Comune di Forlì – €15,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Comune di Forlì was fined for launching a mobile app that collected personal data without proper consent. This matters because it shows that even local governments must follow data protection rules. Businesses should ensure they have clear consent before collecting user data.
What happened
The Comune di Forlì launched a mobile app that collected personal data without obtaining proper consent.
Who was affected
Citizens using the app who reported unsafe areas and had their data collected.
What the authority found
The authority found that the Comune di Forlì violated multiple GDPR requirements by not securing user consent for data collection.
Why this matters
This case highlights the importance of obtaining consent for data collection, even for public services. Local governments and businesses alike must review their data practices to comply with privacy laws.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The controller is an Italian municipality which decided to implement a mobile application. This application was made available on app stores between December 2020 and January 2021. It allowed citizens to send notifications to the Local Police about unsafe areas. After getting this notification, the Police could use the video surveillance system to monitor the area. Therefore, personal data of both the person who made the report and the people recorded by the camera were collected.
The software collected the phone number of the reporting person and the location data. The former was then stored for 7 days, allowing the Police to contact the person to get more details about the incident. After 7 days, only location data was kept in an anonymised way. The controller decided not to manage this app itself, but to outsource the development and the management of both the app and the video surveillance system to a company which is owned by the municipality.
The application was temporarily deactivated from April to June 2022. On 11 July 2022 it was permanently deactivated, after the DPA started an investigation into the matter.
Firstly, the DPA pointed out that the controller made the application available on app stores even though it was still in a beta version and, therefore, had not been completely tested yet. Moreover, the controller kept using the app even though the DPO had warned it about the data protection pitfalls of this processing. In addition, the DPA highlighted that, in the first release of the app, users could freely make a report, without the situations that could potentially be the subject of a report being predetermined. In the second release, the controller added a predefined list of categories to classify the report. However, users were still able to send a report of an “undefined” type. The DPA noted that this could lead to the collection of non-necessary data or data falling under Articles 9 or 10 GDPR. Moreover, it was also possible to make a report
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Comune di Forlì in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 June 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€15,000
GDPRhub ID
gdprhub-8066
Cite as: Cookie Fines. Comune di Forlì - Italy (2024). Retrieved from cookiefines.eu