Comune di Portici – €6,000 Fine (Italy, 2024)

The municipality of Portici (the data controller) installed and operated traffic cameras near traffic lights in order to record red lights violations. The controller did not install information signs for the cameras and did not provide residents with any information on the processing of personal data. Additionally, the controller did not carry out a data protection impact assessment (DPIA) for the processing of personal data. Several residents later complained to the Italian supervisory authority that the cameras were installed without information signs. In an early communication with the authority, the controller claimed that the law authorizing the use of traffic cameras did not require informing the data subject in the specific case of traffic light violations. The controller also claimed that a DPIA was not needed due to the limited scope of the video surveillance and to some privacy-preserving safeguards of the processing of the footage (such as the limitation of storage times and the obfuscation of car windshields). Nonetheless, the controller addressed the authority’s concerns in several ways. It installed information signs near the cameras to provide residents with the essential information on the processing of their data. It also drafted a privacy notice addressing the use of traffic cameras. The notice was published on the controller’s website and was made available at the police station. Finally, the controller carried out a DPIA for the use of the cameras and updated the municipal regulation on video surveillance. The supervisory authority held that the controller violated Articles 5(1)(a), 12, and 13 GDPR by failing to inform residents about the use of traffic cameras. The authority also held that the controller violated Article 35 GDPR by failing to carry out a DPIA. The authority considered that its concerns were entirely addressed during the procedure and fined the controller €6,000.