Atac s.p.a. – €400,000 Fine (Italy, 2021)

The Italian DPA (Garante) has imposed a fine of EUR 400,000 against Atac s.p.a.. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the in the city of Rome. In fact, the company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle's license plate number. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. It was found that Atac had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location.