Autostrade per l'Italia spa – €1,000,000 Fine (Italy, 2023)

The Italian DPA has fined Autostrade per l'Italia spa ('ASPI') EUR 1 million for unlawfully processing the data of approx. 100,000 registered users of the toll reimbursement app 'Free to X.' A consumer organization reported problems with the service, which provides toll refunds for delays caused by roadworks, to the DPA. The DPA found that Autostrade held the position of the data controller, instead of a processor, as stated in the documents governing the relationship between 'ASPI' and 'Free to X', the company that develops and operates the app, as well as in the information notice given to users. In fact, 'ASPI', as the operator of the highway network, was responsible for determining the reimbursement mechanism, the type of compensation measures, the processing and the causes of delays due to road works. 'Free to X' was only tasked with implementing the service. This incorrect assignment of privacy roles resulted in the notice to users being incorrect. The notice should have included the actual identity of the controller, namely ASPI, as well as all the necessary information for proper and transparent processing in accordance with data protection laws. The DPA finally found that ASPI also violated the GDPR by not designating Free to X as a processor.