Comune di Venezia – €10,000 Fine (Italy, 2025)

= The city of Venice (the controller) implemented a fee for accessing certain areas of Venice during peak touristic season (the so-called "tourist tax"). Certain categories of people were exempted from this fee: for instance, Venice residents and their relatives, commuting workers, Venice University students, individuals with disabilities and outpatients of health care providers within the city. The DPA started an ex officio investigation on the implementation of this "tourist tax". In particular, the DPA investigated how the controller collected and processed data from citizens who were exempt from the fee (the data subjects), in order to verify their exemption. = The DPA found that the controller implemented a three-step system for verifying exemptions: * Step 1: the data subject logged into the controller's website, provide their personal details, stated the reason for exemption, and downloaded a QR code; * Step 2: upon entering certain parts of Venice, public officers required data subjects to provide their QR code as well as a self-declaration of the reason for their exemption; * Step 3: the controller's tax office would later control the truthfulness of the self-declaration provided during step 2. = The controller made kiosks available around the city where individuals could pay the fee. During the investigation, the DPA incidentally found that users of the kiosks could change the browser settings and enable the autocomplete function. This vulnerability potentially allowed users to view personal data entered by other users. The vulnerability was later fixed by the controller. The DPA observed that step 1 of the verification procedure was unnecessary. In and of itself, the QR code informed public officers that the data subject had applied for an exemption but did not provide information about the cause for the exemption. In fact, the cause from the exemption- which the data subject already provided in step 1- was collected again in step 2 via the self-decla