Comune di Treviso – €7,000 Fine (Italy, 2024)

The DPA opened an ex officio investigation after it learned from social media that the controller, a municipality, had implemented a new app which allows citizens to report crimes. The controller pointed out that this app helps to detect the parts of the town with more crimes and is, therefore, to be regarded as to fulfill the controller’s “judiciary police” tasks. Moreover, it noted that only a small amount of the population has actually downloaded it. First, the DPA pointed out that, according to national law, the local police do not generally have a “judiciary police” function, i.e. the task of preventing and investigating crimes. On the contrary, the local police may have these tasks only when delegated by the state authorities. Since this was not the case, the DPA held that the controller collected this data without a legal basis and, therefore, found a violation of Article 5(1)(a) and 6(1) GDPR. Secondly, the DPA noted that the municipality did not develop the app itself, but outsourced the development and the managing of the app to an external company. The DPA also noticed that the municipality had identified as processor, while the external company had been identified as controller. However, the DPA found this identification wrong, since the entity determining the purposes and means of the processing was actually the municipality. Moreover, the DPA pointed out that the controller did not enter into a binding agreement with the controller according to Article 28(3) GDPR. Therefore, it found a violation of this article. Thirdly, the DPA found that the privacy policy was not compliant with Article 13 GDPR, since it had insufficient and wrong information. For example, it stated that the municipality was the processor (while it was the controller), it lacked the DPO contact details and did not inform the data subject of their right of filing a complaint with the DPA. Fourthly, the DPA noted that the controller made the app available to all data subjects without