Roma Capitale – €350,000 Fine (Italy, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The city of Rome was fined €350,000 for not securing citizens' data on traffic permits. Anyone could scan the QR codes on permits and access personal information. This case shows that cities must protect personal data even in everyday systems like traffic management.
What happened
Rome's traffic permit system allowed anyone to scan QR codes and access personal data.
Who was affected
Citizens with permits to access restricted traffic areas in Rome.
What the authority found
The Italian DPA ruled that Rome failed to protect personal data because it did not secure the QR codes and lacked a proper agreement with its service provider.
Why this matters
This highlights the need for municipalities to implement strong data protection measures and proper agreements with service providers, even for routine services like traffic management.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The Italian DPA (Garante) fined the city of Rome EUR 350,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether a particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff but anyone could scan the codes and access the information, as this required only an ordinary QR scanner. The information stored in the system included, for example, the name of the user or the license plate number of the vehicle. In addition, the DPA found that the city of Rome had used the services of a provider for the hosting and maintenance of databases without a proper agreement as required by Art. 28 GDPR.
Details
Fine Date: 11 February 2021
Authority: Garante per la protezione dei dati personali
Fine Amount: €350,000
Enforcement Tracker ID: ETid-617
About this data
Cite as: Cookie Fines. Roma Capitale - Italy (2021). Retrieved from cookiefines.eu