A municipality has been sanctioned by the Italian Data Protection Authority because the system it adopted to verify ZTL permits, which relied on software reading the QR code displayed on the coupon, allowed anyone with a smartphone to access the permit holder's data.

The Authority imposed two separate sanctions. The first was imposed on the municipality which, as controller of the processing of data of the beneficiaries of the ZTL passes, had not adopted technical and organisational measures to ensure an adequate level of security. The second was imposed on the mobility services company which the municipality uses and which, in this case, acts as data processor. The company was charged with an erroneous risk assessment which, according to the Authority, led to the use of an inadequate information system that did not comply with the principles of privacy by design and privacy by default and did not limit access to data to authorised persons only.

Read the judgement

Author elex
