Comune di Torri del Benaco – Complaint Upheld (Italy, 2024)

A Member of the Parliament was issued several speed camera fines by a municipality, the controller in the case at hand. Since she found these fines unfair, she decided to discuss this matter during a Parliament session and had interviews with some newspapers. A newspaper asked the mayor of the municipality for an interview, during which he confirmed how much fines were issued to the data subject and that her driving license had not been revoked. After that, the data subject filed a complaint with the DPA, arguing that the disclosure of this data was unlawful. Firstly, the mayor objected that he disclosed this data as a private person and not as a representative of the municipality Secondly, the controller argued that the data subject herself disclosed to the press basically all the information contained in the newspaper articles. Therefore, the mayor commented on something that had already become public and did not reveal any further personal data. First of all, the DPA found that the mayor was acting as a representative of the municipality and, therefore, the latter can be regarded as controller. Secondly, the DPA noted that [https://www.normattiva.it/uri-res/N2Ls?urn:nir:::2003;196~art2ter Article 2-ter(3) of the Italian Data Protection Code] allows a public administration to disclose personal data to third parties only when a piece of legislation authorises to do so. Therefore, it is irrelevant whether this data had already made public or not, since such an exception is not foreseen by any law. On these grounds, the DPA found a violation of Article 5(1)(a), 5(1)(c) and 6 GDPR and issued a reprimand to the controller.