Privacy and gender identity: regulations and protections
Privacy protection represents a crucial issue in the lives of transgender and non-binary people. Gender identity, when it does not correspond to the sex assigned at birth, generates a series of legal implications that touch on personal data protection, document management, and defense against discrimination. This article analyzes the Italian and European regulatory framework on the matter, from the guarantees offered by the GDPR to protections in workplace and school contexts.
The right to privacy in gender identity
Legal foundations
The right to privacy in relation to gender identity is rooted in various supranational legal sources. At the European level, Article 8 of the European Convention on Human Rights (ECHR) enshrines the right to respect for private and family life. The European Court of Human Rights has progressively brought the rights of transgender people within the scope of this article, recognizing that the sexual sphere, encompassing sexual orientation and gender identity, defines personal identity and thus falls within the notion of “private life” [8].
The case law of the Strasbourg Court has established that the failure to legally recognize gender identity after transition constitutes a violation of Article 8, as it undermines respect for human dignity and freedom [8]. In various rulings, the Court has also reduced the margin of appreciation granted to Member States precisely because of the central role that gender identity plays in individuals’ private lives.
The Italian Constitution
In the Italian context, the protection of gender identity is connected to Articles 2 and 3 of the Constitution, which guarantee the inviolable rights of the person and the principle of substantive equality. The Constitutional Court has recognized, beginning with ruling no. 161/1985, that the right to gender identity falls within the broader right to the realization of one’s own personality, protected by Article 2.
Law No. 164 of 1982 represented the first specific legislative intervention, governing the rectification of sex attribution [4]. This law, while not explicitly discussing privacy, introduced the principle that, following rectification, no trace of the original gender and name of the person should remain, precisely to safeguard confidentiality [5].
GDPR and sensitive data
Classification of data related to gender identity
The General Data Protection Regulation (GDPR, EU Regulation 2016/679) classifies information relating to gender identity among the special categories of personal data, commonly defined as “sensitive data.” Article 9 of the Regulation expressly includes data concerning sexual life and sexual orientation among those deserving enhanced protection. The European Commission has clarified that personal data considered sensitive include those revealing racial or ethnic origin, political opinions, religious convictions, genetic and biometric data, as well as data concerning health and sexual life [3].
Although the GDPR does not explicitly mention gender identity as an autonomous category, data relating to a person’s transgender condition falls within this enhanced protection on multiple grounds: as data capable of revealing health status (when linked to a medical pathway), as data relating to sexual life or sexual orientation, and in any case as data whose unlawful processing could expose the data subject to discrimination [1].
Processing and consent
The processing of data relating to gender identity requires compliance with particularly stringent conditions. Under Article 9 of the GDPR, the processing of such data is prohibited unless one of the specified conditions applies, including the explicit consent of the data subject for one or more specific purposes, the necessity to fulfill obligations in the field of employment law and social security, the protection of a vital interest of the data subject, or processing necessary for reasons of substantial public interest [1].
In practice, this means that a person’s transgender condition and, in general, a person’s gender identity must be known exclusively to those who have been expressly informed by the person concerned or authorized through their consent. Any unauthorized disclosure of such information constitutes a GDPR violation.
Right to rectification and erasure
Article 16 of the GDPR recognizes the right to rectification of inaccurate personal data. This right assumes particularly significant meaning for transgender people, as it allows requesting the correction of personal data in registers and databases [10].
The Deldits ruling (Case C-247/23) by the Court of Justice of the European Union in March 2025 strengthened this principle, establishing that a national authority responsible for a public register has the obligation to correct, without undue delay, any errors in the registration of a transgender person’s gender [2][10]. The Court specified that data updating does not constitute a mere administrative act, but rather a fundamental protection of the right to identity and dignity, and that it cannot be made conditional upon proof of a completed gender reassignment surgery [2].
Article 17 of the GDPR, known as the “right to be forgotten,” further allows requesting the erasure of one’s personal data when they are no longer necessary for the purposes for which they were collected. For transgender people, this right can be invoked to request the removal of references to the previous legal name (the so-called deadname) from databases, digital archives, and registers that are no longer current [1].
Deadnaming and outing: legal implications
Definitions
Deadnaming consists of using the birth name (called “dead name” or deadname) of a transgender person who has adopted a different name, consistent with their gender identity. Outing is the disclosure, without the consent of the person concerned, of their transgender condition or transition pathway.
Both practices can have severe consequences on a psychological, social, and professional level. When committed intentionally, they may constitute unlawful conduct under various legal grounds.
European regulatory framework
At the European level, there is no unified regulation yet that specifically sanctions deadnaming and outing. However, some Member States have adopted specific provisions.
In Germany, the Selbstbestimmungsgesetz (Self-Determination Act), which came into force on November 1, 2024, provides for pecuniary penalties of up to 10,000 euros for anyone who intentionally and with harmful intent reveals the previous legal name or the sex assigned at birth of a person who has completed the name change procedure [6]. The law does not establish a general prohibition on deadnaming or misgendering, but specifically sanctions the malicious disclosure of confidential information with harmful purpose [6].
Implications under Italian law
In Italy, there is no specific law that sanctions deadnaming as an autonomous offense. However, the conduct can be traced to various legal figures [1]. The unauthorized disclosure of a person’s transgender condition may constitute a violation of the GDPR, with the relevant administrative sanctions provided by Articles 83 and 84 of the Regulation. In particularly serious cases, it may constitute the crime of unlawful processing of personal data under Article 167 of the Personal Data Protection Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).
Furthermore, deadnaming and outing may constitute cases of defamation (Art. 595 of the Penal Code) when the disclosure occurs in public contexts and in a manner that damages the person’s reputation, or harassment (Art. 660 of the Penal Code) when the conduct is repeated and aimed at disturbing the person.
Documented harms
Scientific research has documented the negative effects of deadnaming and outing on the mental health of transgender people. Forced exposure to the deadname is associated with increased levels of anxiety, depression, and suicidal ideation. In the workplace, non-consensual outing can lead to marginalization, harassment by colleagues, and, in the most serious cases, job loss.
A particularly sensitive aspect concerns the birth certificates of children of transgender people: such documents may bear the parent’s previous name, causing forced outing every time the document is presented to authorities, schools, or healthcare facilities [5].
Documents and civil registry
Legal rectification in Italy
The procedure for rectifying legal sex in Italy is governed by Law No. 164/1982 and subsequent amendments [4]. The proceeding takes place before the competent Court and, following the final judgment, the person obtains the right to modify all identity documents [4][12].
Italian case law has significantly evolved the interpretation of the law over the years. The Court of Cassation and the Constitutional Court have established that gender reassignment surgery is no longer an indispensable requirement for obtaining legal rectification. Ruling no. 221/2015 of the Constitutional Court clarified that the correct interpretation of Law 164 excludes the necessity of surgical treatments for the purposes of rectification [4].
The “double name” problem
During the transition pathway and before the final rectification ruling, transgender people often find themselves possessing documents bearing a legal name and gender that do not correspond to their identity [5]. This situation creates daily difficulties in numerous contexts: from airport checks to medical visits, from accessing banking services to signing contracts.
The period of documentary transition represents a phase of particular vulnerability from a privacy perspective, as the discrepancy between the person’s physical appearance and the data on their documents can result in involuntary outing in any circumstance requiring the presentation of an identity document.
Identity card and passport
Following the rectification ruling, the person has the right to obtain the issuance of a new identity card and a new passport with updated data [5]. The municipality of residence is required to issue the new documents, and the principle established by Law 164 provides that no trace of the previous name and gender should remain.
However, in practice, difficulties may arise related to documents already issued that are not automatically updated. Academic diplomas, for example, are in many cases difficult to modify after issuance, meaning that their presentation may result in forced outing, especially in professional contexts. Similarly, certificates and attestations issued by public and private entities may continue to bear the previous name.
Regarding the tax code (codice fiscale), the Revenue Agency proceeds with modification following communication from the Municipality of the completed rectification [5]. However, the tax code contains a gender indicator in its alphanumeric structure, which requires the assignment of a completely new code and the need to update all connected registers and computer systems.
The European context
The Court of Justice of the EU has established that Member States must recognize gender transitions legally completed in any other Member State [2]. This decision has significant implications for the free movement of transgender people within the Union, ensuring that legal recognition of gender identity is not lost when crossing an internal border.
Protections in workplaces and schools
European employment legislation
The protection of transgender people in the workplace is primarily based on Directive 2006/54/EC (known as the Gender Recast Directive), concerning the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation. Recital 3 of the preamble to this directive introduced, for the first time in EU law, an explicit reference to discrimination based on gender reassignment [9].
The directive applies to all workers in the public and private sectors and covers access to employment, vocational training, working conditions, pay, and affiliation with workers’ or employers’ organizations. However, as noted by ILGA-Europe, the implementation of the directive by Member States presents significant gaps regarding transgender people: at least eleven Member States do not treat discrimination against transgender people either as gender discrimination or as discrimination based on sexual orientation, creating a situation of legal uncertainty [9].
Directive 2000/78/EC, which establishes a general framework for equal treatment in employment and working conditions, prohibits discrimination based on sexual orientation, but does not explicitly mention gender identity. The proposal for a horizontal anti-discrimination directive, advanced by the European Commission in 2008, which would have extended protection beyond the employment context, did not obtain the necessary approval due to opposition from several Member States [9].
Italian employment legislation
In Italy, Legislative Decree 216/2003, implementing Directive 2000/78/EC, prohibits discrimination in employment and vocational training based, among other things, on sexual orientation. Italian case law has in several cases categorized discrimination against transgender people as sex-based discrimination.
The Ministry of Justice issued a circular in September 2024 containing provisions for the activation and management of an alias identity for employees of the Judicial Administration, marking an important step toward the recognition of gender identity in public employment [12].
Best corporate practices for protecting the privacy of transgender people include: the adoption of alias identity policies that allow the use of the chosen name in internal communications, identification tags, and email addresses [7]; training of human resources staff on the confidential management of gender identity data; the establishment of reporting procedures for deadnaming or outing episodes in the workplace; and the guarantee of access to restrooms and changing rooms consistent with the person’s gender identity.
The school environment
In the Italian school context, the main tool for protecting the privacy of transgender people is the alias career (carriera alias). This is a temporary bureaucratic profile that replaces the student’s legal name with the one corresponding to their gender identity in the electronic register, school booklet, internal communications, and, in general, in the daily life of the institution [11].
The alias career has been present in Italian universities since 2003 and has progressively spread to secondary schools as well [11]. It has no legal value and does not replace legal rectification, but represents an act of recognition and privacy protection that allows the person to be identified by their chosen name in daily school life.
The activation of the alias career generally occurs through a confidentiality agreement between the institution, the student, and, in the case of minors, the family [11]. No medical or psychological certification should be required, as gender variance does not constitute a pathology. However, in practice, some school regulations still require medical-psychological documentation for activation.
The alias career protects the transgender student’s privacy in several ways: it avoids forced outing during roll call in class, in communications between school and family, in internal documents, and in interactions with classmates and teachers. At the same time, official documents with legal value (such as the diploma) continue to bear the legal name until any judicial rectification.
Open challenges in the school context concern the absence of a uniform national regulation on the alias career, which leaves the matter to the discretion of individual institutions; the need for teacher training on the correct management of gender identity and privacy; and the protection of transgender students in environments that, in the absence of specific policies, may expose them to bullying, deadnaming, and non-consensual outing.
Toward more complete protection
The regulatory framework on privacy and gender identity is constantly evolving. The case law of the Court of Justice of the EU and the European Court of Human Rights is progressively strengthening protections, as demonstrated by the Deldits ruling of 2025 [2][10] and the numerous rulings on the scope of Article 8 ECHR [8]. However, significant gaps remain, both at the European level (the absence of a horizontal anti-discrimination directive, the fragmented implementation of the Gender Recast Directive [9]) and at the national level (the lack of specific legislation on deadnaming, the absence of a uniform regulation on the alias career).
The effective protection of the privacy of transgender people requires an integrated approach that combines regulatory, jurisprudential, and organizational tools: from the correct application of the GDPR to the training of those who process sensitive data, from the adoption of alias identity policies in workplaces and schools to raising public awareness of the meaning and consequences of deadnaming and outing.