On 23 September 2025, Italy enacted Law no. 132, incorporating EU AI Act principles into the healthcare sector and introducing specific obligations for all professionals using artificial intelligence in clinical practice.[1] Simultaneously, the Garante (Italian data protection authority) published its 2026 inspection plan: at least 40 targeted assessments in the healthcare sector.[5] For Italian physicians, 2026 is not a year of waiting — it is a year of mandatory compliance.
In Italy, the use of AI in medicine is now governed by three overlapping regulatory layers:
The key principle of Law 132/2025 — Art. 7
Healthcare AI systems "must support the physician and never replace human clinical decision-making". The physician must be able to understand the logic of any algorithmic suggestion and override the machine's output at any time. This is the principle of "non-exclusivity of algorithmic decision-making" already established by the Garante in 2023 and now codified by law.
In 2026, thousands of Italian physicians still use personal WhatsApp accounts to communicate test results, ChatGPT to draft clinical notes, and unencrypted email to transmit documentation. Each of these practices is a potential GDPR violation: health data leaves the practice's control and reaches a consumer service with no data processing agreement, no guarantee of EU storage and, for generative AI tools, no guarantee that the data is not reused.
The Garante has explicitly flagged the risk: "generative AI platform operators may retain uploaded health data to train their own algorithms".[4] A patient who has never consented to their health data being used in OpenAI or Google training sets has the right to ensure that it is not.
A concrete 2026 case: the attack on the 'Paziente Consapevole' platform (Murex Software), used by thousands of Italian general practitioners, exposed sensitive health data that was then used in targeted scams against patients. The Garante reminded controllers that a data breach must be notified to the supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33), and that remediation measures must actually be implemented, not just declared.
See also our articles on medical liability and AI and on how to choose GDPR-compliant medical AI.
Can an Italian physician use ChatGPT for consultation notes?
No, not with real patient data. ChatGPT is operated by OpenAI, a US provider, and falls under the US CLOUD Act, which allows US law enforcement to compel a US provider to hand over data it holds regardless of where that data is physically stored. Health data is a 'special category' under GDPR Art. 9: transmitting it to a non-EU provider without adequate guarantees is a GDPR violation that the Garante can sanction with fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (GDPR Art. 83(5)). The Italian Garante has explicitly warned physicians to 'carefully consider the advisability of sharing health data with generative AI service providers'.
What is Law 132/2025 and what does it change for physicians?
Law 23 September 2025, no. 132 is the Italian law that incorporates and integrates the principles of the EU AI Act into the healthcare sector. Key points for physicians: 1) AI systems must 'support the physician and never replace human clinical decision-making'. 2) Research and scientific experimentation projects on healthcare AI that process personal data must be communicated to the Garante in advance. 3) Processing may begin 30 days after that communication unless the Garante has issued a blocking measure in the meantime. 4) AGENAS becomes the national agency for digital health and manages the national AI platform integrated with the FSE (Fascicolo Sanitario Elettronico, the Electronic Health Record).
What is a DPIA and when is it mandatory for medical AI?
The DPIA (Data Protection Impact Assessment) is a mandatory preventive assessment whenever a processing operation is likely to result in a high risk to the rights and freedoms of individuals (GDPR Art. 35). For medical AI in Italy the DPIA is almost always mandatory, since large-scale processing of health data with automated algorithms falls squarely within the cases listed in Art. 35(3), including large-scale processing of special-category data. For high-risk AI systems, the EU AI Act (Art. 27) adds a Fundamental Rights Impact Assessment (FRIA) for certain deployers, including bodies providing public services; the FRIA complements the DPIA and does not replace it.
Does the Garante's 2026 inspection plan affect general practitioners?
Yes. The Garante's 2026 inspection plan covers the whole healthcare sector, with at least 40 targeted assessments. Focus areas include: management of the Electronic Health Record (access logs, separate consent), data breach notifications, use of diagnostic algorithms, and cybersecurity. General practitioners using practice management software with AI components are potentially subject to inspection, especially following data breaches such as the one affecting the 'Paziente Consapevole' platform by Murex Software in 2026.
Is Switzerland considered safe for hosting Italian patient data?
Yes, as far as the international transfer is concerned. The European Commission has recognised Switzerland as a country providing an adequate level of personal data protection (adequacy decision, reconfirmed in the Commission's 2024 review of existing adequacy decisions). This means that transfers of personal data, including health data, to Switzerland need no additional safeguards such as standard contractual clauses and are treated like an intra-EU transfer. Adequacy settles only the transfer question under GDPR Chapter V, however: the controller still needs a lawful basis under Art. 9, a data processing agreement with the provider under Art. 28, and a DPIA where one is required. Subject to those conditions, an AI provider hosted in Switzerland by a certified provider such as Infomaniak (Geneva) offers guarantees equivalent to hosting in Italy or Germany, with the additional benefit of compliance with the nFADP (the revised Swiss Federal Act on Data Protection).
Sovereign hosting in Switzerland (GDPR adequacy zone recognised by the European Commission), GDPR Art. 9 native, no data sent to OpenAI or non-EU servers, DPA available, E2E encryption.
Try free for 14 days →