A practical guide for foreign companies structuring their presence in Italy and trying to understand how operational models translate into GDPR and Italian privacy obligations.

This article is the second in P&S Legal’s series on GDPR and foreign companies in Italy.
Our previous instalment, “GDPR and foreign companies in Italy: territorial scope explained”, addresses the foundational question of territorial scope under Articles 3(1) and 3(2).

Why corporate labels are a poor starting point

Foreign companies entering the Italian market often begin with the wrong question. They ask whether a branch, a local unit, a sales office or a distributor is the “right” structure from a privacy perspective, as if the corporate label itself predetermined the answer. In practice, that is rarely how the analysis works.

From a data protection standpoint, the real issues are more concrete.
Who actually collects personal data in Italy? Which entity determines the purposes and means of the relevant processing? Is there a stable operational presence in Italy or elsewhere in the Union? Are Italian customers, candidates, employees, suppliers or other individuals being targeted, monitored or managed through group systems? And once a territorial hook exists, which obligations follow in operational terms?

That is why foreign companies can misread their exposure in both directions.
Some assume that a distributor structure keeps them safely outside the GDPR, even though they continue to shape lead generation, CRM logic, customer service or workforce flows affecting Italy. Others assume that opening a branch automatically makes every processing stream across the group subject to exactly the same Italian compliance obligations. Both shortcuts are unreliable.

The better legal approach is to treat branch, local unit, sales office and distributor models as different factual configurations that can trigger different obligations, depending on how data actually moves and who actually controls the relevant processing.

A branch or local unit usually changes the analysis materially

Where a foreign company operates in Italy through a branch or another stable local presence, the first issue is usually Article 3(1) GDPR. The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. The idea of “establishment” is functional, not merely formal. A stable arrangement that supports real economic activity can be enough, even if key systems, servers or headquarters sit elsewhere.

That practical reading has been shaped by the case law of the Court of Justice and by the European Data Protection Board. Google Spain (C-131/12) confirmed that EU data protection rules can apply where local commercial activity is sufficiently connected with the relevant processing. Weltimmo (C-230/14) reinforced the point that establishment is not limited to formal incorporation and can arise from a real and effective activity exercised through stable arrangements (paragraph 31 of https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62014CJ0230).


The EDPB’s Guidelines 3/2018 on territorial scope adopt the same operational logic.

For foreign groups, this means that a branch or local unit in Italy often triggers much more than a need to update privacy notices.
Once personal data is processed in the context of that establishment’s activities, the organisation should normally assess at least its governance model, Article 30 records of processing activities, transparency documentation, lawful bases, processor contracts under Article 28, security measures, retention logic, data subject rights handling, and — where the processing presents high risks for individuals — data protection impact assessments under Article 35.
Where data flows back to group headquarters outside the EEA, transfer mechanisms must also be reviewed.

This is one reason why “local unit” language can be misleading when used informally by business teams. Even if the local presence is not described internally as a full branch, privacy exposure can still be significant if the Italian operation performs stable, revenue-supporting or workforce-related activities linked to the processing at issue.

A sales office may be enough even where the back office sits elsewhere

A sales office is often underestimated because it may appear commercially limited: market development, client relationship support, lead nurturing, first-line contact, meetings, and coordination with distributors or headquarters. Yet from a privacy perspective, those functions can be highly relevant.

If an Italian sales structure contributes in a stable way to the commercial exploitation of products or services and the related personal-data processing, the analysis can move quickly toward Article 3(1). This is particularly true where the sales office feeds leads into a central CRM, participates in contract onboarding, gathers business-card data, handles contact requests, manages prospect follow-up, supports local events, or coordinates account-management activity involving identifiable individuals.

In that context, foreign companies should not focus only on where the CRM is technically hosted. They should ask whether the Italian sales activity forms part of the factual context in which the processing occurs. If it does, the resulting obligations are not confined to a local privacy notice. They may extend to role allocation between entities, intra-group data sharing, appropriate processor or controller-to-controller arrangements, marketing consent architecture, retention periods, and, where applicable, accountability for technologies used to track prospect behaviour.

The position becomes even more sensitive if the sales office also interfaces with recruitment, whistleblowing, compliance investigations or local service issues. At that stage, what started as a purely commercial footprint may already be generating employee, candidate, supplier and complaint-handling data streams that require a more structured compliance design under both the GDPR and the Italian framework.

A distributor model does not automatically keep the foreign company outside scope

Distributor structures are one of the most common sources of confusion. Many foreign companies assume that if an Italian distributor sells the product in its own name, the upstream manufacturer or principal remains outside the local privacy picture. That assumption can be badly wrong.

Sometimes the distributor is genuinely acting as an independent controller for its own sales and customer management activities. In that case, the foreign company may have a more limited direct role. But many real-world arrangements are not that simple. The foreign principal may still influence who is targeted, how leads are generated, what customer data must be collected, how after-sales support is escalated, what analytics are performed, how warranty claims are handled, or how marketing and CRM workflows are structured across the network.

Once that happens, several privacy questions arise immediately.
Is the foreign company acting as an independent controller for some upstream or downstream processing?
Are the parties joint controllers under Article 26 for particular streams, such as shared marketing initiatives or embedded lead-routing systems?
Is one party processing on behalf of the other under an Article 28 processor agreement for specific support functions?
Are transparency obligations aligned with the actual allocation of roles?
Are there lawful sharing mechanisms and documented responsibilities for data subject rights, retention and security?

Fashion ID (C-40/17) remains instructive here. It shows that participation in determining purposes and means can create joint controllership for a specific processing operation even if a party does not control the entire downstream chain. For foreign companies relying on Italian distributors, this is a critical point.
A distributor model may reduce certain compliance burdens, but it does not eliminate the need to analyse concrete data flows and role allocation with precision.

Which obligations are commonly triggered in practice

Once the operational model has been analysed correctly, the next question is not simply whether the GDPR applies, but which obligations are likely to be activated first.
The sequence matters: some obligations arise immediately upon establishing territorial scope, others follow as the operating model and data flows become clearer. In practice, foreign companies entering Italy through a branch, local unit, sales office or distributor should usually assess at least six areas:

  1. Territorial scope and role allocation, mapped processing by processing. The same business structure can generate different answers for HR, B2B sales, marketing, complaints handling, after-sales service and distributor management.
  2. Transparency and lawful-basis documentation, checked against the real operating model. Companies often rely on group templates that do not accurately reflect Italian-facing processing activities or multi-entity data sharing.
  3. Article 30 records, internal governance and accountability measures. A light-touch market-entry structure can still trigger record-keeping, access-control, retention and incident-management obligations that the business had not yet operationalised locally.
  4. Contracts and data-sharing arrangements, aligned with operational reality. Distributor agreements, CRM access rights, service-level arrangements, customer support workflows and intra-group support functions often require clearer privacy allocation — under Articles 26 and 28 — than the parties initially assume.
  5. International data transfers, reviewed as soon as Italian or wider EU territorial scope is established. If personal data from Italian operations is accessed or exported to headquarters or support teams outside the EEA, the question of lawful transfer mechanisms becomes immediately relevant.
  6. Local Italian rules and regulatory expectations. The Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018) and the practice of the Garante per la protezione dei dati personali add practical complexity in employment-related processing, marketing, cookies and other high-friction operational contexts.

Where processing presents high risks for individuals — particularly in workforce monitoring or large-scale profiling — a data protection impact assessment under Article 35 should also be considered at this stage.

The right analysis is functional, not formalistic

The strategic mistake is to treat branch, local unit, sales office and distributor as four boxes with four predetermined legal answers. For privacy purposes, the real exercise is functional. The label matters less than the factual combination of presence, targeting, data flows, decision-making power and operational integration.

That is also why privacy should be assessed before or at least alongside market-entry design. If the structure is chosen first and the data flows are analysed only later, the company often discovers that contractual documents, notices, role allocation, marketing workflows, user tracking, internal reporting lines and cross-border transfers were all built on assumptions that do not match the legal reality.

For foreign companies with interests in Italy, the better question is therefore not “Which structure has fewer privacy obligations?” The better question is “Given this structure, which processing streams are being activated, which territorial hooks are being created, and which governance decisions must follow now rather than after launch?”

Conclusion

A branch, local unit, sales office or distributor does not trigger privacy obligations in the same way or to the same extent in every case. But none of those labels should be treated as a shortcut to the answer. Under the GDPR, and in light of the Italian privacy framework, obligations are triggered by operational reality: factual presence, targeting, monitoring, role allocation, data sharing and business integration.

For foreign companies, the real issue is not simply identifying which formal structure is present in Italy, but translating that structure into the right allocation of privacy roles, governance choices and operational responsibilities. The businesses that manage this well are usually the ones that analyse territorial scope and data architecture before local operations become harder to unwind.

If your company is entering or expanding in Italy through a branch, local unit, sales structure or distributor network, privacy issues should be assessed before legal assumptions become embedded in contracts, workflows and reporting lines.

P&S Legal works with foreign companies and international groups to map the privacy exposure created by their Italian operating model and design the governance architecture needed to address it.

Where appropriate, we help clients identify exposure areas, build compliant frameworks and address the privacy implications of commercial activity, workforce-related processing and cross-border data flows.