal data by design and by default." 25 (Editor's note)] is to ensure adequate and effective data protection by design and by default, which means that controllers should be able to demonstrate that they incorporate appropriate measures and safeguards into their processing to ensure the effectiveness of the data protection principles and the rights and freedoms of data subjects (see paragraph 2). In its recommendations, the Commission also invited controllers to take into account, when designing and configuring data processing with a privacy-oriented approach, the obligations to provide specific protection to minors and other vulnerable groups (see paragraph 96). Character, in its responses to the second and third requests for information, as well as in its defense brief and at the hearing, specified that it has implemented the following progressive measures to verify the age and protect underage users: - by October 2023, adoption of a neutral age verification mechanism during registration that requires new users to declare their date of birth to access the Service; in the case of a user under 16 years of age and residing in the EEA, this mechanism prevents the creation of an account; if the age gate is not passed, ... OMISSIS; - in November 2024, application of the aforementioned age gate mechanism to all users who registered for the Service prior to its adoption; - in November 2024, implementation of a separate LLM dedicated to underage users to create a different experience for these vulnerable users when using the Service designed to reduce the likelihood of minors encountering or generating inappropriate content (limited Characters, more conservative classifiers, notifications about time spent online and time limits, more appropriate outcomes for minors); - in March 2025, introduction of the Parental Insight feature, which provides those with parental responsibility with a summary of the minor's interactions with the Service, including average daily usage time, time spent with each Character, and the Characters with whom the most frequent interactions are found; - in November 2025 (February 2026 in Italy), elimination of the ability for minors to have open conversations with Personas; - in November 2025, implementation of an advanced age assurance system during use of the Service that combines a proprietary age prediction model (which verifies the accounts of users who self-declared themselves as adults using data collected from interactions with the Service) with a verification process entrusted to the third-party provider Persona (a second-level verification that is activated only if the model indicates that the user is likely a minor, with the user immediately being transferred to the Service dedicated to minors under 18 years of age). The third-party's intervention is subject to a user's complaint and consists of two phases: a request to the user to send a selfie and, only if the user's age cannot yet be determined with sufficient reliability, a request to send an identity document (in both cases, the data is retained for seven days). Technical checks conducted by the Office regarding the creation of an account on the web version of the Service on April 8, 2025 (ref. no. 349/25) revealed the following circumstances: - In the case of registration with a birth date of less than 13 years of age, the user is unable to create an account because the system, having detected the anomaly, prevents access and automatically redirects the user to the homepage; - … OMISSIS; - In the case of access to the Service by a person who identifies as a minor, the Service is available in Italian and the user's profile is set to public; the minor user is given the option, but not the obligation, to enter the email address of a person exercising parental responsibility for the sending of weekly statistics on their activity, excluding the content of private chats; - In the event that a person declaring themselves an adult accesses the Service, the Service is available in Italian, the profile is public, there is no option to involve a person with parental responsibility, and the recommended content appears, prima facie, different from that displayed if a minor accesses the Service. The Authority notes first of all that, as of the date of the technical review (April 8, 2025), the age gate mechanism implemented by the Company to prevent access to the Service by minors under 16 years of age located in Europe, specifically in Italy, was found not to be compliant with the Data Controller's declarations. On the one hand, the ... OMISSIS did not work, and on the other, it was possible for a potential Italian user who self-declared himself as a fifteen-year-old (and therefore under 16) to register for the Service. In its defense, the Data Controller did not provide any justification for these factual findings. On the contrary, its defense was purely legal. The Company argued that the Regulation does not impose a "general and autonomous obligation on data controllers to confirm or verify the age of each user through rigorous identification mechanisms," that there is currently no harmonized and binding European standard for verifying the age of users when accessing and using online services, and that Article 25 cannot be interpreted "as requiring the implementation of an identity check in the absence of a specific legal obligation," an interpretation that "would effectively create a new substantive obligation not provided for by the GDPR, while Articles 24 and 25 cannot be used to impose obligations that the legislator has not foreseen." In this regard, the Authority agrees that Articles 24 and 25 of the Regulation do not oblige data controllers to adopt specific age verification measures (which, as correctly pointed out, have not yet been developed at the European level), but notes that these provisions oblige data controllers to adopt adequate measures to ensure that processing is carried out in compliance with the Regulation. In other words, the fact that a harmonized and binding standard for age verification does not yet exist does not exempt a data controller, in this case Character, from adopting appropriate measures (and demonstrating their adequacy), taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. It is also noted that the Office's verification revealed that the profile of the alleged minor user who registered with the Service was set, by default, to public. This circumstance violates EDPB Guidelines No. 4/2019, which states that "making personal data available to an indefinite number of individuals could lead to even broader disclosures than initially intended, which is particularly relevant in the context of the internet and search engines; therefore, controllers should, by default, give data subjects the opportunity to intervene before personal data are made publicly available on the internet. This is particularly important in the case of minors and vulnerable groups" (see paragraph 57). The EDPB, in its binding decision no. 2/2023, regarding the dispute filed by the Irish supervisory authority against TikTok Technology Ltd., stated that: "Although Article 25(1) of the GDPR does not require the implementation of specific technical and organizational measures and the controller has discretion in choosing the measures and safeguards, the measures and safeguards chosen by the controller must be designed to be robust, taking into account the risks associated with the processing. The EDPB considers that, pursuant to Article 25(1) of the GDPR, the requirement of adequacy is therefore closely linked to the requirement of effectiveness. Whether or not the measures chosen by the controller are appropriate in the specific case depends on the assessment of the elements listed in Article 25(1) of the GDPR" (see paragraph 180). Translating this principle to the case at hand, based on the partially overlapping parameters set out in Articles 25 and 26 of the GDPR, the EDPB considers that: Pursuant to Articles 24 and 25, paragraph 2, of the Regulation, the Authority notes the following. Regarding the nature, scope, context, and purpose of the processing, it is noted that, in this case: i) the processing of personal data of minors is related to the provision of a service that, although not specifically aimed at minors, is widely used by them due to its intrinsic characteristics; ii) the technical assessment revealed that, in a registration attempt, the stated age limit for entry to the EEA area of sixteen was not met; iii) the technical assessment revealed that the account of a supposedly minor user who registered for the Service was public by default; and iv) until November 2025, conversations with the Personal Data Subjects were also open. Regarding risks of varying likelihood and severity for the rights and freedoms of natural persons, it is noted that, as correctly acknowledged by the Company itself in its defense brief, the data controller must assess the adequacy of the age verification measures to be adopted based on the concept of risk. In this regard, the aforementioned Guidelines No. 4/2019 establish that the data controller is responsible not only for identifying risks to the rights of data subjects but also for determining their likelihood and severity in order to adopt appropriate measures to effectively mitigate the identified risks (see paragraph 30). In this case, the Authority first notes that Character conducted a risk assessment of the use of the Service by minors only in the version of the DPIA updated to September 30, 2025, attached to the response to the second request for information (there is no trace of this in the DPIA of November 14, 2024). The aforementioned DPIA details the measures described above and the fact that the Company has collaborated with several online safety experts for adolescents to ensure that the experience for minors is designed with safety as a top priority (among the experts, ConnectSafely, an organization with twenty years of experience in educating individuals on online safety, privacy, protection, and digital well-being). ... OMISSIS. The Authority acknowledges the assessment conducted by the Company in the DPIA of September 30, 2025, and believes that the age gate system based on a simple self-declaration, applied in combination with the age assurance system adopted during the use of the Service, as well as the additional security measures for limiting content and interactions implemented in November 2025, allow it to consider a level of protection adequate to the identified risks to be achieved, ensuring that personal data processing is proportionate to the offering of the Service (including to minors), while respecting the rights and primary interests of minors. The above-mentioned DPIA and the data controller's defense arguments, however, do not overcome the assessments made by the Office in the dispute with regard to the age gate system in the period between April 8, 2024 (the date of release of the service in Italy) and November 2024 (the month in which the age gate was applied to all registered users and a specific version of the Service dedicated to minors was implemented), as well as with regard to Italian users under the age of sixteen even after such implementation, at least until April 8, 2025, the date on which the Office ascertained the failure of certain age gate measures, specifically the European age threshold of sixteen and the ... OMISSIS. The Company's failure to adopt appropriate measures to safeguard access to and use of the Service, and the partial failure of the measures subsequently implemented, as described above, resulted not only in the systematic processing of personal data beyond that actually necessary to achieve the purpose of the processing (offering the Service to users over sixteen years of age in the EEA), but also in the excessive processing of data relating to vulnerable individuals (minors, potentially even under 13). These vulnerable individuals, due to the identified deficiencies, the innovative technology underlying the Service, and the sensitive nature of the conversations with Character.AI, were exposed to a particularly high risk. News reports of self-harm by minors in connection with interactions with artificial intelligence chatbots, … OMISSIS, support the Office's assessments. In conclusion, the Authority finds that Character violated Articles 24, paragraph 1, and 25, paragraph 2, of the GDPR. 2 of the Regulation for failing to adopt adequate technical and organizational measures, by default, to verify age between April 8, 2024, and November 2024, as well as with regard to Italian users under the age of sixteen, between April 8, 2024, and April 8, 2025. For completeness, the Authority acknowledges that the Company has progressively increased measures to protect minors and vulnerable individuals and that, as reported during the hearing, the decision taken in November 2025 (effective in Italy from February 2026) to limit the ability of users under the age of 18 to participate in open conversations with Character AI characters represents a significant step towards protecting the privacy and safety of such users, bordering on counterproductive for the company's business in a highly shameless and competitive market. 3.5 Violation of Articles 5, par. 2 and 35 of the Regulation The Office charged Character with violating Articles 5(2) and 35(1) of the Regulation for having belatedly adopted, despite its obligation to do so, a data protection impact assessment (first version dated November 14, 2024, last updated on September 30, 2025). Article 5(2) of the Regulation establishes the principle of accountability, meaning the obligation for data controllers to demonstrate proactive behavior to demonstrate compliance with the Regulation based on the risk inherent in the processing. This risk must be assessed against the freedoms and rights of data subjects, which must be understood not only in relation to the right to data protection and the right to privacy, but also to other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, the prohibition of discrimination, and the right to freedom of conscience and religion. The key tool for assessing the risk impact of processing on the rights and freedoms of data subjects is the data protection impact assessment document referred to in Article 35 of the Regulation. Article 35 of the Regulation requires the data controller to conduct, prior to processing, an assessment of the impact of the envisaged processing on the protection of personal data where the processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The EDPB, in its Guidelines on Data Protection Impact Assessments (DPIAs), adopted by the Article 29 Working Party on October 4, 2017, and validated at the first Plenary Session on May 25, 2028 (WP 248 Guidelines), clarified that "DPIAs are important tools for accountability as they support controllers not only in meeting the requirements of the GDPR, but also in demonstrating that appropriate measures have been taken to ensure compliance with the Regulation (see also Article 24). In other words, a DPIA is a process intended to ensure and demonstrate compliance." It further clarified, citing both the wording of Article 35 and Recitals 90 and 93 of the Regulation, that "DPIAs should be initiated as early as possible in the design phase of the processing operation, even if some of the processing operations are not yet known." With Order No. 467 of October 11, 2018, published in the Official Journal, General Series, No. 269 of November 19, 2018, the Authority approved the list of types of processing subject to the requirement of a data protection impact assessment, pursuant to Article 35, paragraph 4, of the Regulation, expressly including, in point 7, processing carried out through the use of innovative technologies, including artificial intelligence systems. In this case, the Data Controller submitted to the Office, together with the response to the first request for information, a data protection impact assessment (DPIA), which appears to have been drafted on November 14, 2024, and, together with the response to the second request for information, an update thereof, signed on September 30, 2025. In the DPIA dated November 14, 2024, the Company expressly declares that it has identified the need to conduct an impact assessment due to the use of generative artificial intelligence technology to provide the Service. In the November 14, 2024, version of the DPIA, as explained above, Character did not conduct any impact assessment regarding the risk associated with offering the Service to minors (which was present in the September 30, 2025, version). Both versions also indicate that the Company did not conduct any assessment regarding processing operations for pre-training purposes of proprietary LLMs, merely reporting that the LLMs were not "pre-trained" on user conversations or data. In its defense brief, the Company emphasized that the obligation to draft a DPIA exists only when the processing poses a high risk to the rights and freedoms of natural persons and, therefore, is not an automatic requirement but rather is related to the risk assessment. It also argued that the fact that the first DPIA was formalized only in November 2024, following receipt of the Office's first request for information, "does not mean that a risk assessment had not been conducted before that date." The Authority notes that, in this case, a high risk to the rights and freedoms of natural persons must be presumed based on the wording of Article 35 and its interpretation provided by the EDPB and the Garante in their respective documents cited above. Specifically, in the aforementioned guidelines, the EDPB has identified nine criteria to be considered for the purpose of identifying processing operations likely to present a "high risk": 1) assessment or scoring, including profiling and prediction, taking into account, in particular, "aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements"; 2) automated decision-making that produces legal effects or similarly significantly affects individuals; 3) systematic monitoring of data subjects; 4) sensitive data or data of a highly personal nature; 5) large-scale data processing; 6) matching or combining data sets; 7) data relating to vulnerable data subjects; 8) innovative use or implementation of new technological or organizational solutions; 9) when the processing itself "prevents data subjects from exercising a right or from availing themselves of a service or a contract": The EDPB has clarified that the existence of two or more of the aforementioned criteria indicates processing that presents a high risk to the rights and freedoms of data subjects and therefore requires a data protection impact assessment. However, it has added that, in some cases, "a controller may consider that processing that meets only one of these criteria requires a data protection impact assessment" (see Guidelines, pages 9-12). The list (not exhaustive, as the EDPB's guidance above remains valid) of the types of processing subject to the consistency mechanism and to be subject to an impact assessment, annexed to Decision No. 467 of 11 October 2018, adopted pursuant to Article 35, paragraph 1, of the GDPR, includes: 4 of the Regulation, the Garante expressly stated that an impact assessment is mandatory for processing operations carried out using innovative technologies (e.g., IoT; artificial intelligence systems; use of online voice assistants through voice and text scanning; monitoring performed by wearable devices; proximity tracking such as Wi-Fi tracking) whenever at least one of the other criteria identified by the EDBP is met. In this case, the Garante believes that Character should have conducted the impact assessment before the launch of the Service in September 2022, as the risk to the freedoms and rights of natural persons should be presumed to be high given that the processing involved the use of a particularly innovative technology such as generative artificial intelligence (a sufficient criterion in itself), large-scale data processing (for the development of proprietary LLMs), and personal data relating to vulnerable data subjects (minors). Furthermore, even accepting the defense's argument that the risk assessment was necessary and was conducted through undocumented internal risk assessments involving various interdisciplinary teams starting in 2022 (and only formalized on November 14, 2024), the Authority believes that the defense's arguments are unacceptable for two reasons. First, the principle of accountability applies precisely in circumstances such as that described by Character, in order to allow the data controller to demonstrate compliance with the Regulation by preparing a DPIA and not through unspecified and undocumented internal company assessments. Secondly, the fact that the first DPIA—late, even assuming April 8, 2024, the date of the Service's launch in Italy, as the starting date of the obligation—was deficient both with regard to the processing of minors' data and the processing for pre-training purposes of proprietary LLMs demonstrates that the Company had not properly conducted the risk assessment. Based on the above, the Authority believes that Character violated Articles 5(2) and 35(1) of the Regulation by belatedly adopting the data protection impact assessment, even though it was required to do so. For completeness, the Authority notes that the Company, during the hearing, stated that it had updated the DPIA on February 7 and September 30, 2025, and therefore had progressively improved its compliance with the Regulation, including in this regard. 3.6 Violation of Article 5(2) of the Regulation Article 27, paragraphs 1 and 4, of the Regulation The Office charged Character with violating Article 27, paragraphs 1 and 4, of the Regulation for having belatedly designated VeraSafe Ireland Ltd. as its representative in the European Union, pursuant to and for the purposes of Article 27 of the Regulation, even though it was required to do so. Furthermore, it also included a contact link in its privacy policy of August 27, 2025, that redirected to an unaccessible web page, thus effectively rendering any online communication with the designated representative impossible. Article 27, paragraph 1, of the Regulation requires the controller, if not established in the European Union, to designate in writing a representative in the Union who, pursuant to paragraph 4, acts as an interlocutor, in addition to or in place of the controller, for the supervisory authorities and data subjects. From the documentation attached to the Company's second response, specifically the Verasafe Master Services Agreement, it appears that the written designation of the Irish company VeraSafe as the representative pursuant to Article 27 of the Regulation was finalized on May 31, 2025. The Authority therefore notes that the Company fulfilled its obligation under Article 27 of the Regulation only on May 31, 2025, despite having previously offered the Service to data subjects in the EEA, a circumstance that can be deduced from the preparation of a European regional supplement to the privacy policy dated October 27, 2023, and having offered it specifically to Italian data subjects since April 8, 2024, a circumstance the Company itself stated at the hearing. The Data Controller's argument in the defense brief that, in this case, the provisions of Article 27, paragraph 1, of the Regulation apply is not supported by the provisions of the Privacy Policy. Article 2(2) of the Regulation, which excludes the requirement to designate a representative in the case of occasional processing, does not overcome the assessments made by the Office in the dispute. The Authority believes, in fact, that this exception cannot be applied to the case at hand because i) the processing of personal data related to a Service provided in Italian after 8 April 2024 cannot be considered occasional (a circumstance also found by the Office during the technical assessment carried out on 8 April 2025); ii) the processing of personal data for pre-training purposes of proprietary LLMs must be classified as large-scale; and finally, iii) by not contesting the existence of European jurisdiction and therefore the applicability of Article 3(2)(a) of the Regulation, the Company has implicitly endorsed the applicability of Article 27 of the Regulation. As regards the violation of Article 27(1)(a), the Company has implicitly endorsed the applicability of Article 27 of the Regulation. 4, the Office verified, as evidenced by the online inspection report dated November 7, 2025 (ref. no. 148338/25), that the VeraSafe online contact link included in the privacy policy dated August 27, 2025, redirected to an unreachable web page (technical error: "404 page not found"), thus effectively making any online communication with the designated representative impossible. The Company, in its defense brief, confirmed the existence of a technical problem with the hyperlink included in the privacy policy, but disputed the Office's assessment, noting, on the one hand, that data subjects were still able to contact the representative via the email address and telephone number listed at the bottom of the web page accessed via the incorrect link, and, on the other, that the failure of the contact could be considered a "minor material error" that had no impact on the substance and accessibility of the information. The Authority believes that the defense's arguments can be upheld given that, despite being deprived of the most convenient means of communication, data subjects could still contact VeraSafe by regular mail at the physical address or by telephone at the number published in the privacy policy on August 27, 2025. The alleged violation, therefore, does not meet the threshold of objective integration, as it concerns a material error in the transcription of the http address that did not affect the substance of the rights of Character.AI users and cannot be subjectively attributed to the Data Controller, even through negligence. Based on the above, and also given that the Company immediately corrected the material error, the Authority believes that Character has not violated Article 27, paragraph 4, of the Regulation. In conclusion, with regard to the appointment of the representative in the European Union, pursuant to and for the purposes of Article 27 of the Regulation, the Authority believes that Character has violated Article 27, paragraph 1, of the Regulation. 1 of the Regulation for having belatedly designated VeraSafe Ireland Ltd. as its representative in the European Union, although it was required to do so, but not Article 27, paragraph 4, of the Regulation, given that the deficiency noted must be considered a mere material error that did not substantially affect the rights of the data subjects and was promptly corrected by the Data Controller. 4. CONCLUSIONS In light of the above considerations, the issues raised in the initiation of the proceedings under Article 166 of the Code are confirmed, as the statements made during the investigation and the defenses presented were not deemed adequate to overcome the findings made by the Office (and none of the cases provided for in Article 11 of Regulation No. 1/2019 apply) with reference to the violations referred to in Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation. Therefore, the Authority finds the Data Controller's conduct unlawful for having: 1) failed to provide, both in the privacy policy of October 23, 2023 and in the updated privacy policy of August 27, 2025, clear, intelligible, and complete information regarding the various processing operations, in violation of Articles 12, paragraph 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation; 2) failed to provide adequate information to Italian data subjects regarding the processing operations aimed at the pre-training of proprietary LLMs, in violation of Articles 14, paragraphs 1 and 2 of the Regulation; 3) failed to adopt adequate technical and organizational measures, by default, to verify age between April 8, 2024, and November 2024, as well as with regard to Italian users under the age of sixteen, between April 8, 2024, and April 8, 2025, in violation of Articles 24(1) and 25(2) of the Regulation; 4) belatedly adopted the data protection impact assessment, although it was required to do so, in violation of Articles 5(2) and 35(1) of the Regulation; 5) belatedly designated VeraSafe Ireland Ltd. as its representative in the European Union, although it was required to do so, in violation of Article 27(1) of the Regulation. The Authority, however, does not consider the alleged violations referred to in Article 21(1) to be established. 1 and 4 and pursuant to Article 27, paragraph 4, of the Regulation. 5. CORRECTIVE MEASURES The determination of a violation of the aforementioned provisions of the Regulation requires, in relation to certain specific conduct that has not exhausted its effects as of the date of this provision, the adoption of certain corrective measures pursuant to Article 58, paragraph 2, of the Regulation, specifically an order for compliance pursuant to Article 58, paragraph 2, letter d), of the Regulation. It also makes the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation applicable, pursuant to Articles 58, paragraph 2, letter i), of the Regulation. In this case, the conditions for classifying the violations as "minor" pursuant to Recital 148 of the Regulation and the most recent case law of the Court of Justice of the European Union cannot be identified. Article 58, paragraph 2, of the Regulation grants the Garante a series of corrective powers, both prescriptive and punitive, to be exercised in the event that unlawful processing of personal data is ascertained. Among these powers, Article 58, paragraph 2, letter d), of the Regulation provides the power to "order the controller ... to bring processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period." From the findings and considerations in the preceding paragraphs, it has emerged that Character has violated Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 2. 1 of the Regulation, but which, during the investigation, spontaneously adopted certain measures aimed at addressing the critical issues raised by the Authority in the three requests for information and in the initiation of the proceeding pursuant to Article 166 of the Code. Other measures, notably certain amendments to the privacy policy, were spontaneously adopted subsequent to the initiation of the proceeding pursuant to Article 166 of the Code and pending the adoption of this provision. These measures, which ensure partial compliance of the processing with the legislation on personal data protection, will be duly taken into account in the following paragraph relating to the determination of the administrative sanction. However, the following conduct remains ineffective and requires the prescription of appropriate corrective measures. With reference to the violation of Articles 12, paragraph 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2, regarding the disclosure requirements regarding the various processing operations performed through the Service for users, the Authority believes that, despite recent revisions to the privacy policy and the related regional supplement, which have undoubtedly improved clarity and usability, the privacy policy in force as of the date of this provision (effective from July 1, 2026) continues to not comply with personal data protection legislation, to the extent that: i) although it clearly associates each category of personal data processed with the corresponding legal basis and the respective processing purpose, some legal bases still appear unclear or misleading (for example, the reference to consent "required by law," or the legal basis for consent for sending personalized communications, which is nevertheless included in the table relating to the personalization of services, based on legitimate interest, or the legal basis for processing for the purpose of verifying age when using the Service, based on fulfilling a legal obligation); ii) although it more clearly indicates the criteria used to determine data retention periods, as they are linked to the purposes of processing, which have themselves been more precisely outlined, it still lacks information on the retention criteria for each purpose (for example, the retention periods for chats or data used to verify age) as well as the consequences of ceasing data retention (for example, any technical retention periods after deletion by the user or any forms of anonymization or aggregation of data whose processing has ceased); the inclusion of specific examples would allow users to more clearly understand the retention periods, in the absence of precise time data; iii) despite the amendments, it is still lacking in information regarding the non-EU countries to which users' personal data may be transferred and on the basis of which adequacy decisions or other appropriate safeguards pursuant to Chapter V of the Regulation; In particular, given that a transfer of personal data to the U.S. seems likely, the applicable adequacy decision is lacking in expressly indicating it; the inclusion of a contact link would make it easier for users to request further information regarding the safeguards adopted in the event of data transfer to third countries; iv) misleadingly indicates, as it is likely to create a false impression among Italian data subjects, the existence of personal data processing for post-training purposes of the LLMs underlying the service, failing to distinguish between users from the EEA and users residing in the U.S., even though such processing, as of ... OMISSIS, had not yet begun; v) in any case, in the event that the aforementioned processing has begun in the meantime, it does not clearly and easily indicate for Italian users the procedures for exercising the right to object to processing for post-training purposes, since this right is described in the initial section of the regional supplement, which is also addressed to users residing in the U.S. and the landing page of the link provided therein is published exclusively in English. Therefore, pursuant to Article 58, paragraph 2, letter d), of the Regulation, the Authority orders the Data Controller to bring its privacy policy into line with the Regulation, specifically Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2, thereof, addressing the shortcomings indicated above. With reference to the violation of Articles 14, paragraphs 1 and 2 of the Regulation regarding the information obligations towards Italian data subjects regarding processing operations aimed at the pre-training of proprietary LLMs, noting that such processing ceased as of ... OMISSIS, the Authority orders the Data Controller, pursuant to Article 58, paragraph 2, letter d), 6, paragraph 4, letter d), of the Regulation, to align the retention of personal data relating to Italian data subjects collected for the aforementioned purpose with the Regulation, assessing the possible existence of a different but compatible purpose with that for which the personal data were collected, pursuant to and under the conditions set forth in Article 6, paragraph 4, of the Regulation or, in its absence, ordering their complete erasure. With reference to the violation of Articles 24, paragraph 1, and 25, paragraph 2, of the Regulation regarding technical and organizational measures for age verification, having acknowledged the significant changes made by the Company in the meantime, the Authority orders the Data Controller, pursuant to Article 58, paragraph 2, letter d), of the Regulation, to comply with the Regulation by ensuring (i) the correct functioning of the age gate for access to the Service at the age of sixteen for Italian users, as provided for users in the EEA area; ii) the correct functioning of the period ... OMISSIS to prevent further registration attempts by minors who were blocked upon first access because they declared themselves under the minimum age required in the EEA area (sixteen years); iii) the default private mode for minors' profiles. 6. INJUNCTION ORDER Pursuant to Articles 58, paragraph 2, letter i), of the Regulation and 166 of the Code, the Garante has the power to impose an administrative fine pursuant to Article 83 of the Regulation, by issuing an injunction order (see Articles 18, Law No. 689 of 24 November 1981 and 16, paragraph 1, of the Garante's Regulation No. 1/2019). In determining the fine, the Authority takes into account the principles and interpretation provided by the EDPB in its Guidelines No. 4/2022 on the calculation of administrative pecuniary sanctions, version 2.1, adopted on May 24, 2023. 6.1. Assessment of Conduct and Identification of the Applicable Sanction Based on the arguments put forward above, the Authority has determined a violation of the following provisions of the Regulation: Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1 of the Regulation. In this case, it should first be noted that the Company engaged in a series of conducts that constituted multiple violations, as specifically outlined and justified in the previous paragraphs. The violation of the aforementioned provisions occurred as a result of interrelated processing operations (see EDPB Guidelines No. 4/2022, paragraph 28) and can therefore be brought, due to the principle of unity of action, under the aegis of Article 83, paragraph 3, of the Regulation, pursuant to which, in the event of multiple violations, relating to the same or related processing operations, the total amount of the administrative pecuniary sanction cannot exceed the amount set for the most serious violation. In this case, the most serious violation among those mentioned above must be identified as the violation of transparency obligations, given that Articles 12, 13, and 14 (rights of data subjects) are sanctioned pursuant to Article 83, paragraph 5, which sets the maximum pecuniary sanction at €20 million or, for companies, 4% of the annual worldwide turnover of the preceding financial year, whichever is higher. 6.2. Quantification of the administrative pecuniary sanction (Article 83(2) of the Regulation) Pursuant to Article 83(1) of the Regulation, the administrative sanction must be effective, proportionate, and dissuasive in relation to the individual case. In the aforementioned guidelines, the EDPB clarified that the calculation of administrative pecuniary sanctions must begin from a harmonized starting point, which constitutes the initial basis for the further calculation of the amount of the sanction, taking into account and weighing all the circumstances of the case (see paragraph 46). The harmonized starting point must take into account three factors: 1) the nature of the infringement; 2) the seriousness of the infringement; and 3) the company's turnover (see paragraph 48). Starting from the first aspect, relating to the nature of the breach (abstract severity), in this case, of the five breaches identified, three are more serious (Article 83(5) of the Regulation) as they relate to a basic principle of processing (accountability in connection with the preparation of the DPIA) and to the data subjects' rights (to information), while two are less serious (Article 83(4) of the Regulation) as they relate to the data controller's obligations (security measures and designation of a representative). With regard to the seriousness of the breach (in concrete terms), the elements to be considered are: a) nature, severity, and duration of the breach, taking into account the nature, scope, and purpose of the processing, the number of data subjects affected by the damage, and the level of damage they suffered (Article 83(2)(a) of the Regulation); b) whether the breach was intentional or negligent (Article 83(2)(b) of the Regulation); c) categories of personal data affected by the breach (Article 83, paragraph 2, letter g), of the Regulation). In the case at hand, with regard to point a), the Authority notes the following: i) the nature of the processing at issue entails high risks to the rights and freedoms of natural persons, as it is connected to an innovative technology such as generative artificial intelligence applied to an entertainment service, also offered to minors; ii) the processing is cross-border in nature, with global reach and effects that are virtually uncontrollable by the data subjects; iii) all the purposes of the processing at issue in this proceeding fall within the Company's core business; iv) the number of data subjects involved must be limited to the number of daily active Italian users, quantified by the Company itself, in a note dated April 30, 2026, as ... users OMISSIS; v) no concrete damage to the Italian data subjects has been proven with regard to the first and fourth complaints; vi) the duration of the breach is long-lasting with reference to the processing for pre-training purposes of the Company's proprietary LLMs, but limited with reference to the other four breaches given that the Service has been made available to Italian data subjects since 8 April 2024. Regarding point (b), the Authority believes that all identified violations should be considered negligent. As stated by the Article 29 Working Party in its guidelines on the application and provision of administrative pecuniary sanctions pursuant to Regulation (EU) No. 2016/679, adopted on October 3, 2017, and implemented by the EDPB on May 25, 2018 (WP 253 guidelines), intentional conduct refers to both the knowledge and intent (consciousness and will) to commit an unlawful act, whereas negligent conduct lacks the intent to cause the violation despite a failure to comply with a duty of care. The Court of Justice of the European Union (CJEU), in its ruling of December 5, 2023 (Case C-807/21), established that the supervisory authority has the burden of establishing whether a breach was committed intentionally or negligently by the data controller, as only unlawful breaches can lead to the imposition of an administrative fine. In this regard, it should be noted that the CJEU established in the aforementioned decision that Article 83 of the Regulation does not permit the imposition of an administrative fine unless it is established that the breach was committed intentionally or negligently by the data controller (see paragraph 75). The Court itself upheld the fundamental principle of “ignorantia legis non excusat”, stating that “a data controller may be sanctioned for conduct falling within the scope of the GDPR if the controller could not have been unaware of the unlawful nature of his or her conduct, regardless of whether he or she was aware of violating the provisions of the GDPR” (see paragraph 76). This principle had already been enunciated by the Court of Justice in another case (judgment C-601/16 of 25 March 2021, paras. 97 and 98) in which it had established that “an undertaking may be penalised for conduct falling within the scope of Article 101(1) TFEU where that undertaking could not have been unaware of the anti-competitive nature of its conduct, regardless of whether or not it was aware that it was infringing the competition rules of the Treaty” (see, in a similar vein, also CJEU, judgment C-681/11 of 18 June 2013, para. 37). In this case, therefore, the defense arguments expressed on the matter cannot be accepted since Character could not, at the time its Service was launched, and especially when it was expressly offered (also) to users located in the European Union and specifically in Italy, exempt itself from a duty to be aware of and apply the Regulation. This Regulation, as is well known, protects a fundamental right provided for and protected by Article 8 of the Charter of Fundamental Rights of the European Union, given that the processing of personal data represents the company's core business. Evidence of the Company's awareness of its duty of diligence in complying with the Regulation is evident, de plano, from the inclusion, in the privacy policy dated October 25, 2023, of a regional appendix to the main text of the notice, which specifically included European data protection legislation. In light of the circumstances of the specific case, the context in which the Data Controller operates, and the disruptive and rapidly expanding technology underlying its business activities, the Authority believes that the failure to process personal data in compliance with EU legislation constitutes negligence, which is the basis of the concept of fault, and demonstrates the existence of this subjective element on the part of the Company. This fault must, however, be considered non-serious given the attention and resources allocated to progressively improving compliance with the Regulation, which were not only declared during the hearing but also demonstrated by the documentation (and updates thereto) submitted, including spontaneously, during the investigation and after the initiation of the proceedings pursuant to Article 166 of the Code. Regarding point c), the Authority notes that the investigation did not reveal, in particular, the processing of special categories of data. However, it notes that, in the absence of effective age verification mechanisms during registration and during use of the Service, until November 2025, personal data relating to minors and vulnerable individuals were processed without the appropriate security measures. Taking into account the above-mentioned elements, which can be traced back to Article 83, paragraph 2, letters a), b), and g), of the Regulation, it is believed that, in this case, the level of severity (in concrete terms) of the violation committed by the data controller should be considered medium (see Guidelines No. 4/2022, paragraph 60). That said, the Authority further notes that Character can be classified as a start-up that employs ... OMISSIS people, operates in a highly competitive and particularly "aggressive" market occupied by companies with much larger dimensions and resources, and has an annual turnover ... OMISSIS. Finally, for the purposes of quantifying the fine, the Authority believes that the following mitigating factors should be taken into consideration. - mitigating circumstance pursuant to Article 83, paragraph 2, letter c), of the Regulation, for the Data Controller having adopted measures to mitigate the damage with regard to age verification through the adoption and progressive strengthening of the implemented measures, in particular the introduction of a Service dedicated to minors and an age assurance system with age verification, in the second instance, entrusted to a third-party provider; - mitigating circumstance pursuant to Article 83, paragraph 2, letter e), of the Regulation, for the Data Controller not having reported previous relevant violations; - mitigating circumstance pursuant to Article 83, letter f), of the Regulation, due to the Data Controller's cooperation with the Authority throughout the entire investigation phase and even after the initiation of the proceedings pursuant to Article 166 of the Code, in order to remedy the alleged violations, in an innovative, challenging, and evolving technical and legal framework. This circumstance, while not excluding any liability, certainly makes any initiative aimed at improving compliance with the Regulation highly commendable. Specifically, specific and relevant elements considered to supplement the mitigating factor in question are: i) the changes made to the privacy policy aimed at addressing, although not entirely, the critical issues identified by the Office; ii) the information provided to data subjects in the EEA region regarding the processing of their personal data for post-training purposes of the LLM programs supported by the Service, with the right to exercise their right to object in advance, in accordance with the recommendations expressed by the EDPB in Opinion No. 28/24; and iii) the spontaneous communications sent to the Office. Finally, in this case, it is believed that the financial circumstances of the Data Controller are relevant, in light of the amount ... OMISSIS. In light of the above factors, assessed as a whole and based on the principles of effectiveness, proportionality, and dissuasiveness set forth in Article 83, paragraph 1, of the Regulation, it is deemed appropriate to set the fine at €158,000.00 (one hundred and fifty-eight thousand) for the violation of Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation. It is believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Italian Data Protection Authority Regulation No. 1/2019, the additional sanction of publishing this section of the provision containing the injunction on the Italian Data Protection Authority's website should be applied, given the risks to personal data protection associated with making available to the public a service based on an innovative and complex technology such as generative artificial intelligence, in the absence of the necessary safeguards, as well as the existence of a general interest in the topic in question, which requires the widest possible disclosure of the Authority's position on the matter. FOR THESE REASONS - Pursuant to Articles 57 and 83 of the Regulation, the conduct of Character Technologies, Inc., with registered office at #1152, 700 El Camino Real, Suite 120, Menlo Park CA 94025, USA, is declared unlawful for violation of Articles 57 and 58 of the Regulation; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation, within the terms set out in the reasons; - Pursuant to Article 58, paragraph 2, letter d), of the Regulation, the Data Controller is required to comply with the provisions set out in paragraph 5 of this provision within 120 days of notification of this provision. - Pursuant to Article 157 of the Code, the Data Controller is required to notify the Authority, within 120 days of notification of this provision, of the initiatives undertaken to implement the corrective measures referred to in the preceding point; Failure to comply with the provisions of this section may result in the application of the administrative fine provided for in Article 83, paragraph 5, of the Regulations. IT IS ORDERED Pursuant to Articles 58, paragraph 2, letter i), and 83 of the Regulations, as well as Article 166 of the Code, the aforementioned Data Controller is ordered to pay the sum of €158,000.00 (one hundred and fifty-eight thousand) as an administrative fine for the violations indicated in the grounds. IT IS ORDERED The aforementioned Data Controller, in the event of failure to resolve the dispute, pursuant to Article 166, paragraph 8, of the Code, to pay the sum of €158,000.00 (one hundred and fifty-eight thousand), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is hereby stated that, pursuant to Article 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying—in accordance with the procedures indicated in the attachment—an amount equal to half the fine imposed within the deadline set out in Article 10, paragraph 3, of Legislative Decree No. 150 of September 1, 2011, for filing an appeal as indicated below. IT IS HEREBY ORDERED pursuant to Article 154-bis, paragraph 3, of the Code and Article 37 of the Italian Data Protection Authority Regulation No. 1/2019, this provision be published on the Italian Data Protection Authority's website; pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Italian Data Protection Authority Regulation No. 1/2019, the publication of the injunction order on the Garante's website; pursuant to Article 17 of the Garante's Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2, of the Regulation in the Authority's internal register provided for by Article 57, paragraph 1, letter u), of the Regulation. Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree No. 150 of September 1, 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, under penalty of inadmissibility, within thirty days of the date of notification of the provision, or within sixty days if the appellant resides abroad. Rome, July 3, 2026 THE PRESIDENT Stanzione THE SPEAKER Stanzione THE SECRETARY GENERAL Montuori SEE ALSO Press release of July 9, 2026 [web doc. no. 10269571] Measure of July 3, 2026 Register of Measures no. 487 of July 3, 2026 THE DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation"); HAVING REGARD to the Personal Data Protection Code (Legislative Decree No. 196 of 30 June 2003) (hereinafter the "Code"); HAVING REGARD to Regulation No. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Italian Data Protection Authority, approved with Resolution No. 98 of 4 April 2019, published in the Official Journal No. 106 of 8 May 2019 and on www.gpdp.it, web doc. No. 9107633 (hereinafter "Regulation of the Guarantor No. 1/2019"); SEEN the documentation in the file; SEEN the observations made by the Secretary General pursuant to Article 15 of Regulation No. 1/2000 of the Guarantor on the organization and functioning of the Office of the Guarantor for the Protection of Personal Data, adopted by resolution of June 28, 2000 (web doc. No. 1098801); REPORTER: Professor Pasquale Stanzione; 1. BACKGROUND AND PROCEDURE OF THE INVESTIGATION 1.1. Origin of the preliminary investigation The proceeding arose from an investigation initiated by the Authority in November 2024, following the determination that the generative artificial intelligence service Character.AI (hereinafter "Character.AI" or the "Service"), offered by the US company Character Technologies, Inc. (hereinafter "Character," the "Data Controller," or the "Company"), headquartered in Menlo Park, California, was available in Italy via a mobile app and web platform, that the privacy policy in effect at the time was aimed at data subjects in the EEA region, and that the Service was also offered in Italian. Character.AI is a generative artificial intelligence service that allows users to create and interact, via chat, with existing or custom-created virtual characters (hereinafter "Characters"), enabling them, through interactive entertainment and technology, to express themselves, explore ideas, and unleash their imagination and creativity. Character, a company incorporated on November 3, 2021, launched the beta version of the Service in web mode on September 16, 2022, and in app mode on May 23, 2023. On April 8, 2024, the beta version was replaced by the final version, available at the top-level domain www.character.ai and also offered in Italian. In November 2024, a dedicated version of the Service was launched, reserved for minors. Character uses a generative artificial intelligence system based on proprietary large language models (hereinafter also "LLMs"), refined through user interaction with the Service (as of April 30, 2026, users in the EEA are not included). These LLMs were no longer pre-trained... REDACTED. For the purposes of this provision, "generative artificial intelligence" means the field of artificial intelligence dedicated to the creation of new and original content based on user prompts, through the use of predominantly neural algorithms and typically based on large-scale linguistic models. For the purposes of this provision, LLM also means a probabilistic model of a natural language, such as Italian, based on the assumption that all natural languages are highly redundant and correlated; hence, the LLM's ability to identify the word or symbol that, probabilistically, immediately follows a given piece of data. 1.2. Activities carried out 1.2.1 The first request for information On November 7, 2024, the Office notified Character (ref. no. 131170/24) of a request for information pursuant to Article 57, paragraph 1, letter b) of the Italian Legislative Decree. a) of the Regulation, requesting clarification from the Company regarding the existence of an establishment or the appointment, pursuant to and for the purposes of Article 27 of the Regulation, of a representative in the European Union, the measures adopted to verify the age of Service users, and the processing activities performed, including, in particular, those aimed at training the artificial intelligence models underlying the Service. On December 20, 2024, the Office granted (ref. no. 150217/24) a request for an extension of the deadline to provide a response, submitted by the Company on the same date (ref. no. 150737/24), due to the scope of the request and the difficulty in obtaining the necessary information during the Christmas period. On January 21, 2025, the Company responded to the request for information (ref. no. 6935/25), providing a copy of the impact assessment (hereinafter also "DPIA") pursuant to Article 35 of the Regulation and the assessment of legitimate interest (hereinafter also "LIA") pursuant to Article 6, paragraph 1, letter f) of the Regulation. Regarding the Service, the Data Controller stated: • that it had developed its proprietary LLMs by training them primarily with data publicly available on the internet; • that it had carried out the post-training phase using ...OMISSIS. Regarding age verification, Character stated that in the fall of 2023 it had introduced a system to block use of the Service based on a neutral so-called "legal" mechanism. An age gate that requires users to enter their date of birth and that, in November 2024, users who had registered before the system was introduced had to verify their age in order to continue using the Service. It also reported that, in November 2024, it had implemented a separate version of the Service based on a specifically trained LLM for users under the age of eighteen and had prevented them from indiscriminately accessing all Characters and making their Characters public. In an update, spontaneously submitted on July 29, 2025 (ref. no. 106560/25), the Company announced that it had designated VeraSafe Ireland Ltd. (hereinafter also "VeraSafe"), based in Cork, Ireland, as its representative in the European Union, and that it had updated the Service's privacy policy, effective August 27, 2025. 1.2.2 The Second Request for Information On August 6, 2025, the Office sent Character a supplementary request for information (ref. no. 109878/25), requesting clarifications regarding the processing of personal data related to: i) the operation of the generative artificial intelligence models underlying the Service; ii) the provision of the Service; and iii) the transfer of personal data outside the European Union. The Office also requested clarification regarding some of the security measures indicated in the DPIA, as well as a copy of the document designating the representative pursuant to Article 27 of the Regulation. On September 30, 2025, the Company responded to the second request for information (ref. no. 129329/25), within the timeframe allowed, providing a copy of the privacy policy updated to August 27, 2025, a copy of the DPIA updated to September 30, 2025, a copy of the LIA updated to September 29, 2025, and a copy of the document designating the representative pursuant to Article 27 of the Regulation. In this response, the Company confirmed that the Service was based on large, proprietary models, but that these models had not been pre-trained in the year prior to the response. 1.2.3 The third request for information On November 4, 2025, following the publication of press reports suggesting that the Company was planning to block underage users from accessing the Service's open chats starting November 25, 2025, the Office sent a third request for information (ref. no. 146211/25) requesting clarification on the aforementioned issue as well as on the plan, announced by the Company in its response note of September 30, 2025, to begin processing the personal data of EEA users for post-training purposes of its generative artificial intelligence systems. The Company responded with a letter dated December 9, 2025 (ref. no. 171362/25) confirming, with regard to the profile of underage users, the veracity of the information regarding the plan to eliminate the ability of minors under 18 to participate in open conversations with Service Personalities, starting November 24, 2025 in the United States and by the end of February 2026 in Italy. Furthermore, the Company informed the Office that it had introduced an age verification system that operates during the use of the Service in order to offer underage users an age-appropriate experience. This age assurance mechanism complements the technical age verification measures already adopted to prevent access to individuals under the age of 13, through a proprietary age verification model combined with the intervention of a third-party company, Persona Identities, Inc. (hereinafter "Persona"). … OMISSIS. 2. INITIATION OF THE PROCEEDINGS FOR THE ADOPTION OF CORRECTIVE AND PENALTY MEASURES AND THE PARTY'S DEFENSES 2.1. Initiation of the proceedings (Article 166, paragraph 5, of the Code) Based on the information acquired during the preliminary investigation described above, with a note dated January 26, 2026 (ref. no. 10830/26), notified pursuant to Article 166, paragraph 5, of the Code, the Office initiated the proceedings for the adoption of the measures referred to in Article 58, paragraph 1, of the Code. 2 of the Regulation against the Data Controller, inviting the Data Controller to submit written defences or documents to the Data Protection Authority or to request a hearing with the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981). The alleged violations are: 1) Articles 12, paragraph 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation for Character's failure to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations performed through the Service; 2) Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 2 of the Regulation. 1 and 4 of the Regulation for having Character failed to provide adequate information to Italian data subjects regarding the pre-training activities of the proprietary LLMs underlying the Service and to establish appropriate mechanisms to allow them to exercise their right to object; 3) Articles 24, paragraph 1 and 25, paragraph 2, of the Regulation for having Character failed to adopt adequate technical and organizational measures, by default, in relation to the processing of data of minor users relating to the period prior to the implementation of an age gate mechanism (November 2024) and of minor users under the age of sixteen relating to the period following such implementation, at least until 8 April 2025; 4) Articles 5, paragraph 2 and 35, paragraph 3. 1 of the Regulation for Character's late adoption of the data protection impact assessment (first version dated November 14, 2024, updated September 30, 2025), while it was required to do so; 5) Art. 27, paragraphs 1 and 4 of the Regulation for Character's late designation of VeraSafe Ireland Ltd. as its representative in the European Union pursuant to and for the purposes of Article 27 of the Regulation, and for having included in its privacy policy of August 27, 2025, a contact link that redirects to an unaccessible web page, thus effectively rendering any online communication with the designated representative impossible. 2.2. Defenses of the Party (Article 166, paragraph 6, of the Code) On March 31, 2026 (ref. no. 49636/26), Character filed a defense brief requesting a hearing, pursuant to Article 166, paragraph 6, of the Code. In this brief, the Company rejected all objections and, believing it had fulfilled all obligations under the Regulation, requested dismissal of the proceedings. From an objective standpoint, the Data Controller rejected all objections as follows. With regard to the alleged failure to comply with transparency obligations towards users, the Company deemed the objections raised by the Office with regard to both versions of the privacy policy to be unfounded. Specifically, regarding the complaints regarding the privacy policy dated October 25, 2023, the Data Controller deemed its availability only in English irrelevant and rejected the Office's accusations of incompleteness, lack of intelligibility, and lack of clarity. Likewise, regarding the privacy policy dated August 27, 2025, the Company rejected the complaint regarding the syntactical and terminological deficiencies of the Italian version, the methods of indicating data retention periods, legal bases, transfers outside the EU, and the process of de-identification of personal data. The Company also announced, in a spirit of cooperation with the Authority and in accordance with the principle of accountability, an imminent further update to the privacy policy. Regarding the alleged failure to comply with transparency obligations and the right to object to processing by European data subjects, particularly Italians, regarding the personal data used in the pre-training activities of the proprietary LLMs underlying Chararacte.AI, the Data Controller highlighted the legal uncertainty surrounding the application of data protection legislation in the context of artificial intelligence services at the time of the company's incorporation (November 2021) and the start of its operations (September 2022) and declared that it had ceased all pre-training of its LLMs ... OMISSIS. On the merits, the Data Controller stated that the presence of personal data within the training datasets, "generally consisting of large-scale, open-source third-party data collections," publicly available datasets commonly used in the industry, must be considered incidental and the related processing unintentional. It also stated that in the specific case, the exception under Article 14, paragraph 1, of the GDPR would apply. 5 of the Regulation (impossibility or disproportionate effort in communicating information) and, in any case, to have complied with the obligations set forth in Article 14 of the Regulation by publishing updates on its blog, in the Help Center, and on forums hosted by third-party websites (e.g., Reddit and Discord). Regarding the right to object, the Company reiterated i) that, starting with the official version of the Service launched in 2023, even non-users have had the opportunity to object to the processing of their personal data by sending a request (ticket) via the Help Center or by email to the address indicated in the privacy policy (dated October 23, 2023) and ii) that the Office's further arguments on this point cannot be accepted as they refer to Opinion No. 28/2024 of the European Data Protection Board (hereinafter "EDPB"), adopted after the pre-training process and therefore not applicable retroactively. Regarding the contested failure to adopt an appropriate age verification system, after arguing that the Regulation does not impose a specific legal obligation to verify the age of users and that such verification must be implemented on the basis of a risk-based assessment, the Company stated that the initial adoption of a neutral age gate was in line with the state of the art at the time (October 2023) in the technical and regulatory context of generative artificial intelligence and the subsequent introduction (November 2025) of a multi-level age assurance system is to be considered in line with subsequent industry practices, a sector which is still developing given that, to date, there is no single, binding technical standard. The Data Controller also emphasized that in November 2024, it implemented a dedicated version of the Service for minors, "designed to reduce the likelihood that minors will encounter or generate sensitive or suggestive content." This version is based on a dedicated LLM and features enhanced security measures such as limiting the number of available Characters, limiting interaction time, using more conservative content classifiers, and introducing a tool called "Parental Insight" that provides parental guardians with information on minors' activity on Character.AI. Finally, the Company noted that in November 2025, it excluded minors from participating in open conversations with Characters and implemented an age assurance system that combines a proprietary age prediction model developed by Character (which evaluates a combination of signals collected from user interactions with the Service) with a third-party age verification process. Third-party intervention is activated only if the internal system's findings are contested and consists of two phases: the user submits a selfie and, only if the user's age cannot yet be determined with sufficient reliability, an identity document (both data are retained for only seven days). Regarding the disputed late preparation of the data protection impact assessment, after arguing that the obligation to prepare a DPIA presupposes an assessment of the existence of a high risk to the rights and freedoms of natural persons and that the principle of accountability does not impose strict liability, the Company stated that it had conducted internal risk assessments gradually and using a multidisciplinary approach since the launch of the Service (September 2022) but that it formalized these assessments in a structured form in a DPIA only following the Authority's first request for information (November 8, 2024). The document was subsequently updated in February 2025 and September 2025. Finally, regarding the contested late designation of a representative in the European Union pursuant to Article 27 of the Regulation and, subsequently, the lack of valid online contact information, the Company argued that it had no obligation to designate until May 31, 2025 (the date of VeraSafe's appointment) because, in the prior period, its processing activities fell within the exemption under Article 27, paragraph 2, of the Regulation, as the processing was occasional and did not pose a probable risk to the rights and freedoms of natural persons, given that the EEA market was not a priority compared to Character's commercial activities. Regarding the malfunctioning VeraSafe contact link, the Data Controller argued that it was due to a "minor material error in the hyperlink," which, as such, had no impact on the substance and accessibility of the information, which has since been corrected, including in the privacy policy. From a subjective perspective, in its defense brief, Character argued that the initiation of the proceedings does not demonstrate that the alleged violations were committed intentionally or negligently, as required by the Court of Justice of the European Union in its ruling of December 5, 2023, Case C-807/21. For its part, the Data Controller considered that there was no evidence of intentional or negligent conduct because, when it began offering its Service to users in the EEA, it "promptly adopted measures to improve its data protection practices." Finally, in its brief dated March 31, 2026, Character identified and argued all mitigating factors, specific to each individual charge (which overlap with the general mitigating factors listed below, with the exception of the adoption of measures to mitigate the damage suffered by the data subjects – Article 83, paragraph 2, letter c, of the Regulation – with reference to the second, third, and fifth charges and the absence of any concrete damage to the data subjects – Article 83, paragraph 2, letter a – with reference to the first and fourth charges) and general ones that the Authority should take into consideration when determining the amount of the fine, in the unlikely event of ascertaining the violations. In particular, the Data Controller emphasized, pursuant to and for the purposes of Article 83, paragraph 2, letter a), f. of the Regulation, its constant and full cooperation with the Authority throughout the entire investigation phase, a collaboration that has served as a catalyst for improving and strengthening practices and measures to protect personal data, especially that of minors; pursuant to and for the purposes of Article 83, paragraph 2, letter a. of the Regulation, the limited duration of the violations; pursuant to and for the purposes of Article 83, paragraph 2, letter b. of the Regulation, the absence of malicious nature of the violations; pursuant to and for the purposes of Article 83, paragraph 2, letter e. of the Regulation, the absence of previous violations; pursuant to and for the purposes of Article 83, paragraph 2, letter k. of the Regulation, the absence of financial benefits resulting from the violations. Character also provided the requested information regarding its annual worldwide turnover for 2025. During the hearing, requested pursuant to Article 166, paragraph 6, of the Code and held on April 15, 2026 (see minutes, file no. 60939/26), the Company's General Counsel illustrated the characteristics of the Service and clarified that Character must still be considered a start-up as it employs ... OMISSIS people and operates in a highly competitive market with high operating costs. The Company's lawyers emphasized Character's spirit of loyal cooperation with the Authority, as well as its gradual, constant, and progressive commitment to compliance with the Regulation, despite the uncertain technical and legal framework, both with regard to generative artificial intelligence and age verification systems. In a note dated April 30, 2026 (ref. no. 71632/26), to resolve the reservation made during the hearing, the Data Controller provided the exact address of VeraSafe and a copy of the February 2023 privacy policy. It also specified that the number of daily active users in Italy is … OMISSIS, a number calculated based on the most recent data and the connection IP address (Italian) (the Company does not require users to indicate their country of residence). Regarding the processing of personal data of EEA users for post-training purposes, Character stated that this processing activity, … OMISSIS. Finally, regarding the current processing of personal data used for LLM pre-training, Character reiterated that the last processing activity took place in … OMISSIS. With a note sent on June 10, 2026 (ref. no. 88645/26), the Company announced that it had notified Italian users of the update to its privacy policy (announced during the hearing), which provides clearer and more detailed information "regarding the Company's practices and the legal bases applicable to the processing performed, also to address the observations made by the Italian Data Protection Authority during the proceedings." The latest version of the privacy policy and the related regional supplement will enter into force on July 1, 2026. 3. AUTHORITY'S ASSESSMENTS 3.1 European Jurisdiction and Competence of the Italian Data Protection Authority First, the Italian Data Protection Authority deems it appropriate to briefly address the issues relating to the applicability of European data protection legislation to the processing operations related to the Service offered by the Company and the competence of the Italian Data Protection Authority, even if not disputed by the Data Controller. Article 13 of Legislative Decree no. Article 3 of the Regulation governs the conditions for the territorial application of its provisions. The first paragraph establishes the criterion of "establishment" and the second, in the case of controllers not established in the European Union, the criterion of targeting. This criterion, in turn, is divided into two scenarios: 1) offering goods or services to data subjects located in the Union, even free of charge, or 2) monitoring the behavior of such data subjects to the extent that such behavior occurs in the Union (see, in this regard, the Guidelines of the European Data Protection Board (hereinafter "EDPB") No. 3/2018 on the territorial scope of the Regulation). Given that the Service has been available in Italy since at least 8 April 2024, the date on which, as stated by the Company during the hearing, the beta version of the Service was discontinued (released on 16 September 2022 in web mode and on 23 May 2023 in app mode) and the top-level domain www.character.ai was launched with the new web version of the service, also in Italian, and that the privacy policy of 25 October 2023 also addressed residents of the EEA area, the Authority considers that European jurisdiction exists, pursuant to Article 3, paragraph 2, of the Regulation. In particular, in the present case, the targeting criterion referred to in Article 3, paragraph 2, letter a) of the Regulation applies. a) of the Regulation, i.e., the offer of goods or services to data subjects in the Union, as the Character AI service is freely available to users located in the European Union, and specifically in Italy, as of April 8, 2024. Considering that the jurisdiction established pursuant to Article 3, paragraph 2, of the Regulation entails a derogation from the one-stop-shop mechanism (Article 56 of the Regulation applies only in cases where the controller has a sole or main establishment in the EU), the competence to exercise the powers referred to in Article 58 of the Regulation lies independently with each European supervisory authority (see EDPB Guidelines No. 8/2022 on the identification of the lead supervisory authority in relation to a specific controller or processor, paragraph 49). Based on these considerations, European jurisdiction and the competence of this Authority are therefore clearly established. 3.2. Breach of Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation The Office charged Character with violating Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation for failing to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations carried out through the Service. Article 12 and Recital 58 of the Regulation require that information intended for the public or the data subject must be concise, easily accessible, and provided in clear and plain language. Pursuant to Articles Pursuant to Articles 13 and 14 of the Regulation, the controller who collects personal data from the data subject or from third parties is required to provide specific information regarding a series of elements characterizing the intended processing. As specified in the transparency guidelines adopted by the Article 29 Working Party on April 11, 2018, and endorsed by the EDPB at its Plenary Session on May 25, 2018 (WP 260 guidelines), the principle of transparency is not legalistic and is embodied in specific information obligations set out in Articles 12 to 14 of the Regulation (see paragraph 4); This information must be provided to the data subject “before or at the beginning of the data processing cycle, that is, when the personal data are collected from the data subject or otherwise obtained” (this requirement is also confirmed in the EDPB Guidelines No. 2/2019 on the processing of personal data pursuant to Article 6, paragraph 1, letter b), of the Regulation in the context of the provision of online services) and in the event of significant changes to the processing (see paragraph 5). The same guidelines further clarify that: i) information should be concrete and specific, and should not be couched in abstract or ambiguous terms or leave room for multiple interpretations, particularly with regard to the purposes and legal basis for processing personal data (see section 12); ii) if the controller chooses to use vague language, in accordance with the accountability principle, the controller should be able to demonstrate why such language is unavoidable and why it does not compromise the fairness of the processing (see section 13); iii) information provided to data subjects should not contain excessively legalistic, technical, or specialized language or terminology (see section 13); (iv) the information should be translated into one or more languages if the data controller addresses data subjects who speak different languages (such as a website in a given language). If translated, the data controller should ensure that all translations are accurate and the phraseology and syntax are comprehensible, so as not to force the reader to decipher or reinterpret the translated text (see section 13). In light of the principles, regulatory provisions, and the interpretation thereof provided by the EDPB (it should be noted that the guidelines of the European institutions and bodies have been recognized as soft law by the Court of Justice of the EU, in its ruling of July 15, 2021, in case C-911/19), the Authority considers the alleged violation to have occurred with reference to and limited to the following aspects. Regarding the privacy policy dated October 25, 2023, in force until August 27, 2025, in relation to: - its availability exclusively in English from April 8, 2024 (the date of the release of the Service in Italian) until August 27, 2025 (the date of the subsequent version, also available in Italian). On this point, the Authority believes that, in light of the aforementioned interpretation provided by the EDPB in the transparency guidelines, the defense argument that the translation into Italian was unnecessary because average users of the Service are accustomed to accessing services and materials provided primarily in English cannot be accepted; - the unclear indication of the data subjects' right to exercise the right to object, pursuant to Article 21 of the Regulation, with reference to processing operations that, based on the legal bases set out in Article 6, paragraph 1, letter b), are not sufficiently based on the purposes for which they are processed. Articles 27(e) and (f) of the Regulation legitimize the exercise of the opt-out. In this regard, the Authority notes that the defense argument that both users and non-users could, as of October 2023, exercise their rights through a ticketing system is irrelevant, as ensuring the effectiveness of the right to object is a legal issue that concerns the substantive protection of this right and not the obligation to provide information regarding the procedures for exercising it; - the failure to indicate the representative in the European Union pursuant to Article 27 of the Regulation in the period after April 8, 2024 (date of release of the Service in Italian) and until August 27, 2025 (date of the subsequent version of the privacy policy). In this regard, the Authority does not share the defense's assumption that, at the material time, the derogation pursuant to Article 27(e) was applicable. 2 of the Regulation, as the possibility that this was an occasional processing of personal data is clearly ruled out by the dual circumstance that the privacy policy was also addressed to users in the EEA (see point 6 regarding Regional Privacy Disclosures) and the Service has been offered in Italian since April 8, 2024; - the misleading and inaccurate indication regarding the processing of personal data of users in the EEA for post-training purposes of the LLM programs underlying the Service; specifically, from the text of the privacy policy, Italian users could have assumed that their personal data was being used for this processing (at least since the launch of the Service in Italy). Recalling the EDPB's interpretation that the information provided to data subjects must be concrete and certain, the Authority rejects the defense's argument that the origin of data subjects involved in post-training activities is irrelevant, especially given that such processing, which is expected for users in the EEA starting from ... OMISSIS, had not yet begun as of ... OMISSIS. Regarding the privacy policy of August 27, 2025, including the regional information notice for the EEA to which it refers: - linguistic inaccuracies in the Italian version render the text unintelligible and misleading with respect to the information the Company intends to provide. In this regard, given the EDPB's interpretation that information to data subjects should not contain excessively legalistic, technical, or specialized language or terminology, the Authority accepts the defense's argument that some terms used in the translation, although not consistent with European legal vocabulary, are nevertheless easily and commonly understood. However, given that the translated text must be clear and not misleading with respect to the substance of the processing performed, it is believed that a violation still exists in relation to the following phrases: i) in the "information you provide us directly" section, inferences are indicated "such as preferences based on account settings or feedback on the Services," where the term "inference" refers to personal data not collected directly from the data subject, resulting in a significant material impact on the actual processing performed; ii) in the information dedicated to the European region, with reference to the information according to which the data subject has the right "to lodge a complaint with the competent supervisory authority", the generic term "complaint" rather than the technical-legal term "complaint" is misleading as the meaning of the term complaint is now well-known and has entered common parlance with the consequence that its absence could negatively interfere with the effective exercise of rights by data subjects (the same term used in reference to the prior request to the data controller is, on the contrary, not a harbinger of misunderstandings); iii) the classification of "login credentials" and "personal communications received or sent" as sensitive information does not preclude the need to clarify, where appropriate, the difference between this type of data and the special categories of data referred to in Articles 9 and 10 of the Regulation; - failure to indicate, with reference to the transfer of data processed outside of Europe, the non-EU countries to which the data could be transferred that would not be "able to ensure an adequate level of protection of personal data under local law" and the adequacy decisions or appropriate or suitable safeguards referred to in Chapter V of the Regulation adopted. On this point, the Authority disagrees with the defense arguments and reiterates that, given that the information provided must be concrete and certain, the use of probabilistic verbs ("your information may be stored and processed in the United States and in other countries outside the United States"), even in the conditional ("which may have data protection laws different from those of your country, and the data may be accessible from (part of law enforcement and national security authorities in certain circumstances) does not comply with European legislation; - misleading indication regarding the concept of anonymous data, connected to the impossibility of de-identifying them "except for the purpose of confirming that they are de-identified." The Authority acknowledges that this term, as clarified during the hearing, derives from the US concept of the anonymization procedure, but notes that its meaning is different from the European one and is therefore unclear to Italian data subjects. Referring to both versions of the privacy policy, the information provided to data subjects regarding the retention period and the categories of personal data processed with respect to the corresponding legal bases and the specific purposes of the processing remains lacking, even after careful examination of the Data Controller's defense. Regarding the first gap, the Authority does not agree with the defense argument that the generic wording used is in line with industry practice: linking retention periods to the purpose of the processing is, in fact, not compliant with the A regulatory provision that requires the precise specification of retention periods or, in their absence, the criteria used to determine such periods. Furthermore, in this case, as further explained below, in both the October 25, 2023, and August 27, 2025, versions of the privacy policy, the purposes are not associated with the specific categories of data processed, meaning that data subjects are unable to know which data is being processed, for what purpose, and for how long. Furthermore, the phrase "unless the law provides for a shorter retention period" is excessively general and unacceptable if only the retention periods were determined with reference to the specific categories of data processed. Finally, the indication that at the end of the retention period, the information "may" be deleted or aggregated reflects the use of probabilistic terminology that conflicts with the need for the information to be concrete and certain. Regarding the lack of specific information for each category of personal data processed, the corresponding legal bases, and the purposes of processing, the Authority notes that the EDPB guidelines explicitly require that information provided to data subjects not be formulated in abstract or ambiguous terms or be open to multiple interpretations, particularly with regard to the purposes and legal basis for processing personal data. The legal bases and purposes of processing cannot be described in the abstract; they must be described with reference to and in correlation with the specific categories of data processed. Furthermore, the defensive assumption that specifying multiple legal bases for the same processing purpose enhances transparency must be entirely rejected. On the contrary, the legal basis must be single and clearly communicated to data subjects, as it impacts their rights under the Regulation. For example, processing for personalized advertising purposes cannot, as indicated in the privacy policy of August 27, 2025, be based on both the legal basis of legitimate interest pursuant to Article 6, paragraph 1, letter f), of the Regulation and the consent basis pursuant to Article 6, paragraph 1, letter a), of the Regulation. Likewise, processing for the purpose of authenticating account credentials cannot be lawful based on both the contractual legal basis pursuant to Article 6, paragraph 1, letter b), of the Regulation and the legitimate interest basis. The Data Controller's argument, supported in the response to the second request for information (… OMISSIS), according to which this approach reflects the need to reconcile information obligations with different jurisdictions, is also unconvincing on this point. In this regard, the Authority notes that the multi-legal basis approach has also been adopted in the regional information notice dedicated to the EEA area where the Regulation applies, a single and harmonized regulation, and where, therefore, it is not conceivable that the same processing could have different legal bases. To the extent and within the limits of the above, the Authority therefore believes that Character has violated Articles 12, paragraph 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation by failing to provide, both in the privacy policy dated October 23, 2023, and in the updated privacy policy dated August 27, 2025, clear, intelligible, and complete information regarding the various processing operations performed through the Service. For the sake of completeness, the Authority acknowledges that the Company, during the hearing, stated that it had adopted a very initial privacy policy in February 2023 in relation to the beta version of the Service, available at the subdomain http://beta.character.ai, a version not offered to Italian users, and that the text of this policy was submitted to the Office together with the notice dated April 30, 2026. The Authority also notes that the Company has i) amended the privacy policy several times in response to and in accordance with significant changes in processing, ii) spontaneously communicated to the Authority the adoption of the third version of the privacy policy on July 29, 2025, and iii) announced, during the hearing, the imminent publication of a new, further updated version of the privacy policy, which was, in fact, adopted effective July 1 and a copy was sent to the Office on June 10, 2026. The latest version of the privacy policy has incorporated some of the critical issues outlined above, and the The text of the privacy policy has been amended accordingly. In particular, the Italian translation has been revised using clearer, more intelligible language that reflects the substance of the processing performed: specifically, i) the improper term "inferences" has been eliminated; ii) the term "complaint" has been replaced with "claim" and the term "divulge" has been replaced with "share" or "communicate," depending on the circumstances; iii) the term "sensitive data" has been better defined and defined, and a specific reference to the processing of special categories of personal data has been inserted separately. In general, the use of uncertain verbs in the conditional tense, such as "could" / "could," has been eliminated. The latest version of the privacy policy associates each category of personal data with the corresponding legal basis and related processing purpose and introduces changes to the description of personal data retention periods and data transfers to non-EU countries. Finally, the updated version of the regional supplement contains a reference at the beginning to the processing of personal data for post-training purposes for the LLM programs supported by the Service, without, however, distinguishing between users in the EEA and users residing in the U.S. 3.3 Violation of Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 4, of the Regulation The Office charged Character with violating Articles 14, paragraphs 1 and 2, and 21, paragraphs 1 and 4, of the Regulation for failing to provide adequate information to Italian data subjects regarding the pre-training activities of the proprietary LLM programs supported by the Service, as well as to establish appropriate mechanisms to allow them to exercise their right to object. Article 14 of the Regulation prescribes the information that the data controller is required to provide to the data subject to ensure fair and transparent processing when the personal data have not been obtained from the data subject. Recitals 60 and 61 of the Regulation state, respectively, that the "principles of fair and transparent processing require that the data subject be informed of the existence and purposes of the processing" and that "the data subject should receive information relating to the processing of personal data concerning him or her at the time of collection from the data subject, or, if the data are obtained from another source, within a reasonable period, depending on the circumstances of the case." Article 21(1) and (4) of the Regulation provide that the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her pursuant to Article 6(1)(e) or (f), and that the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject. The right to object must be explicitly brought to the data subject's attention and presented clearly and separately from any other information at the latest at the time of the first communication with the data subject. The EDPB Transparency Guidelines cited above clarify that transparency obligations apply to the controller before or at the beginning of the data processing cycle, i.e., when the personal data are collected from the data subject or otherwise obtained (see section 5). These guidelines also provide that, if the controller intends to rely on the exception under Article 14(5)(b) of the Regulation because providing the information would involve a disproportionate effort, it should balance the effort required against the impact of the failure to provide the information on the data subject and document this assessment in accordance with accountability requirements. If it is deemed impossible or significantly difficult to communicate the information, the controller must take appropriate measures to protect the data subject's rights, freedoms, and legitimate interests, such as making the information public, for example, by publishing it on its website (see section 64). With regard to the requirement of legitimate interest and the right to object, EDPB Guidelines No. 1/2024 on the processing of personal data based on Article 6(1)(f) of the Regulation reiterate that the data subject has the right to object to such processing in the manner and within the timeframe set out in Article 21 of the Regulation (see section 71). Finally, the EDPB, in Opinion No. 28/2024, states that, where the controller processes personal data in the context of artificial intelligence models based on the legitimate interest, it is required to guarantee the right to object pursuant to Article 6(1)(f) of the Regulation. 21 of the Regulation (see paragraph 65). The aforementioned opinion categorizes the different processing phases that affect the lifecycle of artificial intelligence models, namely the development phase and the deployment phase. The development phase includes all the phases preceding the deployment of the model, including code development, collection of personal training data, pre-processing of training data, and training itself. Regarding the development phase, with particular reference to technical measures, the EDPB specifies that, to mitigate the risks arising from the processing of first- and third-party data, the controller should "offer, from the outset, the possibility of unconditional 'objection,' for example by providing data subjects with a discretionary right to object before the processing takes place, in order to strengthen the control individuals have over their data, which goes beyond the conditions set out in Article 21 of the GDPR" (see paragraph 102). The violations contested by the Office in the document initiating proceedings pursuant to Article 166 of the Code concern the processing operations carried out by the Company with reference to the personal data of data subjects located in the European Union for the purposes of pre-training the proprietary LLM programs and therefore for their development. During the investigation, in response to the Office's second request for information, the Data Controller declared that it had fulfilled its transparency obligation towards the individuals whose data had been processed for the aforementioned purpose, providing them with information regarding the development phase of its proprietary LLMs through its privacy policy dated October 25, 2023, to the extent that it "described the processing activities and included a section dedicated to both users and non-users residing in the European Economic Area—including Italy—in which the main elements of the processing were indicated," as well as in various public forums hosted on third-party websites (for example, a public Reddit community created on August 26, 2022, and an official Discord server created on September 7, 2023). This position was reiterated in the defense brief pursuant to Article 166, paragraph 1, of the Italian Civil Code. 6 of the Code, in which the Company noted that in recent years—though without providing specific timeframes—it has updated its Terms of Service and Community Guidelines and encouraged feedback on the quality of its models via its Blog. In this regard, the Authority notes that: - the privacy policy of October 25, 2023, refers exclusively to processing activities related to the model dissemination phase, i.e., post-training of the LLMs. Indeed, in the "How We Use the Information We Collect" section, users are informed that their data may be processed to "Analyze, maintain, improve, modify, customize, and measure the Services, including to train our artificial intelligence/machine learning models." Consequently, contrary to the Company's assertions, the information, on the one hand, provides no information regarding processing related to pre-training activities of proprietary LLMs and, on the other, is intended only for users of the Service. To confirm that the privacy policy in question was addressed exclusively to users, the following references are included: "By using the Services, you agree to the practices described in this Policy," and "When you access or otherwise use our Services, we may collect information from you." - Updates on public forums hosted on third-party websites cannot be considered suitable information tools under the Regulation. The cited documentation cannot, in fact, satisfy the transparency obligation that the European legislator has established in the manner provided for in Articles 12, 13, and 14 of the Regulation. Without such documentation, it cannot be demonstrated, even by the Data Controller under an accountability regime, that data subjects, especially non-users, were able to access such documents and, through them, gain knowledge, in particular, of the right to object guaranteed to them by European law. - The collection of feedback on the quality of the LLMs, like the documents mentioned above, refers only to users and the use (or, more precisely, dissemination) phase of the models, as confirmed by the hyperlink provided by the Company in its response to the second request for information, which directs to a page addressed only to users and is intended to improve the Characters, certainly not to meet the transparency requirement under personal data protection legislation. The Authority also deems the additional defense arguments presented by the Data Controller in the brief pursuant to Article 166 of the Code unacceptable. Regarding the assumption that there is no disclosure obligation regarding the processing of personal data for pre-training purposes, as such operations "may not have involved the processing of personal data" because they are based on publicly available datasets found on the Internet, consisting of data collected by third parties, on a large scale, open source, and used according to industry practices in the development of LLMs, the Authority notes that verifying the presence or absence of personal data in the training datasets is the primary responsibility of the data controller pursuant to the principle of accountability. To argue, purely hypothetically, that the training datasets may not have contained personal data is to admit that there was no effective verification of the presence or absence of personal data in the training datasets, a failure for which the Data Controller must assume full responsibility. Likewise, the argument that Character did not intentionally process personal data during the development phase of its LLMs pertains only to the subjective element of the conduct and not to its objective characterization. Regarding the final defense argument, regarding the applicability, in this case, of the exception under Article 14, paragraph 5, letter b), of the Regulation, the Authority notes that the impossibility or serious difficulty in communicating information to data subjects, while requiring a specific and documented assessment, does not relieve the controller from the obligation to adopt appropriate measures to protect the rights, freedoms, and legitimate interests of data subjects by otherwise disclosing the necessary information, as expressly outlined in the EDPB transparency guidelines cited above. Regarding the failure to implement opt-out mechanisms, the Authority believes that the Data Controller's defense arguments allow it to overcome the Office's assessments in the dispute. Although it is proven, based on the statements provided in response to the second request for information, that the Company carried out the processing activities aimed at pre-training its proprietary LLMs based on legitimate interest and without informing data subjects of how to exercise their right to object, it should be noted, however, that the specific obligation to provide ad hoc opt-out mechanisms that allow data subjects to object in advance and without stating a reason to this type of processing, pursuant to Article 21 of the Regulation, stems from an interpretation provided by the EDPB in Opinion No. 28/2024. Specifically, the EDPB recommended that data controllers adopt measures that facilitate the exercise of individual rights, including providing data subjects with the possibility of unconditional objection before the processing takes place, in order to strengthen the control individuals have over their data (see paragraph 102.b). This recommendation goes beyond the wording of the regulatory provisions referred to in the combined provisions of Articles 14 and 21 of the Regulation and constitutes a sort of authentic interpretation of the aforementioned provisions arising from the need to adapt the legislation to technological, social, and legal changes related to the implementation of generative artificial intelligence services. Given that the aforementioned opinion was adopted on December 17, 2024, the Data Controller agrees that the recommendations contained therein cannot be applied retroactively, particularly with respect to the pre-training of proprietary LLMs conducted by Character prior to that date. The Authority also acknowledges the circumstance, which emerged during the investigation and was specifically clarified in a note dated April 30, the accuracy of which the Data Controller assumes full responsibility for, that "the last processing of personal data for the purposes of pre-training its proprietary model took place in ... OMISSIS, and therefore prior to the adoption of Opinion No. 28/2024 by the EDPB." Finally, the Authority notes that in its defense brief, Character confirmed what it had already stated in its response to the second request for information regarding the fact that both users and non-users had the opportunity, starting from the launch of the Service in 2023, to exercise their rights, including the right to object, through a ticketing system (i.e., by sending a ticket to the Help Center through the "GDPR request" section) or by sending a request to an email address indicated in the privacy policy. In conclusion, regarding the processing activities aimed at pre-training its LLMs Owners, the Authority believes that Character has violated Article 14, paragraphs 1 and 2 of the Regulation by failing to provide adequate information to Italian data subjects regarding such processing operations, but not Article 21, paragraphs 1 and 4 of the Regulation, given that the exercise of the right to object should not, prior to December 17, 2024, have been guaranteed by the Data Controller in accordance with the procedures set out in EDPB Opinion No. 28/2024. For completeness, the Authority notes the cessation of the processing of personal data for the purposes of developing proprietary LLMs as of ... OMISSIS, as a consequence of ... OMISSIS. 3.4 Violation of Articles 24, paragraph 1 and 25, paragraph 2 of the Regulation The Office has charged Character with violating Articles 24, paragraph 1 and 25, paragraph 2 of the Regulation by failing to adopt measures Appropriate technical and organizational measures, by default, regarding the processing of data of minors prior to the implementation of a neutral age gate mechanism (November 2024) and of minors under 16 years of age for the period following such implementation, at least until April 8, 2025. Article 24, paragraph 1, of the Charter of Fundamental Human Rights establishes that minors have the right to the protection and care necessary for their well-being. Paragraph 2 of the same provision states that in all actions taken by public authorities or private institutions, the best interests of the child must be a primary consideration. The same principle is enshrined in Recital 38 of the Regulation, which states: "Children deserve specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards for them, as well as of their rights in relation to the processing of personal data." European data protection legislation requires data controllers to adopt appropriate technical and organizational measures to effectively implement data protection principles and to integrate the necessary safeguards into the processing to meet the requirements of the Regulation and protect the rights of data subjects. Pursuant to Article 24(1) of the Regulation, data controllers are required to implement, and update, where necessary, appropriate technical and organizational measures to ensure that processing is performed in accordance with the Regulation, taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Pursuant to Article 25(1) of the Regulation, data controllers are required to implement, and update, if necessary, appropriate technical and organizational measures to ensure that processing is performed in accordance with the Regulation, taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. 2 of the Regulation, the controller must, by default, implement technical and organizational measures to ensure that only personal data necessary for each specific processing purpose is processed. The EDPB clarified, in Guidelines No. 4/2019 on Data Protection by Design and by Default, that "the core of the provision [Article 25 - editor's note] is to ensure adequate and effective data protection by design and by default, meaning that controllers should be able to demonstrate that they incorporate appropriate measures and safeguards into their processing to ensure the effectiveness of the data protection principles and the rights and freedoms of data subjects" (see paragraph 2). In its recommendations, it also called on controllers to take into account, when designing and configuring data processing with a privacy-oriented approach, the obligations to provide specific protection to minors and other vulnerable groups (see paragraph 96). Character, in its responses to the second and third requests for information, as well as in its defense brief and at the hearing, specified that it has implemented the following progressive measures to verify the age of minors and protect them: - in October 2023, adoption of a neutral age verification mechanism during registration, requiring new users to declare their date of birth to access the Service; for users under 16 years of age residing in the EEA, this mechanism prevents the creation of an account; if the age gate is not passed, ... OMISSIS; - in November 2024, application of the aforementioned age gate mechanism to all users who had registered for the Service prior to its adoption; - In November 2024, implementation of a separate LLM dedicated to underage users to create a different experience for these vulnerable users when using the Service, designed to reduce the likelihood that minors will encounter or generate inappropriate content (limited Personas, more conservative categorizers, notifications about and time spent online, more appropriate outcomes for minors); - In March 2025, introduction of the Parental Insight feature, which provides parents with a summary of the minor's interactions with the Service, including average daily usage time, time spent with each Persona, and the Personas with whom the most frequent interactions are found; - In November 2025 (February 2026 in Italy), elimination of the ability for minors to have open conversations with Personas; - By November 2025, implementation of an advanced age assurance system during use of the Service. This system combines a proprietary age prediction model (which verifies the accounts of users who self-declared themselves as adults using data collected from interactions with the Service) with a verification process entrusted to the third-party provider Persona (a second-level verification that is activated only if the model indicates that the user is likely a minor, with the user immediately being transferred to the Service dedicated to minors under 18). The third-party's intervention is subject to a user's complaint and consists of two phases: a request to the user to send a selfie and, only if the user's age cannot yet be determined with sufficient reliability, a request to send an identity document (in both cases, the data is retained for seven days). Technical checks conducted by the Office regarding the creation of an account on the web version of the Service on April 8, 2025 (ref. no. 349/25) revealed the following circumstances: - In the event of registration with a birth date of less than 13 years of age, the user is unable to create an account because the system, having detected the anomaly, prevents access and automatically redirects the user to the homepage; - … OMISSIS; - In the event of access to the Service by a person who identifies as a minor, the Service is available in Italian and the user's profile is set to public; the minor user is given the option, but not the obligation, to enter the email address of a person exercising parental responsibility for the sending of weekly statistics on their activity, excluding the content of private chats; - In the event that a person declaring themselves an adult accesses the Service, the Service is available in Italian, the profile is public, there is no option to involve a person with parental responsibility, and the recommended content appears, prima facie, different from that displayed if a minor accesses the Service. The Authority notes first of all that, as of the date of the technical review (April 8, 2025), the age gate mechanism implemented by the Company to prevent access to the Service by minors under 16 years of age located in Europe, specifically in Italy, was found not to be compliant with the Data Controller's declarations. On the one hand, the ... OMISSIS did not work, and on the other, it was possible for a potential Italian user who self-declared himself as a fifteen-year-old (and therefore under 16) to register for the Service. In its defense, the Data Controller did not provide any justification for these factual findings. On the contrary, its defense was purely legal. The Company argued that the Regulation does not impose a "general and autonomous obligation on data controllers to confirm or verify the age of each user through rigorous identification mechanisms," that there is currently no harmonized and binding European standard for verifying the age of users when accessing and using online services, and that Article 25 cannot be interpreted "as requiring the implementation of an identity check in the absence of a specific legal obligation," an interpretation that "would effectively create a new substantive obligation not provided for by the GDPR, while Articles 24 and 25 cannot be used to impose obligations that the legislator has not foreseen." In this regard, the Authority agrees that Articles 24 and 25 of the Regulation do not oblige data controllers to adopt specific age verification measures (which, as correctly pointed out, have not yet been developed at the European level), but notes that these provisions oblige data controllers to adopt adequate measures to ensure that processing is carried out in compliance with the Regulation. In other words, the fact that a harmonized and binding standard for age verification does not yet exist does not exempt a data controller, in this case Character, from adopting appropriate measures (and demonstrating their adequacy), taking into account the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. It is also noted that the Office's verification revealed that the profile of the alleged minor user who registered with the Service was set, by default, to public. This circumstance violates EDPB Guidelines No. 4/2019, which states that "making personal data available to an indefinite number of individuals could lead to even broader disclosures than initially intended, which is particularly relevant in the context of the internet and search engines; therefore, controllers should, by default, give data subjects the opportunity to intervene before personal data are made publicly available on the internet. This is particularly important in the case of minors and vulnerable groups" (see paragraph 57). The EDPB, in its binding decision no. 2/2023, regarding the dispute lodged by the Irish supervisory authority against TikTok Technology Ltd., stated that: "Although Article 25(1) of the GDPR does not require the implementation of specific technical and organizational measures and the controller has discretion in choosing the measures and safeguards, the measures and safeguards chosen by the controller must be designed to be robust, taking into account the risks associated with the processing. The EDPB considers that, pursuant to Article 25(1) of the GDPR, the requirement of adequacy is therefore closely linked to the requirement of effectiveness. Whether or not the measures chosen by the controller are appropriate in a specific case depends on the assessment of the elements listed in Article 25(1) of the GDPR" (see paragraph 180). Applying this principle to the case at hand, based on the partially overlapping parameters set forth in Articles 24 and 25, paragraph 2, of the Regulation, the Authority notes the following. Regarding the nature, scope, context, and purpose of the processing, it is noted that, in the case at hand: i) the processing of minors' personal data is related to the provision of a service that, although not specifically aimed at minors, is widely used by them due to its intrinsic characteristics; ii) the technical assessment revealed that, in a registration attempt, the stated age limit of sixteen for entry into the EEA was not met; iii) the technical assessment revealed that the account of a supposedly minor user who registered for the Service was public by default; and iv) until November 2025, conversations with the Personal Data Subjects were also open. Regarding risks of varying likelihood and severity for the rights and freedoms of natural persons, it is noted that, as correctly acknowledged by the Company itself in its defense brief, the data controller must assess the adequacy of the age verification measures to be adopted based on the concept of risk. In this regard, the aforementioned Guidelines No. 4/2019 establish that the data controller is responsible not only for identifying risks to the rights of data subjects but also for determining their likelihood and severity in order to adopt appropriate measures to effectively mitigate the identified risks (see paragraph 30). In this case, the Authority first notes that Character conducted a risk assessment of the use of the Service by minors only in the version of the DPIA updated to September 30, 2025, attached to the response to the second request for information (there is no trace of this in the DPIA of November 14, 2024). The aforementioned DPIA details the measures described above and the fact that the Company has collaborated with several online safety experts for adolescents to ensure that the experience for minors is designed with safety as a top priority (among the experts, ConnectSafely, an organization with twenty years of experience in educating individuals on online safety, privacy, protection, and digital well-being). ... OMISSIS. The Authority acknowledges the assessment conducted by the Company in the DPIA of September 30, 2025, and believes that the age gate system based on a simple self-declaration, applied in combination with the age assurance system adopted during the use of the Service, as well as the additional security measures for limiting content and interactions implemented in November 2025, allow it to consider a level of protection adequate to the identified risks to be achieved, ensuring that personal data processing is proportionate to the offering of the Service (including to minors), while respecting the rights and primary interests of minors. The above-mentioned DPIA and the data controller's defense arguments, however, do not overcome the assessments made by the Office in the dispute with regard to the age gate system in the period between April 8, 2024 (the date of release of the service in Italy) and November 2024 (the month in which the age gate was applied to all registered users and a specific version of the Service dedicated to minors was implemented), as well as with regard to Italian users under the age of sixteen even after such implementation, at least until April 8, 2025, the date on which the Office ascertained the failure of certain age gate measures, specifically the European age threshold of sixteen and the ... OMISSIS. The Company's failure to adopt appropriate measures to safeguard access to and use of the Service, and the partial failure of the measures subsequently implemented, as described above, resulted not only in the systematic processing of personal data beyond that actually necessary to achieve the purpose of the processing (offering the Service to users over sixteen years of age in the EEA), but also in the excessive processing of data relating to vulnerable individuals (minors, potentially as young as 13). These vulnerable individuals, due to the identified deficiencies, the innovative technology underlying the Service, and the sensitive nature of the conversations with Character.AI, were exposed to a particularly high risk. News reports of self-harm by minors in connection with interactions with artificial intelligence chatbots, ... OMISSIS, support the Office's findings. In conclusion, the Authority believes that Character violated Articles 24, paragraph 1, and 25, paragraph 2, of the GDPR. 2 of the Regulation for failing to adopt adequate technical and organizational measures, by default, to verify age between April 8, 2024, and November 2024, as well as with regard to Italian users under the age of sixteen, between April 8, 2024, and April 8, 2025. For completeness, the Authority acknowledges that the Company has progressively increased measures to protect minors and vulnerable individuals and that, as reported during the hearing, the decision taken in November 2025 (effective in Italy from February 2026) to limit the ability of users under the age of 18 to participate in open conversations with Character AI characters represents a significant step towards protecting the privacy and safety of such users, bordering on counterproductive for the company's business in a highly shameless and competitive market. 3.5 Violation of Articles 5, par. 2 and 35 of the Regulation The Office charged Character with violating Articles 5(2) and 35(1) of the Regulation for having belatedly adopted, despite its obligation to do so, a data protection impact assessment (first version dated November 14, 2024, last updated on September 30, 2025). Article 5(2) of the Regulation establishes the principle of accountability, meaning the obligation for data controllers to demonstrate proactive behavior to demonstrate compliance with the Regulation based on the risk inherent in the processing. This risk must be assessed against the freedoms and rights of data subjects, which must be understood not only in relation to the right to data protection and the right to privacy, but also to other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, the prohibition of discrimination, and the right to freedom of conscience and religion. The key tool for assessing the risk impact of processing on the rights and freedoms of data subjects is the data protection impact assessment document referred to in Article 35 of the Regulation. Article 35 of the Regulation requires the data controller to conduct, prior to processing, an assessment of the impact of the envisaged processing on the protection of personal data where the processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. The EDPB, in its Guidelines on Data Protection Impact Assessments (DPIAs), adopted by the Article 29 Working Party on October 4, 2017, and validated at the first Plenary Session on May 25, 2028 (WP 248 Guidelines), clarified that "DPIAs are important tools for accountability as they support controllers not only in meeting the requirements of the GDPR, but also in demonstrating that appropriate measures have been taken to ensure compliance with the Regulation (see also Article 24). In other words, a DPIA is a process intended to ensure and demonstrate compliance." It further clarified, citing both the wording of Article 35 and Recitals 90 and 93 of the Regulation, that "DPIAs should be initiated as early as possible in the design phase of the processing operation, even if some of the processing operations are not yet known." With Order No. 467 of October 11, 2018, published in the Official Journal, General Series, No. 269 of November 19, 2018, the Authority approved the list of types of processing subject to the requirement of a data protection impact assessment, pursuant to Article 35, paragraph 4, of the Regulation, expressly including, in point 7, processing carried out through the use of innovative technologies, including artificial intelligence systems. In this case, the Data Controller submitted to the Office, together with the response to the first request for information, a data protection impact assessment (DPIA), which appears to have been drafted on November 14, 2024, and, together with the response to the second request for information, an update thereof, signed on September 30, 2025. In the DPIA dated November 14, 2024, the Company expressly declares that it has identified the need to conduct an impact assessment due to the use of generative artificial intelligence technology to provide the Service. In the November 14, 2024 version of the DPIA, as stated above, it appears that Character has not carried out any impact assessment regarding the risk associated with offering the Service to minors (which is present, however, in the September 30, 2025 version) and in both versions it appears that the Company has not carried out any assessment regarding the processing operations for the purposes of pre-training the proprietary LLMs, limiting itself to reporting that the LLMs have not been "pre-trained" on user conversations or data. In its defense brief, the Company emphasized that the obligation to conduct a DPIA exists only when the processing involves a high risk to the rights and freedoms of natural persons and, therefore, is not an automatic requirement but rather is linked to a risk assessment. It also argued that the fact that the first DPIA was formalized only in November 2024, following receipt of the Office's first request for information, "does not mean that a risk assessment had not been conducted before that date." The Authority notes that, in this case, the high risk to the rights and freedoms of natural persons must be considered presumed by virtue of the wording of Article 35 and its interpretation provided by the EDPB and the Garante in their respective documents cited above. In particular, in the aforementioned guidelines, the EDPB has identified nine criteria to be taken into account for the purpose of identifying processing operations that may present a "high risk": 1) assessment or scoring, including profiling and prediction, in particular taking into account "aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements"; 2) automated decision-making that produces legal effects or similarly significantly affects individuals; 3) systematic monitoring of data subjects; 4) sensitive data or data of a highly personal nature; 5) large-scale data processing; 6) matching or combining data sets; 7) data relating to vulnerable data subjects; 8) innovative use or application of new technological or organizational solutions; 9) when the processing itself "prevents data subjects from exercising a right or from availing themselves of a service or a contract": The EDPB has clarified that the existence of two or more of the aforementioned criteria indicates processing that presents a high risk to the rights and freedoms of data subjects and therefore requires a data protection impact assessment. However, it has added that, in some cases, "a controller may consider that processing that meets only one of these criteria requires a data protection impact assessment" (see Guidelines, pages 9-12). The list (not exhaustive, as the EDPB's guidance above remains valid) of the types of processing subject to the consistency mechanism and to be subject to an impact assessment, annexed to Decision No. 467 of 11 October 2018, adopted pursuant to Article 35, paragraph 1, of the GDPR, includes: 4 of the Regulation, the Garante expressly stated that an impact assessment is mandatory for processing operations carried out using innovative technologies (e.g., IoT; artificial intelligence systems; use of online voice assistants through voice and text scanning; monitoring performed by wearable devices; proximity tracking such as Wi-Fi tracking) whenever at least one of the other criteria identified by the EDBP is met. In this case, the Garante believes that Character should have conducted the impact assessment before the launch of the Service in September 2022, as the risk to the freedoms and rights of natural persons should be presumed to be high given that the processing involved the use of a particularly innovative technology such as generative artificial intelligence (a sufficient criterion in itself), large-scale data processing (for the development of proprietary LLMs), and personal data relating to vulnerable data subjects (minors). Furthermore, even accepting the defense's argument that the risk assessment was necessary and was conducted through undocumented internal risk assessments involving various interdisciplinary teams starting in 2022 (and only formalized on November 14, 2024), the Authority believes that the defense's arguments are unacceptable for two reasons. First, the principle of accountability applies precisely in circumstances such as those described by Character, in order to allow the data controller to demonstrate compliance with the Regulation by preparing a DPIA and not through unspecified and undocumented internal company assessments. Second, the fact that the first DPIA—late even assuming April 8, 2024, the date of the Service's launch in Italy, as the starting date of the obligation—was deficient both with regard to the processing of minors' data and the processing for pre-training purposes of proprietary LLMs demonstrates that the Company had not properly conducted the risk assessment. Based on the above, the Authority finds that Character violated Articles 5(2) and 35(1) of the Regulation by belatedly adopting the data protection impact assessment, even though it was required to do so. For completeness, the Authority notes that the Company, during the hearing, stated that it had updated the DPIA on February 7 and September 30, 2025, and therefore had progressively improved its compliance with the Regulation, including in this regard. 3.6 Violation of Article 27(1) and (4) of the Regulation The Office charged Character with violating Article 27(1) and (4) of the Regulation by belatedly designating VeraSafe Ireland Ltd. as its representative in the European Union, even though it was required to do so, pursuant to Article 27(1) and (4) of the Regulation. 27 of the Regulation and for having included in the privacy policy of August 27, 2025, a contact link that leads to an unreachable web page, thus effectively making any online communication with the designated representative impossible. Article 27, paragraph 1, of the Regulation requires that the controller, if not established in the European Union, is required to designate in writing a representative in the Union who, pursuant to paragraph 4, acts as an interlocutor, in addition to or in place of the controller, for the supervisory authorities and the data subjects. From the documentation attached to the Company's second response, specifically the Verasafe Master Services Agreement, it appears that the written designation of the Irish company VeraSafe as the representative pursuant to Article 27 of the Regulation was finalized on May 31, 2025. The Authority therefore finds that the Company has fulfilled its obligation under Article 27. 27 of the Regulation only on May 31, 2025, although it had unequivocally offered the Service to data subjects in the EEA area previously, a fact that can be deduced from the preparation of a European regional supplement to the privacy policy dated October 27, 2023, and had specifically offered it to Italian data subjects since April 8, 2024, a fact the Company itself reported at the hearing. The Data Controller's argument in its defense that, in this case, the provisions of Article 27, paragraph 2, of the Regulation, which excludes the obligation to designate a representative in the case of occasional processing, apply does not overcome the Office's findings in the dispute. The Authority believes, in fact, that this exception cannot be applied to the case at hand because i) the processing of personal data related to a Service provided in Italian as of April 8, 2024, cannot be considered occasional (a circumstance also found by the Office during the technical assessment carried out on April 8, 2025); ii) the processing of personal data for pre-training purposes of proprietary LLMs must be considered large-scale; and finally, iii) having not contested the existence of European jurisdiction and therefore the applicability of Article 3, paragraph 2, letter a), of the Regulation, the Company has implicitly endorsed the applicability of Article 27 of the Regulation. As for the violation of Article 27, paragraph 2, letter a), of the Regulation, the Company has implicitly endorsed the applicability of Article 27 of the Regulation. 4, the Office verified, as evidenced by the online inspection report dated November 7, 2025 (ref. no. 148338/25), that the VeraSafe online contact link included in the privacy policy dated August 27, 2025, redirected to an unreachable web page (technical error: "404 page not found"), thus effectively making any online communication with the designated representative impossible. The Company, in its defense brief, confirmed the existence of a technical problem with the hyperlink included in the privacy policy, but disputed the Office's assessment, noting, on the one hand, that data subjects were still able to contact the representative via the email address and telephone number listed at the bottom of the web page accessed via the incorrect link, and, on the other, that the failure of the contact could be considered a "minor material error" that had no impact on the substance and accessibility of the information. The Authority believes that the defense arguments can be accepted given that, although deprived of the easiest means of communication, the interested parties could still contact VeraSafe by regular mail at the physical address or by telephone at the telephone number published in the privacy policy of August 27, 2025. The contested violation, therefore, does not meet the threshold of objective integration, as it concerns a material error in the transcription of the http address that did not affect the substance of the rights of Character.AI users and which cannot be subjectively attributed to the Data Controller, not even through negligence. Based on the above, and also given that the Company immediately corrected the material error, the Authority believes that Character did not violate Article 27, paragraph 4, of the Regulation. In conclusion, regarding the appointment of the representative in the European Union, pursuant to and for the purposes of Article 27 of the Regulation, the Authority believes that Character violated Article 27, paragraph 1, of the Regulation by belatedly appointing VeraSafe Ireland Ltd. as its representative in the European Union, even though it was required to do so. However, it does not violate Article 27, paragraph 4, of the Regulation, given that the deficiency identified must be considered a mere material error that did not substantially impact the rights of the data subjects and was promptly corrected by the Data Controller. 4. CONCLUSIONS In light of the above considerations, the issues contested in the initiation of the proceeding pursuant to Article 27 are confirmed. 166 of the Code, as the statements made during the investigation and the defenses presented were not deemed adequate to overcome the findings made by the Office (and none of the cases provided for in Article 11 of Regulation No. 1/2019 apply) with reference to the violations referred to in Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation. Therefore, the Authority finds the Data Controller's conduct unlawful for having: 1) failed to provide, both in the privacy policy of October 23, 2023, and in the updated privacy policy of August 27, 2025, clear, intelligible, and complete information regarding the various processing operations, in violation of Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2 of the Regulation; 2) failed to provide adequate information to Italian data subjects regarding the processing operations aimed at the pre-training of proprietary LLMs, in violation of Articles 14, paragraphs 1 and 2 of the Regulation; 3) failed to adopt adequate technical and organizational measures, by default, to verify age between April 8, 2024, and November 2024, as well as with regard to Italian users under the age of sixteen, between April 8, 2024, and April 8, 2025, in violation of Articles 24(1) and 25(2) of the Regulation; 4) belatedly adopted the data protection impact assessment, although it was required to do so, in violation of Articles 5(2) and 35(1) of the Regulation; 5) belatedly designated VeraSafe Ireland Ltd. as its representative in the European Union, although it was required to do so, in violation of Article 27(1) of the Regulation. The Authority, however, does not consider the alleged violations referred to in Article 21(1) to be established. 1 and 4 and pursuant to Article 27, paragraph 4, of the Regulation. 5. CORRECTIVE MEASURES The determination of a violation of the aforementioned provisions of the Regulation requires, in relation to certain specific conduct that has not exhausted its effects as of the date of this provision, the adoption of certain corrective measures pursuant to Article 58, paragraph 2, of the Regulation, specifically an order for compliance pursuant to Article 58, paragraph 2, letter d), of the Regulation. It also makes the administrative pecuniary sanction provided for by Article 83, paragraphs 3 and 5, of the Regulation applicable, pursuant to Articles 58, paragraph 2, letter i), of the Regulation. In this case, the conditions for classifying the violations as "minor" pursuant to Recital 148 of the Regulation and the most recent case law of the Court of Justice of the European Union cannot be identified. Article 58, paragraph 2, of the Regulation grants the Garante a series of corrective powers, both prescriptive and punitive, to be exercised in the event that unlawful processing of personal data is ascertained. Among these powers, Article 58, paragraph 2, letter d), of the Regulation provides the power to "order the controller ... to bring processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period." From the findings and considerations in the preceding paragraphs, it has emerged that Character has violated Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 2. 1 of the Regulation, but which, during the investigation, spontaneously adopted certain measures aimed at addressing the critical issues raised by the Authority in the three requests for information and in the initiation of the proceeding pursuant to Article 166 of the Code. Other measures, notably certain amendments to the privacy policy, were spontaneously adopted subsequent to the initiation of the proceeding pursuant to Article 166 of the Code and pending the adoption of this provision. These measures, which ensure partial compliance of the processing with the legislation on personal data protection, will be duly taken into account in the following paragraph regarding the determination of the administrative sanction. However, the following conduct remains, which has not exhausted its effects and requires the prescription of appropriate corrective measures. With reference to the violation of Articles 12, paragraph 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2, of the Regulation, the following measures are considered: 1 and 2, regarding the disclosure requirements regarding the various processing operations performed through the Service for users, the Authority believes that, despite recent revisions to the privacy policy and the related regional supplement, which have undoubtedly improved clarity and usability, the privacy policy in force as of the date of this provision (effective from July 1, 2026) continues to not comply with personal data protection legislation, to the extent that: i) although it clearly associates each category of personal data processed with the corresponding legal basis and the respective processing purpose, some legal bases still appear unclear or misleading (for example, the reference to consent "required by law," or the legal basis for consent for sending personalized communications, which is nevertheless included in the table relating to the personalization of services, based on legitimate interest, or the legal basis for processing for the purpose of verifying age when using the Service, based on fulfilling a legal obligation); ii) although it more clearly indicates the criteria used to determine data retention periods, as they are linked to the purposes of processing, which have themselves been more precisely outlined, it still lacks information on the retention criteria for each purpose (for example, the retention periods for chats or data used to verify age) as well as the consequences of ceasing data retention (for example, any technical retention periods after deletion by the user or any forms of anonymization or aggregation of data whose processing has ceased); the inclusion of specific examples would allow users to more clearly understand the retention periods, in the absence of precise time data; iii) despite the amendments, it is still lacking in information regarding the non-EU countries to which users' personal data may be transferred and on the basis of which adequacy decisions or other appropriate safeguards pursuant to Chapter V of the Regulation; In particular, given that a transfer of personal data to the U.S. seems likely, the applicable adequacy decision is lacking in expressly indicating it; the inclusion of a contact link would make it easier for users to request further information regarding the safeguards adopted in the event of data transfer to third countries; iv) misleadingly indicates, as it is likely to create a false impression among Italian data subjects, the existence of personal data processing for post-training purposes of the LLMs underlying the service, failing to distinguish between users from the EEA and users residing in the U.S., even though such processing, as of ... OMISSIS, had not yet begun; v) in any case, in the event that the aforementioned processing has begun in the meantime, it does not clearly and easily indicate for Italian users the procedures for exercising the right to object to processing for post-training purposes, since this right is described in the initial section of the regional supplement, which is also addressed to users residing in the U.S. and the landing page of the link provided therein is published exclusively in English. Therefore, pursuant to Article 58, paragraph 2, letter d), of the Regulation, the Authority orders the Data Controller to bring its privacy policy into line with the Regulation, specifically Articles 12, paragraphs 1, 13, paragraphs 1 and 2, and 14, paragraphs 1 and 2, thereof, addressing the shortcomings indicated above. With reference to the violation of Articles 14, paragraphs 1 and 2 of the Regulation regarding the information obligations towards Italian data subjects regarding processing operations aimed at the pre-training of proprietary LLMs, noting that such processing ceased as of ... OMISSIS, the Authority orders the Data Controller, pursuant to Article 58, paragraph 2, letter d), d) of the Regulation, to align the retention of personal data relating to Italian data subjects collected for the aforementioned purpose with the Regulation, assessing the possible existence of a different but compatible purpose with that for which the personal data were collected, pursuant to and under the conditions set forth in Article 6, paragraph 4, of the Regulation or, in the absence thereof, ordering their complete deletion. With reference to the violation of Articles 24, paragraph 1, and 25, paragraph 2, of the Regulation regarding technical and organizational measures for age verification, having acknowledged the significant changes made by the Company in the meantime, the Authority orders the Data Controller, pursuant to Article 58, paragraph 2, letter d), of the Regulation, to comply with the Regulation by ensuring i) the correct functioning of the age gate for Italian users at the age of sixteen, as provided for users in the EEA area; ii) the correct functioning of the period ... OMISSIS to prevent further registration attempts by minors who were blocked upon their first access because they declared their age below the minimum age required in the EEA area (sixteen years); iii) the default setting of minors' profiles in private mode. 6. INJUNCTION ORDER Pursuant to Articles 58, paragraph 1, and 58, paragraph 2, letter d), of the Regulation, 2, letter i), of the Regulation and Article 166 of the Code, the Garante has the power to impose an administrative pecuniary sanction pursuant to Article 83 of the Regulation, by issuing an injunction (see Articles 18 of Law No. 689 of 24 November 1981 and Article 16, paragraph 1, of the Garante's Regulation No. 1/2019). In determining the sanction, the Authority takes into account the principles and interpretation provided by the EDPB in Guidelines No. 4/2022 on the calculation of administrative pecuniary sanctions, version 2.1, adopted on May 24, 2023. 6.1. Assessment of the conduct and identification of the applicable sanction Based on the arguments put forward above, the Authority has ascertained the violation of the following provisions of the Regulation: Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation. In this case, it should first be noted that the Company engaged in a series of conducts that constituted multiple violations, as specifically outlined and explained in the previous paragraphs. The violation of the aforementioned provisions occurred as a result of interconnected processing operations (see EDPB Guidelines No. 4/2022, paragraph 28) and can therefore be brought, due to the principle of unity of action, under the aegis of Article 83, paragraph 3, of the Regulation, pursuant to which, in the event of multiple violations, relating to the same processing or to connected processing operations, the total amount of the administrative pecuniary sanction cannot exceed the amount provided for the most serious violation. In this case, the most serious violation of the aforementioned must be identified as the violation of transparency obligations, given that Articles 12, 13, and 14 (rights of data subjects) are sanctioned pursuant to Article 83, paragraph 5, which sets the maximum fine at €20 million or, for undertakings, 4% of the annual worldwide turnover of the preceding financial year, whichever is higher. 6.2. Quantification of the administrative fine (Article 83, paragraph 2, of the Regulation) Pursuant to Article 83, paragraph 1, of the Regulation, the administrative fine must be effective, proportionate, and dissuasive in relation to the individual case. In the aforementioned guidelines, the EDPB clarified that the calculation of administrative fines must begin from a harmonized starting point, which constitutes the initial basis for the further calculation of the fine, taking into account and weighing all the circumstances of the case (see paragraph 46). The harmonized starting point must take into account three factors: 1) nature of the violation; 2) seriousness of the violation; and 3) the company's turnover (see paragraph 48). Starting from the first aspect, relating to the nature of the violation (abstract severity), in this case, of the five violations found, three are more serious (Article 83(5) of the Regulation) as they relate to a basic principle of processing (accountability in connection with the preparation of the DPIA) and to the data subjects' rights (to information), while two are less serious (Article 83(4) of the Regulation) as they relate to the data controller's obligations (security measures and designation of a representative). With regard to the severity of the breach (specifically), the following factors must be taken into consideration: a) the nature, severity, and duration of the breach, taking into account the nature, scope, and purpose of the processing, the number of data subjects affected by the damage, and the level of damage they have suffered (Article 83(2)(a) of the Regulation); b) the intentional or negligent nature of the breach (Article 83(2)(b) of the Regulation); c) the categories of personal data affected by the breach (Article 83(2)(g) of the Regulation). In the case at hand, with regard to point (a), the Authority notes the following: i) the nature of the related processing at issue entails high risks to the rights and freedoms of natural persons, as it is connected to an innovative technology such as generative artificial intelligence applied to an entertainment service, also offered to minors; ii) the object of the processing is cross-border in nature, with a global scope and effects that are virtually beyond the control of the data subjects; iii) all the purposes of the processing covered by this proceeding fall within the Company's core business; iv) the number of data subjects involved must be limited to the number of daily active Italian users, as quantified by the Company itself, in a note dated April 30, 2026, as ... users OMISSIS; v) no concrete damage has been proven to the Italian data subjects with respect to the first and fourth allegations; vi) the duration of the violation is long-term with respect to the processing for pre-training purposes of the Company's proprietary LLMs, but limited with respect to the other four violations, given that the Service has been available to Italian data subjects since April 8, 2024. With regard to point (b), the Authority believes that all the violations identified must be considered negligent. As stated by the Article 29 Working Party, in its guidelines regarding the application and provision of administrative pecuniary sanctions for the purposes of Regulation (EU) No. 2016/679, adopted on 3 October 2017 and implemented by the EDPB on 25 May 2018 (WP 253 Guidelines), intentional conduct refers to both the knowledge and intent (consciousness and will) to commit an unlawful act, while negligent conduct lacks the intent to cause the infringement despite the failure to comply with a duty of care. The Court of Justice of the European Union (CJEU), in its ruling of 5 December 2023 (Case C-807/21), established that the supervisory authority has the burden of establishing whether a breach was committed intentionally or negligently by the data controller, as only unlawful breaches can lead to the imposition of an administrative fine. In this regard, it should be noted that the CJEU established in the aforementioned decision that Article 17 of the GDPR provides for the imposition of a fine. Article 83 of the Regulation does not allow for the imposition of an administrative fine unless it is established that the violation was committed intentionally or negligently by the data controller (see paragraph 75). The Court itself upheld the fundamental principle of "ignorantia legis non excusat," stating that "a data controller may be sanctioned for conduct falling within the scope of the GDPR if the controller could not have been unaware of the unlawful nature of its conduct, regardless of whether it was aware of violating the provisions of the GDPR" (see paragraph 76). This principle had already been enunciated by the Court of Justice in another case (judgment C-601/16 of 25 March 2021, paras. 97 and 98) in which it had established that “an undertaking may be penalised for conduct falling within the scope of Article 101(1) TFEU where that undertaking could not have been unaware of the anti-competitive nature of its conduct, regardless of whether or not it was aware that it was infringing the competition rules of the Treaty” (see, in a similar vein, also CJEU, judgment C-681/11 of 18 June 2013, para. 37). In this case, therefore, the defense arguments expressed on the matter cannot be accepted since Character could not, at the time its Service was launched, and especially when it was expressly offered (also) to users located in the European Union and specifically in Italy, exempt itself from a duty to be aware of and apply the Regulation. This Regulation, as is well known, protects a fundamental right provided for and protected by Article 8 of the Charter of Fundamental Rights of the European Union, given that the processing of personal data represents the company's core business. Evidence of the Company's awareness of its duty of diligence in complying with the Regulation is evident, de plano, from the inclusion, in the privacy policy dated October 25, 2023, of a regional appendix to the main text of the notice, which specifically included European data protection legislation. In light of the specific circumstances of the case, the context in which the Data Controller operates, and the disruptive and rapidly expanding technology underlying its business activities, the Authority believes that the failure to process personal data in compliance with EU legislation constitutes negligence, which is the basis of the concept of fault, and demonstrates the existence of this subjective element on the part of the Company. This fault must, however, be considered non-serious given the attention and resources allocated to progressively improving compliance with the Regulation, which were not only declared during the hearing but also demonstrated by the documentation (and updates thereto) submitted, including spontaneously, during the investigation and after the initiation of the proceedings pursuant to Article 166 of the Code. Regarding point c), the Authority notes that the investigation did not reveal, in particular, the processing of special categories of data. However, it notes that, in the absence of effective age verification mechanisms during registration and during use of the Service, until November 2025, personal data relating to minors and vulnerable individuals were processed without the appropriate security measures. Taking into account the above-mentioned elements, which can be traced back to Article 83, paragraph 2, letters a), b), and g), of the Regulation, it is believed that, in this case, the level of severity (in concrete terms) of the violation committed by the data controller should be considered medium (see Guidelines No. 4/2022, paragraph 60). That said, the Authority further notes that Character can be classified as a start-up that employs ... OMISSIS people, operates in a highly competitive and particularly "aggressive" market occupied by companies with much larger dimensions and resources, and has an annual turnover ... OMISSIS. Finally, for the purposes of quantifying the fine, the Authority believes that the following mitigating factors should be taken into consideration. - mitigating circumstance pursuant to Article 83, paragraph 2, letter c), of the Regulation, for the Data Controller having adopted measures to mitigate the damage with regard to age verification through the adoption and progressive strengthening of the implemented measures, in particular the introduction of a Service dedicated to minors and an age assurance system with age verification, in the second instance, entrusted to a third-party provider; - mitigating circumstance pursuant to Article 83, paragraph 2, letter e), of the Regulation, for the Data Controller not having reported previous relevant violations; - mitigating circumstance pursuant to Article 83, letter f), of the Regulation, due to the Data Controller's cooperation with the Authority throughout the entire investigation phase and even after the initiation of the proceedings pursuant to Article 166 of the Code, in order to remedy the alleged violations, in an innovative, challenging, and evolving technical and legal framework. This circumstance, while not excluding any liability, certainly makes any initiative aimed at improving compliance with the Regulation highly commendable. Specifically, specific and relevant elements considered to supplement the mitigating factor in question are: i) the changes made to the privacy policy aimed at addressing, although not entirely, the critical issues identified by the Office; ii) the information provided to data subjects in the EEA region regarding the processing of their personal data for post-training purposes of the LLM programs supported by the Service, with the right to exercise their right to object in advance, in accordance with the recommendations expressed by the EDPB in Opinion No. 28/24; and iii) the spontaneous communications sent to the Office. Finally, in this case, it is believed that the financial circumstances of the Data Controller are relevant, in light of the amount ... OMISSIS. In light of the above factors, assessed as a whole and based on the principles of effectiveness, proportionality, and dissuasiveness set forth in Article 83, paragraph 1, of the Regulation, it is deemed appropriate to set the fine at €158,000.00 (one hundred and fifty-eight thousand) for the violation of Articles 5, paragraph 2; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation. It is believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Italian Data Protection Authority Regulation No. 1/2019, the additional sanction of publishing this section of the provision containing the injunction on the Italian Data Protection Authority's website should be applied, given the risks to personal data protection associated with making available to the public a service based on an innovative and complex technology such as generative artificial intelligence, in the absence of the necessary safeguards, as well as the existence of a general interest in the topic in question, which requires the widest possible disclosure of the Authority's position on the matter. FOR THESE REASONS - Pursuant to Articles 57 and 83 of the Regulation, the conduct of Character Technologies, Inc., with registered office at #1152, 700 El Camino Real, Suite 120, Menlo Park CA 94025, USA, is declared unlawful for violation of Articles 57 and 58 of the Regulation; 12, paragraph 1; 13, paragraphs 1 and 2; 14, paragraphs 1 and 2; 24, paragraph 1; 25, paragraph 2; 27, paragraph 1; and 35, paragraph 1, of the Regulation, within the terms set out in the reasons; - Pursuant to Article 58, paragraph 2, letter d), of the Regulation, the Data Controller is required to comply with the provisions set out in paragraph 5 of this provision within 120 days of notification of this provision. - Pursuant to Article 157 of the Code, the Data Controller is required to notify the Authority, within 120 days of notification of this provision, of the initiatives undertaken to implement the corrective measures referred to in the preceding point; Failure to comply with the provisions of this section may result in the application of the administrative fine provided for in Article 83, paragraph 5, of the Regulations. IT IS ORDERED Pursuant to Articles 58, paragraph 2, letter i), and 83 of the Regulations, as well as Article 166 of the Code, the aforementioned Data Controller is ordered to pay the sum of €158,000.00 (one hundred and fifty-eight thousand) as an administrative fine for the violations indicated in the grounds. IT IS ORDERED The aforementioned Data Controller, in the event of failure to resolve the dispute, pursuant to Article 166, paragraph 8 of the Code, to pay the sum of €158,000.00 (one hundred and fifty-eight thousand), according to the methods indicated in the attachment, within 30 days of notification of this order, under penalty of the adoption of the subsequent enforcement proceedings pursuant to Art. 27 of Law No. 689/1981. It is hereby stated that, pursuant to Art. 166, paragraph 8, of the Code, the offender retains the right to settle the dispute by paying—again according to the methods indicated in the attachment—an amount equal to half of the fine imposed within the deadline set out in Art. 10, paragraph 3, of Legislative Decree No. 150 of September 1, 2011, established for filing an appeal as indicated below. IT IS ORDERED pursuant to Art. 154-bis, paragraph 3, of the Code and Art. 37 of the Italian Data Protection Authority Regulation No. 1/2019, the publication of this provision on the Italian Data Protection Authority's website; pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Italian Data Protection Authority Regulation No. 1/2019, the publication of the injunction order on the Italian Data Protection Authority's website; pursuant to Article 17 of the Italian Data Protection Authority Regulation No. 1/2019, the recording of violations and measures adopted pursuant to Article 58, paragraph 2, of the Regulation in the Authority's internal register provided for by Article 57, paragraph 1, letter u), of the Regulation. Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and Article 10 of Legislative Decree No. 1 of September 1, 2011. 150, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same Article 10, under penalty of inadmissibility, within thirty days from the date of notification of the provision, or within sixty days if the appellant resides abroad. Rome, July 3, 2026 THE PRESIDENT Stanzione THE REPORTER Stanzione THE SECRETARY GENERAL Montuori

---
Generated by overview.legal · https://overview.legal/posts/108999 · 2026-07-16
