Italian Data Protection Authority (Garante)-Roma Capitale (7/22/2021)

Irregularities were then identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers’ data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions to process the data collected. Also, the subcontractor was not formally instructed nor instructed on how to proceed with the data processing.

It was also found that the companies had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person’s habits and parking location.

In calculating the fine for the unlawful data processing, the DPA aggravatingly took into account the large amount of personal data processed (from June 2018 to November 2019, the system established by Atac had already collected the data of 8,600,000 stops and potentially affects all users of the paid parking service in the city area) and the sanctions already received for data protection violations, but also the positive cooperation offered by the city and the companies to remedy some violations detected during the inspection.