Roma Capitale (Rome Municipality) – €500,000 Fine (Italy, 2020)

€500,000Garante per la protezione dei dati personali17 December 2020Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The municipality of Rome was fined EUR 500,000 for mishandling personal data through its appointment booking system. They failed to inform users and employees about how their data was used and didn't protect it properly. This case stresses the need for transparency and security in public services.

What happened

Rome's municipality improperly processed personal data using the 'TuPassi' booking system.

Who was affected

Users and employees whose data was processed without proper information or protection.

What the authority found

The Italian DPA found Rome's municipality violated GDPR by not informing data subjects and failing to secure their data.

Why this matters

This ruling highlights the importance of transparency and data protection in public services. It serves as a warning for organizations to ensure they inform users about data usage and implement strong security measures.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 14 GDPR
Art. 28 GDPR
Art. 32 GDPR
Art. 5(1)(a) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 28(2) GDPR
(3) GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 13 Codice Privacy
Art. 29 Codice Privacy
Source verified 6 March 2026
articles corrected
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Roma Capitale (Rome Municipality) actions
Full Legal Summary
Detailed

The Italian DPA (Garante) fined the municipality of Rome EUR 500,000 for the unlawful processing of users' and employees' personal data. The municipality of Rome had been using the 'TuPassi' booking system to manage appointments and other services since 2015. In the course of a detailed investigation, the Italian DPA found that the controller had violated several data protection regulations with regard to the processing of personal data of customers and employees with whom they had made appointments. For example, the municipality had not properly informed the data subjects prior to processing their data, nor had it taken appropriate technical and organizational measures to protect the processing.

Related Enforcement Actions (0)

No other enforcement actions found for Roma Capitale (Rome Municipality) in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

17 December 2020

Authority

Garante per la protezione dei dati personali

Fine Amount

€500,000

Enforcement Tracker ID

ETid-531

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Roma Capitale (Rome Municipality) - Italy (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: