Comune di Venezia – €10,000 Fine (Italy, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The city of Venice was fined EUR 10,000 for mishandling personal data related to a tourist tax exemption process. During an investigation, it was found that the city did not properly secure data collected from individuals claiming exemptions. This case shows that even local governments must be careful with personal information.
What happened
The Italian DPA fined the city of Venice for inadequately securing personal data during the tourist tax exemption verification process.
Who was affected
Residents and visitors claiming exemptions from the tourist tax were affected.
What the authority found
The authority found that the city failed to implement adequate security measures for the personal data collected, violating GDPR requirements.
Why this matters
This ruling emphasizes that local governments must prioritize data protection just like private companies. It serves as a reminder for all organizations to implement strong security measures for personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
= The city of Venice (the controller) implemented a fee for accessing certain areas of Venice during peak touristic season (the so-called "tourist tax"). Certain categories of people were exempted from this fee: for instance, Venice residents and their relatives, commuting workers, Venice University students, individuals with disabilities and outpatients of health care providers within the city. The DPA started an ex officio investigation on the implementation of this "tourist tax". In particular, the DPA investigated how the controller collected and processed data from citizens who were exempt from the fee (the data subjects), in order to verify their exemption. = The DPA found that the controller implemented a three-step system for verifying exemptions: * Step 1: the data subject logged into the controller's website, provide their personal details, stated the reason for exemption, and downloaded a QR code; * Step 2: upon entering certain parts of Venice, public officers required data subjects to provide their QR code as well as a self-declaration of the reason for their exemption; * Step 3: the controller's tax office would later control the truthfulness of the self-declaration provided during step 2. = The controller made kiosks available around the city where individuals could pay the fee. During the investigation, the DPA incidentally found that users of the kiosks could change the browser settings and enable the autocomplete function. This vulnerability potentially allowed users to view personal data entered by other users. The vulnerability was later fixed by the controller. The DPA observed that step 1 of the verification procedure was unnecessary. In and of itself, the QR code informed public officers that the data subject had applied for an exemption but did not provide information about the cause for the exemption. In fact, the cause from the exemption- which the data subject already provided in step 1- was collected again in step 2 via the self-decla
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Comune di Venezia in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
4 August 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
GDPRhub ID
gdprhub-9499About this data
Cite as: Cookie Fines. Comune di Venezia - Italy (2025). Retrieved from cookiefines.eu
Last updated: