Roma Capitale – €800,000 Fine (Italy, 2021)
Roma Capitale was fined for not properly informing users about how their personal data was collected through parking meters. The investigation found that the municipality failed to define roles and security measures for the data collected. This case serves as a reminder for local governments to ensure transparency and compliance with data protection laws.
What happened
Roma Capitale processed personal data from parking meters without providing adequate information to users.
Who was affected
Drivers using parking meters in Rome were affected by the lack of transparency.
What the authority found
The Garante found that Roma Capitale breached GDPR rules by not informing users and failing to secure their data.
Why this matters
This ruling stresses the importance of transparency in data collection practices. Local authorities should enhance their data protection measures to avoid hefty fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The DPA launched an investigation into the parking meters operated by the Municipality of Rome. According to a report, users had to enter the license plate of their vehicle to obtain the parking ticket. It found some parking meters under management had recently been modernised to allow card payments and the personalisation of payments to stop users of the service from needing to display tickets. The latter required users to enter their license plates into the meters. The system underpinning this was operated by Atac s.p.a. The company collected information (e.g. the time, the start and end date of the stop, the amount paid and the license plate) relating to the payment of the parking, which was facilitated by more intermediary companies, and made it available both to traffic auxiliaries for the purposes of verifying the payment of the parking as well as to the company's internal staff for administrative management purposes. The DPA notified Roma Capitale that it had discovered some breaches and invited the municipality to produce defensive writings. It stated that the municipality had effectively put in place a system that (1) processed the personal data collected through the new parking meters installed in the area (2) without providing data subjects adequate information, (3) without defining the roles of the external companies involved in the processing, (4) without defining the storage times of the data collected and (5) without having adopted appropriate security measures, in violation of Articles 5, 12, 13, 25, 28 and 32 GDPR. The DPA held that Roma Capitale unlawfully carried out the processing of personal data. This processing "took place in a manner that does not comply with the general principles of processing, in the absence of adequate information and appointment of data processors, as well as in the absence of suitable technical and organizational measures to guarantee a level of security adequate to the risk presented by the processing". It high
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Details
Fine Date
22 July 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€800,000
GDPRhub ID
gdprhub-4040
About this data
Cite as: Cookie Fines. Roma Capitale - Italy (2021). Retrieved from cookiefines.eu