Italy

Roma Capitale (Rome Municipality)

500,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2020-12-17.

Rank · Sector

#14

of 357 in Public Sector and Education

Rank · Italy

#42

of 543

Rank · All fines

#240

of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2020-12-17
Controller / Processor: Roma Capitale (Rome Municipality)
Sector: Public Sector and Education
Quoted Articles: Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR
Type of violation: Non-compliance with general data processing principles

Summary

The Italian DPA (Garante) fined the municipality of Rome EUR 500,000 for the unlawful processing of users' and employees' personal data. The municipality of Rome had been using the "TuPassi" booking system to manage appointments and other services since 2015. In the course of a detailed investigation, the Italian DPA found that the controller had violated several data protection regulations with regard to the processing of personal data of customers and employees with whom they had made appointments. For example, the municipality had not properly informed the data subjects prior to processing their data, nor had it taken appropriate technical and organizational measures to protect the processing.

Open original source Links to the regulator's original publication or another source.