Italy
Autostrade per l'Italia spa
GDPR enforcement action by Italian Data Protection Authority (Garante) on 2023-06-22.
Case details
- Authority
- Italian Data Protection Authority (Garante)
- Date
- 2023-06-22
- Controller / Processor
- Autostrade per l'Italia spa
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 28 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Italian DPA has fined Autostrade per l'Italia spa ("ASPI") EUR 1 million for unlawfully processing the data of approx. 100,000 registered users of the toll reimbursement app "Free to X."
A consumer organization reported problems with the service, which provides toll refunds for delays caused by roadworks, to the DPA.
The DPA found that Autostrade held the position of the data controller, instead of a processor, as stated in the documents governing the relationship between "ASPI" and "Free to X", the company that develops and operates the app, as well as in the information notice given to users.
In fact, "ASPI", as the operator of the highway network, was responsible for determining the reimbursement mechanism, the type of compensation measures, the processing and the causes of delays due to road works. "Free to X" was only tasked with implementing the service. This incorrect assignment of privacy roles resulted in the notice to users being incorrect. The notice should have included the actual identity of the controller, namely ASPI, as well as all the necessary information for proper and transparent processing in accordance with data protection laws. The DPA finally found that ASPI also violated the GDPR by not designating Free to X as a processor.
Related fines