Roma Servizi per La Mobilita S.r.l. – €60,000 Fine (Italy, 2021)

The Italian DPA (Garante) fined Roma Servizi per La Mobilita S.r.l. EUR 60,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The controller was acting as a processor for the city of Rome. As part of this activity, it processed the data of individuals who held permits for restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system, included, for example, the name of the user or the license plate number of the vehicle. The DPA notes that the controller did not analyze the risk associated with the data processing and, as a result, did not implement adequate measures to protect the processing.