Italy
Roma Capitale
GDPR enforcement action by Italian Data Protection Authority (Garante) on 2021-02-11.
Case details
- Authority
- Italian Data Protection Authority (Garante)
- Date
- 2021-02-11
- Controller / Processor
- Roma Capitale
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Italian DPA (Garante) fined the city of Rome EUR 350,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system, included, for example, the name of the user or the license plate number of the vehicle. In addition, the DPA found that the city of Rome had used the services of a provider for the hosting and maintenance of databases without a proper agreement as required by Art. 28 GDPR.
Related fines