Roma Capitale – €800,000 Fine (Italy, 2021)

The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle's license plate number. Part of the equipment was supplied by another company, Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers' data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions to process the data collected. Also, the subcontractor was not formally instructed nor instructed on how to proceed with the data processing. It was also found that the companies had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location. In calculating the fine for the unlawful data processing, the DPA aggravatingly took into account the large amount of personal data processed (from June 2018 to November 2019, the system