Autonomous Province of Bolzano/Bozen – €32,000 Fine (Italy, 2025)
The Autonomous Province of Bolzano/Bozen was fined EUR 32,000 for using cameras that collected personal data without proper consent. This case matters because it shows that even pseudonymized data can still be considered personal information.
What happened
The Autonomous Province of Bolzano/Bozen installed cameras that collected license plate data without valid consent.
Who was affected
Drivers and vehicle owners whose license plates were captured by the cameras.
What the authority found
The Italian DPA ruled that the province did not have a valid legal basis for processing the license plate data, violating data protection rules.
Why this matters
This case sets a precedent that organizations must be transparent about data collection methods. Businesses should ensure they have proper consent before using surveillance technologies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In 2019, the Province of Bolzano (the controller) installed a network of 124 cameras aimed at analysing traffic flows as a basis for mobility and infrastructure policies in a UNESCO protected area. These cameras automatically read license plates, and also collected a series of metadata, including an identifier of the camera, date, time, class of the vehicle, its nationality, KEMLER identifier if present (relates to dangerous goods), and speed of transit. The license number immediately went through a double pseudonymisation process, with the license number being deleted within 60 seconds of its acquisition. The metadata on the other hand was stored for 2 years. The processor, which was the company providing the technology, was the only entity with access to the raw data and to the algorithm used. The controller only had access to the final aggregated data. The Province stated that the level of pseudonymisation in use means that they were not dealing with data that could be classified as personal data anymore. The DPA came across the facts through news outlets, and opened an investigation ex-officio. The Italian DPA held first of all that license plates are to be classified as personal data, even if pseudonymised. In fact, anyone could connect them to a natural person by consulting the public vehicle registry. It is irrelevant that this is not the intention of the controller. Referring to the pseudonymisation process put in place by the controller, the DPA pointed out that pseudonymised data is still considered personal data, as they could still be attributable to a natural person when read in conjunction with supplementary information. For example, the stored metadata could be used in this regard. It is also irrelevant that the license number is only stored for 60 seconds, as the duration of processing has no influence on the assessment of its lawfulness. The province, through its processor, was thus processing personal data and needs to comply with GDPR obli
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Autonomous Province of Bolzano/Bozen in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
25 September 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€32,000
GDPRhub ID
gdprhub-9620About this data
Cite as: Cookie Fines. Autonomous Province of Bolzano/Bozen - Italy (2025). Retrieved from cookiefines.eu
Last updated: