In Italy the Garante per la protezione dei dati personali is a Data Protection Authority. Recently, they had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018.
The fact of this case is that the the Part of the equipment was supplied by another company, Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers’ data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions to process the data collected. Also, the subcontractor was not formally instructed nor instructed on how to proceed with the data processing. It was also found that the companies had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person’s habits and parking location. In calculating the fine for the unlawful data processing, the DPA aggravatingly took into account the large amount of personal data processed (from June 2018 to November 2019, the system established by Atac had already collected the data of 8,600,000 stops and potentially affects all users of the paid parking service in the city area) and the sanctions already received for data protection violations, but also the positive cooperation offered by the city and the companies to remedy some violations detected during the inspection.
The complaint was filed under Article 5 of GDPR (General Data Protection Regulation) Which says “Principles relating to processing of personal data”, Article 12 of GDPR (General Data Protection Regulation) which says “Transparent information, communication and modalities for the exercise of the rights of the data subject”, Article 13 of GDPR (General Data Protection Regulation) which says “Information to be provided where personal data are collected from the data subject”, Article 25 of GDPR (General Data Protection Regulation) which says “Data protection by design and by default”, Article 28 of GDPR (General Data Protection Regulation) Which says “Processor”, Article 32 of GDPR (General Data Protection Regulation) which says “Security of processing”.
So in this case, the Italian Data Protection Authority (Garante) has imposed a fine of EUR 800,000 (i.e. 6,95,45,672.29 Rupees) on Roma Capitale for violation of all Art. 5, 12, 13, 25, 28 and 32 of GDPR costed the company to pay such a huge amount of fine. This matter was decided on 22.07.2021.
Picture Credit-https://dataprivacymanager.net/
References-
https://www.wikipedia.org/
https://www.enforcementtracker.com/