The Rome City Council (Roma Capitale) and the city's mobility services company were fined by the Italian Data Protection Authority (Garante per la protezione dei dati personali) for failing to adequately protect the data of citizens who had been granted access to restricted traffic zones (ZTL, zona a traffico limitato). The fines, totalling 410,000 euros, followed an investigation opened after a complaint and press reports about problems with the checking of ZTL passes.
From the findings collected by the Authority, it emerged that the access passes displayed on vehicles carried a two-dimensional barcode (QR code) that allowed enforcement staff to verify in real time whether the pass was valid and to whom it had been issued.
That code, however, could be read by a generic QR-reader app of the kind installed on most smartphones on the market. Anyone scanning it could therefore obtain the name of the permit holder (for example the company, institution, school or natural person), the name of the pass user, the applicant's category, and the vehicle's registration plate.
During the investigation the Authority found a further problem in the handling of the data: the web page reached through the QR code identified the pass by its identification number (PID), and anyone who had opened it could retrieve the data of other pass holders simply by changing that number in the request. No authentication or authorisation check stood between the page and the records, so the whole set of passes could be enumerated (an insecure direct object reference).
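The two weaknesses described above (a QR code that hands full personal data to any scanner, and a lookup page that returns whichever pass number is requested) can be modelled in a few lines. The following is an added example written for this page; it is not the Rome system's code, and the URL shape, field names, record values and the "enforcement" session role are constructed assumptions. The vulnerable functions reproduce the pattern the Authority describes; the hardened ones show one way to close it: bind the QR payload to a keyed MAC so a guessed PID is rejected, require an authenticated enforcement session before returning holder data, and give anyone else at most a validity flag.

```python
"""Pass-lookup endpoint modelled as plain functions.

Added example: the enumerable design described in the press release next to
a hardened one. Schema, URLs and roles are assumptions, not the real system's.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; the real system's schema is not public.
PASSES = {
    1001: {"holder": "Scuola Primaria Esempio", "user": "M. Rossi",
           "category": "school", "plate": "AB123CD", "valid": True},
    1002: {"holder": "Ditta Esempio S.r.l.", "user": "L. Bianchi",
           "category": "business", "plate": "EF456GH", "valid": False},
}


# --- Pattern described by the Authority ------------------------------------
# The QR code carries the bare PID in a URL, and the page returns the full
# record for whatever PID is requested: no authentication, no authorisation.
def vulnerable_qr_payload(pid: int) -> str:
    # Hypothetical URL shape; the real one is not given in the source.
    return f"https://permits.example/check?pid={pid}"


def vulnerable_lookup(pid: int) -> Optional[dict]:
    # Any caller, any PID: changing the number enumerates every pass holder.
    return PASSES.get(pid)


# --- Hardened design (an example, not the remediation the Authority ordered)
# 1) the QR payload is PID + HMAC, so a modified PID fails verification;
# 2) holder data is returned only to an authenticated enforcement session;
# 3) everyone else receives a validity flag and nothing more.
SERVER_KEY = secrets.token_bytes(32)  # assumed: a managed server-side secret


def _mac(pid: int) -> str:
    return hmac.new(SERVER_KEY, str(pid).encode(), hashlib.sha256).hexdigest()


def hardened_qr_payload(pid: int) -> str:
    # Token printed into the QR code: "<pid>.<hex mac>".
    return f"{pid}.{_mac(pid)}"


def _pid_from_token(token: str) -> Optional[int]:
    pid_str, _, tag = token.partition(".")
    if not pid_str.isdigit():
        return None
    pid = int(pid_str)
    # Constant-time comparison; a tampered or guessed PID is rejected here.
    if not hmac.compare_digest(tag, _mac(pid)):
        return None
    return pid


def hardened_lookup(token: str, session: Optional[dict]) -> Optional[dict]:
    """Return pass data for a QR token, scoped to the caller's privileges.

    session: assumed authenticated-session dict, e.g. {"role": "enforcement"};
    None means an unauthenticated caller such as a passer-by with a phone.
    """
    pid = _pid_from_token(token)
    if pid is None or pid not in PASSES:
        return None
    record = PASSES[pid]
    if session is None or session.get("role") != "enforcement":
        # Minimal disclosure: validity only, no holder, user or plate.
        return {"valid": record["valid"]}
    return dict(record, pid=pid)


if __name__ == "__main__":
    print("vulnerable, guessed PID:", vulnerable_lookup(1002))
    tok = hardened_qr_payload(1002)
    print("hardened, anonymous scan:", hardened_lookup(tok, None))
    print("hardened, enforcement:", hardened_lookup(tok, {"role": "enforcement"}))
    forged = tok.replace("1002.", "1001.")
    print("hardened, forged PID:", hardened_lookup(forged, {"role": "enforcement"}))
```

The MAC stops enumeration but is not the real fix on its own: the authorisation check in `hardened_lookup` is what keeps holder data from anyone who merely possesses (or photographs) a pass. Either control without the other leaves one of the two reported problems in place.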
Different responsibilities of the municipality and the company for the unlawful disclosure of personal data of pass holders.
The mobility services company, designated by Roma Capitale as data processor, had not properly assessed the risks and had designed and implemented an inadequate information system, one that did not restrict access to the data to authorised persons only. The Municipality, as data controller for the passes, had likewise failed to adopt technical and organisational measures capable of ensuring a level of security appropriate to the specific risks of the processing.
Among other things, Roma Capitale had not given the company specific instructions on how to handle the personal data of the service's users (ZTL permit holders and pass users) so as to prevent access by unauthorised third parties. Nor had the Municipality designated, as a further processor, the company that provided the hosting service for the IT systems used to manage the permits.
The Data Protection Authority therefore adopted two separate corrective and sanctioning measures. On Roma Capitale it imposed a fine of 350,000 euros, calculated taking into account the high number of people affected, the long duration of the violation, and the privacy violations the local authority had already committed in the past.
In view of the technical and organisational measures it had already taken at the outset to limit the problem, the mobility services company was fined 60,000 euros. Corrective measures were also ordered to restrict the consultation of personal data relating to ZTL permits.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP