Autostrade per l’Italia S.p.A – €1,000,000 Fine (Italy, 2023)
Autostrade per l’Italia was fined EUR 1,000,000 for mishandling user data from its toll reimbursement app. This case is significant because it shows that companies must clearly define their roles in data processing to protect user privacy.
What happened
Autostrade per l’Italia was fined for unlawfully processing the data of users of its toll reimbursement app.
Who was affected
Approximately 100,000 users of the toll reimbursement app were affected by the mishandling of their personal data.
What the authority found
The Italian DPA ruled that Autostrade improperly classified its role in data processing, violating GDPR rules on transparency and user rights.
Why this matters
This ruling sets a precedent for how companies must clarify their roles in data processing. Businesses should ensure they accurately represent their data handling practices to users.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In October 2021, Autostrade per l’Italia S.p.A. (a public concession for the management of motorway services) signed a settlement agreement with the Ministry of Infrastructure and Transport providing for the implementation of compensation measures for motorway users, including discounts/refunds on toll rates, in view of the delays caused by construction sites on highways managed by the company. Following this agreement, Free to X, a company owned by Autostrade, was entrusted by the latter with the development and management of a cashback app that would allow users to request a total or partial refund of their toll costs. Both companies agreed that Free to X would be the considered as the controller since it would have "full and autonomous decision-making powers" regarding the purposes and the means of the data processing activities. Free to X launched the homonymous app still in 2021 and the total number of users registered that year was 308,058. Subsequently, Assoutenti, a consumer association, raised some concerns with the Italian DPA regarding personal data processing activities carried out through the app. The DPA opened an investigation and requested information from Autostrade, as the controller. In response, the controller argued that it did not act as a controller, as it limited itself "only to determining the purpose" of the app, without intervening in any way on related purposes and means. However, it committed "to change its role, attributing to itself the controlership of the processing of data relating to the cashback service" and to "amend the app's privacy policy and terms and conditions". Finally, Austostrade stated that it could inform all the app users about the changes by email. First, DPA highlighted that the reimbursement mechanism (cashback app) was chosen by Austostrade as a way to implement the compensatory measures provided for by the agreement signed with the Ministry and that the company was also defining the methods for the fulfillment
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Autostrade per l’Italia S.p.A in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
22 June 2023
Authority
Garante per la protezione dei dati personali
Fine Amount
€1,000,000
GDPRhub ID
gdprhub-6160About this data
Cite as: Cookie Fines. Autostrade per l’Italia S.p.A - Italy (2023). Retrieved from cookiefines.eu
Last updated: