Garante per la protezione dei dati personali (Italy) - 10028498

From GDPRhub
Garante per la protezione dei dati personali - 10028498
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 25(1) GDPR
Article 28(3) GDPR
Article 28(9) GDPR
Article 32 GDPR
Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 20.06.2024
Published:
Fine: 15,000 EUR
Parties: Comune di Forlì
National Case Number/Name: 10028498
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a municipality €15,000 as it developed a mobile app for safety purposes without conducting a DPIA and without stipulating a written binding agreement with its processor.

English Summary

Facts

The controller is an Italian municipality which decided to implement a mobile application. This application was made available on app stores between December 2020 and January 2021. It allowed citizens to send notifications to the Local Police about unsafe areas. After getting this notification, the Police could use the video surveillance system to monitor the area. Therefore, personal data of both the person who made the report and the people recorded by the camera were collected.

The software collected the phone number of the reporting person and the location data. The former was then stored for 7 days, allowing the Police to contact the person to get more details about the incident. After 7 days, only location data was kept in an anonymised way.

The controller decided not to manage this app on itself, but to outsource the development and the management of both the app and the video surveillance system to a company which is owned by the municipality.

The application was temporarily deactivated from April to June 2022. On 11 July 2022 it was permanently deactivated, after the DPA started an investigation on the matter.

Holding

Firstly, the DPA pointed out that the controller made the application available on app stores even though it was still in a beta version and, therefore, had not been completely tested yet. Moreover, the controller kept using the app even though the DPO had warned it about the data protection pitfalls of this processing.

In addition, the DPA highlighted that, in the first release of the app, users could freely make a report, without the situations that could potentially be the subject of a report being predetermined. In the second release, the controller added a predefined list of categories to classify the report. However, users were still able to send a report of an “undefined” type. The DPA noted that this could lead to the collection of non-necessary data or data falling under Articles 9 or 10 GDPR. Moreover, it was also possible to make a report about domestic violence or bullying incidents, matters that exceeded the controller's law enforcement competences under national law.

Therefore, the DPA found a violation of Articles 5(2) and 25 GDPR, as the controller did not, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate measures to ensure that the GDPR was complied with.

Secondly, the DPA noted that the controller published on its website a privacy policy about this specific processing only on 22 April 2022, while in the period between that day and December 2022 no privacy policy was available. The DPA did not uphold the argument of the controller about the fact that a shorter privacy notice had been available on the app itself since April 2022. According to the DPA, this notice was however not compliant with Article 13(2)(a) GDPR as it contained wrong information about the data storage period. Therefore, the DPA found a violation of Articles 5(1)(a), 12(1) and 13 GDPR.

Thirdly, the DPA focused on the relationship between the controller and the processor. The DPA noted that the two entities had never signed a written binding agreement, even though the latter was carrying out several processing activities, including the one at stake, on behalf of the controller. Therefore, the DPA found a violation of Article 28(3) and (9) GDPR.

Fourthly, the DPA stated that in this case the controller would have needed to carry out a DPIA, since this processing was likely to result in a high risk to the rights and freedoms of natural persons. In particular, the DPA stressed that the processing was a “large scale” processing and involved location data and potentially data relating to criminal convictions under Article 10 GDPR. However, the controller did not carry out such an assessment and, therefore, violated Article 35(1) GDPR.

Finally, the DPA noted that the Local Police staff could access the database with a generic password provided by the processor, and not with login credentials linked to a specific person. According to the DPA, this meant that, on the one hand, the controller was unable to identify the specific person who had accessed to data. On the other hand, if the controller had set up different user accounts with varying levels of access, it could have restricted access to only what each user needed for their job. Therefore, the DPA found a violation of Articles 5(1)(f) and 32 GDPR.

On these grounds, the DPA issued a fine of €15,000.

Comment

On the same day, the DPA also fined the processor with a separate decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10028498]

Provision of 20 June 2024

Register of measures
n. 374 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

The Authority learned from public sources that the Municipality of Forlì (hereinafter, the "Municipality") had made an IT application available to citizens, called "Falco - Protected City", developed by FMI S.r.l. (hereinafter, “FMI” or the “Company”), which allowed citizens to send reports to the local police regarding situations of degradation or which aroused a certain level of social alarm, in any case not such as to require an emergency call to 112 .

Once a report was received, the local police personnel responsible for viewing the video surveillance images, coming from the cameras installed in the municipal territory for the purpose of protecting urban security, could monitor the situation in the specific area affected by the report and possibly send a patrol to site to carry out checks, as the GPS position and telephone number of the reporting device have been temporarily acquired.

From an information page published on the IMF website (https://www.fmi.fc.it/falco/), it also appeared that, following the receipt of a report, the local police could also send drones in the affected area to carry out the appropriate checks.

In relation to the processing of the personal data of the interested parties, the Municipality qualified itself as data controller, indicating the FMI as data controller (see the information on the processing of personal data at the time published on the institutional website of the Municipality, at the address https://www.fmi.fc.it/privacy-falco/#1651136340326-95cb6497-1535), while the FMI qualified itself as data controller (see the different information published at the time on the Company's website , at https://www.fmi.fc.it/privacy-falco).

2. The preliminary investigation activity.

In response to a request for information from the Authority (see note prot. 37217 of 8 July 2022), the Municipality, with note dated 18 July 2022 (prot. no. 0083196/2022), declared, in particular, That:

“with resolution of the City Council n. 111 of 12/19/2018 and with subsequent contract no. 91 of 6/6/2019, FMI was entrusted […], […] [the functions of] management of the Municipality's video control system […] and connected to urban surveillance […; with] said contract, in art. 39, FMI was identified as the data controller of personal data for the areas of its competence";

“with resolution of the Municipal Council […] n. 200 of 06/23/2021, following the transfer to FMI also of the technological support function for the design and management of video surveillance systems, arranged by resolution of the Council of the Union of Municipalities of Romagna Forlivese no. 93/2018 [...], the definitive/executive project "Protected City 2020 - 2nd and 3rd phase" [...] was approved, drawn up by the [...] IMF [...] and the presentation of the same to the Prefecture [competent ], by virtue of the provisions of the Legislative Decree. 20 February 2017 n.14 [...], [and] FMI was appointed [...] for the implementation of the above-mentioned project and for its subsequent management and reporting";

“[this] project […] includes the Falco application […]. […] [The] Falco System consists of a Web application on a centralized server and an app that runs on Android and IOS (Apple) mobile phones; the latter provides both its own functions and in connection with the video surveillance system [...] owned by the Municipality [...], managed at a technological level by FMI on the basis of existing agreements";

"the "Falco" app, after being downloaded onto a user's mobile phone, allows people to check whether they are in a video-surveillance area or not; if so, the user can decide to send an "alert" type report to the Operations Centers, highlighting [...] the camera filming the citizen who activated the report. This allows us to multiply the surveillance eyes on the city, in order to report situations of degradation, or which cause concern, but which do not require a call to 112, which remains the main way to request immediate assistance from the police. Falco therefore does not aim to replace the 112 function but rather to integrate it, allowing individual citizens to report situations that deserve to be highlighted especially to the Local Police, increasing the perception of city safety in the population, as highlighted by the Police Commissioner and the Prefect during the evaluation of the project at the [Provincial Committee for Public Order and Security] […]”;

“Falco also has a server-side application, made available to the Local Police, with which it will be possible to track all the anonymized reports sent via the mobile phone app in order to identify which areas have more or fewer reports over time, in order to be able to integrate the analysis of the Local Police Command with respect to the areas to be monitored most in the city";

“the “Falco” system does not carry out any tracking of the routes taken by citizens, nor does it store their movements. Only if a voluntary report is made by the citizen himself, the telephone number associated with the geographical coordinates (static) of the report and the timestamp is temporarily stored (for 7 days), to allow the Operations Centers to possibly call back the person who made the report. the reporting. After 7 days, the telephone number associated with the coordinates is deleted from the archives, effectively fully anonymizing the data which will remain available, for statistical purposes only, the static GPS coordinates of the report and the timestamp in which it was made, without any direct or indirect reference to the person who carried it out";

“the application, as designed and structured by FMI […], therefore constituted an integral part of a project on urban security presented to the [provincial public order and safety] Committee. In 2021 the project was approved and deemed worthy by the Technical Committee, the Prefecture and the Police Headquarters, as a valid initiative to increase citizens' perception of safety; was co-financed by the Ministry of the Interior associated with other video surveillance interventions in the "Protected City 2020" project as part of a tender for video surveillance and security in cities [...]";

"when the project was presented to the Prefecture in 2021, the Municipality [...] still joined the Union of Municipalities of Romagna Forlivese for the performance of local police functions. Following the withdrawal of the Municipality of Forlì from the Union (1/1/2022) and the consequent reacquisition of local police skills, the Municipality decided to use the Falco app to support and enhance related activities to the local police service";

“Falco was uploaded in beta version by FMI on the Apple and Google stores in December 2021. […] In the beta version of April 2022 the application would have allowed the citizen only to: 1. make a report specifying the type among the categories proposed by Falco (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying, other reports); 1. Make a call to 112 by pressing the relevant button (112) with redirection to the user's mobile phone keypad. On the back-end side, as anticipated, it was only possible to temporarily trace (for 7 days) the telephone number associated with the geographical coordinates of the report and the timestamp, to allow the Operations Centers to possibly call back the person who made the report";

"it is specified that in this phase the Local Police has not proceeded with the processing and management of any reports, except on a random basis, and only to support FMI in the application testing phase, awaiting explicit directives for the Operations Center regarding the “privacy” regulation and the application instruction manual”;

"at the same time as the formal detachment of the Municipality […] from the UCRF, the [Data Protection Officer – “DPO”] was appointed […, who], in the month of April 2022, represented to the administration the urgency of accelerating the regularization of video surveillance projects and the connected Falco application. The representatives of the FMI company also participated in the meetings [...] as data controller";

“[...] the body has structured an alignment path [for the purposes of] the regularization of all processes, comprising the following steps: 1. Priority identification of the legal bases of video surveillance processing and management of related applications in the relevant regulation of the City Council and in any further general administrative acts (council resolutions, managerial decisions, agreements with the UTG, etc.); 2. Detail in the same regulation of the general principles and purposes of the systems, the methods of processing and the fundamental rights of the interested parties; 3. Postponement of organizational details to secondary measures, such as the technical specifications, a fundamental tool for giving greater robustness to the legal basis; 4. Opening of the regulatory instrument towards possible joint agreements and technological innovation with evaluation of the involvement of the Prefecture in the shared use of the Falco app, given the evaluations of appreciation received from the Public Order and Security Committee, the Prefecture and the Police Headquarters at the time of presentation of the project in 2020 and which led to obtaining financing from the Interior Ministry; 5. Carrying out a risk assessment and a privacy impact assessment limited to video surveillance systems; 6. Adoption of a risk assessment and an impact assessment for the Falco application being tested, with possible activation of the preventive consultation mechanism pursuant to art. 36 [of the Regulation] in case of [impact assessment] with risk outcome high; 7. Drafting of cascade documents, including appointments, training and instructions to those authorized pursuant to art. 29 [of the Regulation], appointments pursuant to art. 28 [of the Regulation], etc.”;

"in [light] of the assessments carried out with the [RPD], the Entity proceeded with the perimeter of the processes by responsibly following the defined timeline, i.e. starting from the primary and absolute need to correctly identify and define the legal basis of processing, not trivially identifiable in the execution of a task of public interest or connected to the exercise of public powers (art. 6, par. 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code) [ …]”;

"in one of the first fundamental meetings, held on 26 April 2022 [...] it was chosen to explain in a more clear and transparent manner to interested parties through a privacy policy that the application was in the testing phase and that this would be extended (at least) until May 31, 2022, with evaluation of extension";

“in the information published on the institutional website […] the Municipality […] identified FMI […] as the data controller […] for the processing connected to the app. Falcon. The normal inconsistencies found [by] the Authority by virtue of the different information published on the FMI website (which instead indicated itself as the data controller) are the litmus test of the transitional phase we were going through. To date, in fact, the ownership of the processing remains with the FMI company [...], as the formalization of the structural steps is still in progress (sharing of processes with the Prefecture, signing of agreements, risk assessment, dedicated DPIA etc.), following which the Municipality [...] will become an independent data controller, within a well-defined perimeter of legal bases, purposes of the processing and consequent identification of the roles assumed by third parties, including, of course, FMI [ …] identified as responsible […] for the processing pursuant to art. 28 [of the Regulation]. The information provided on the Municipality's website outlines a situation which, although formally inaccurate (given the ownership still lies with FMI), describes a de facto existing hybrid situation";

"in the same meeting of 26 April 2022, it was suggested to the technical representatives of FMI to further reduce [...] "pro tempore", the scope of the application also from a technical point of view, bringing it back to an embryonic phase. Among the requests, those of: - Reducing the retention times of reports from 7 days to 24 hours; - Instantly anonymizing reports upon arrival on the server; - Reordering the optional reporting categories, pending future and possible agreements with the Prefecture, limiting them to: abandonment of waste, acts of vandalism and graffiti, road accidents - Deactivate the "other report" button to avoid sending information potentially containing non-processable personal data;

“the immediately following step was the involvement of the Council to share all the processes. On 6 July 2022 with Council Resolution no. 237, the "Project for the strategic and regulatory definition of the municipal video surveillance system with license plate reading gates and new technologies dedicated to integrated urban security" was approved;

“the technical specification, a further general administrative act, is the further tool suggested by the [RPD] of the Municipality and [by an external consultant] for further raising the profiles of lawfulness of the processing”;

"Furthermore, the involvement of the Prefecture was also recommended - at the same time as the presentation of the integrated urban security project and the inter-force connection - with a request for an opinion on whether or not their integration is necessary for the use of the app. co-financed by the Interior Ministry. The Prefecture of Forlì-Cesena was formally involved in the process outlined above, following a note from the Mayor of the Municipality [...] dated 13/07/2022 [...]";

“once these processes had been put in place, the legal basis had been well defined and the impact assessment had been carried out, we would proceed with the formalization of the appointments pursuant to art. 28 [of the Regulation] (the one relating to the Falco management already in the possession of the Municipality in draft version), the appointments pursuant to art. 29 [of the Regulation] for those authorized to process and the cascade actions including, very importantly, the instructions to be provided to local police operators responsible for using the application. From April 2022 to July 2022, the Municipality [...] therefore proceeded to produce the regulations and documents to align with the regulations in force";

“on 8 June 2022, the FMI company communicated via email to the organization that the Falco application had been reactivated for the part dedicated to the possibility of sending reports. […] The Local Police continued and still continues not to manage any reports, stopped in its operations by the lack of explicit directives and the instruction manual, as resulting from the communication from the Central Operational Section of the Local Police Force of Forlì, dated 13 July 2022 […];

"following [the start of the investigation by the Guarantor] [...] the Entity asked FMI to immediately proceed with disabling the application, [...] with certified e-mail addressed to the FMI company [...] on 12 July 2022 […]”;

“among the further requests made to the FMI company are those to: - Anonymize all the reports received and currently present in the Falco database which have been stored for less than seven days, as was done in the first weakening; - Remove the App from the Stores, blocking the download; - Disable the possibility of sending reports by type (making the application inactive even on the smartphones of users who had previously downloaded it); - Disable the “112” button. These technical changes were carried out by FMI [...] on 11 July 2022 (as resulting from the report dated 07/15/2022 signed by the FMI Technological Development Manager [...])";

“once the processes have been finalised, the Municipality's intention [...] is to evaluate the signing of two different appointments pursuant to art. 28 [of the Regulation] with the […] FMI […], one having as its object the general video surveillance system, the other the app. Hawk specifically. At present, the appointment relating to the app. Falco was delivered to the Municipality by the DPO in draft version while waiting for the process for the transfer of ownership from the company to the Municipality to be completed";

“[…] no personal data was ever actually processed by the Local Police, who limited themselves solely to randomly contacting some users, who in most cases reported having made an attempt to see how the application worked [… ]; the experimentation did not actually end on May 31, 2022, since the server-side part of Falco, with related software dedicated to data management by the Local Police, never entered into full operation with precise organizational regulations, formal and adequate”;

“the application stores […] only the active position at the time of the report if the user has given consent to sharing this data with the Falco application in the menu of his mobile phone. No processing of user paths is carried out for any reason whatsoever";

“the application […] [uses] the [video surveillance] system […]. The objective, [...] was not to achieve an automatic activation of certain cameras following the report, but rather to put in the foreground, on the screens of the operations centre, videos already present at the time of the report made by the citizen ”;

“contrary to what was declared by FMI in the information published on their website, there is no connection between the Falco Application and the use of drones, nor are there any automatic mechanisms between the drones and the Falco management software. Therefore the reference to drones contained in the IMF information is absolutely incorrect”;

“the Municipality is currently in progress with the drafting of the [data protection impact assessment] […]”;

“the reports received by Falco since the first experimental activation (April 2022), including the numerous test and functionality tests carried out by FMI during the verification phase of the various versions of the application, are 568. They are all anonymised date of 7/11/2022; those older than 7 days were already older following the functionality implemented on the server side which provides for their automatic deletion. Since the reactivation date (8 June 2022) only 86 reports have been received by Falco of which: - 16 for abandoned waste reports; 41 Other (it is not specified what they concern, only a situation of general discomfort of a citizen who cannot find a suitable report for what he wants to express is reported), often these are tests carried out out of curiosity; - 16 calls made to 112 via the app. falcon; - 4 reports for graffiti - 5 reports for vandalism - 1 for an area where alcohol is consumed - 1 for an area where drugs are used - 2 reports for a road accident. From the software reporting, none of these reports made appear to have been processed by the Local Police, not even after the reactivation on 9 June, due to the organizational problems expressed in the previous paragraphs";

"in fact - the application never actually left the testing phase and the local police did not process any data deriving from it for the management of reports [...]".
In response to a further request for information from the Authority (see note prot. 0082766 of 17 December 2022), the Municipality, with note dated 11 January 2023 (prot. no. 0003022/2023), declared, in particular, that:

"the information on the processing of personal data was prepared upon indication of the [RPD] of the Municipality [...] in April 2022 and made available to interested parties on the institutional website of the Municipality in the initial version dated 22 April 2022 and in the one updated on 2 May 2022";

it was also "provided to interested parties directly within the "Falco" IT application" by the FMI;

“the Municipality, data controller, has adhered to the views of its [RPD] […] and of the consultant in charge […] asking FMI […] on 12 July 2022 […] the immediate suspension of the application and the weighing of the risks for the rights and freedoms of the interested party, with assessments and consequent decisions that the investee company has taken in full autonomy";

a "memorandum of understanding was stipulated between the [competent] Prefecture and the Municipality [...], Prot. 80936 of 7/12/2021, concerning state financing pursuant to Legislative Decree. 20 February 2017 n. 14 […], of the “Forlì Città Protetta 2020” project, which includes the “Falco” application”.

With a note dated 10 May 2023 (prot. no. 0075074), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, in its capacity as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, to have:

- acted in a manner that did not comply with the principles of "accountability" and "data protection by design and by default", in violation of articles. 5, par. 2 (in conjunction with art. 24) and 25 of the Regulation;

- failed to provide interested parties with information on data processing in the period between December 2021, in which the application was made available online, and 21 April 2022, and, after this period, for having provided to users with incorrect information regarding some essential aspects of the processing, having acted in violation of the articles. 5, par. 1, letter. a), and 13 of the Regulation;

- failed to stipulate a data protection agreement with FMI, in violation of art. 28, par. 3, of the Regulation;

- failed to draw up a data protection impact assessment, in violation of art. 35, par. 1, of the Regulation;

- acted in a manner that did not comply with the principle of "integrity and confidentiality" and in violation of the articles. 5, par. 1, letter. f), and 32 of the Regulation, in relation to the configuration of the methods of access to the IT system for managing reports.

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l. 24 November 1981, n. 689).

With a note dated 6 June 2023 (protocol no. 0071601/2023), the Municipality presented a defense statement, declaring, in particular, that:

the Municipality “has always and consistently acted in absolute good faith; any errors or shortcomings, possibly found, are the result of the ongoing structuring [of] the process [...] linked to video surveillance processing [...] [in a period in which] the Municipality found itself facing at a single moment both the implementation of the Protected City project, and the complete reconstruction of every privacy requirement, following the separation of the local police force from that of the Union, with a severely reduced staff and in the absence of the figure of the Local Police Commander, provisionally replaced by an interim manager, already burdened with other significant managerial roles";

“[…] the untimeliness of the appointment pursuant to Article 28 of the IMF (then formalized in August 2022) was caused by the transitory nature of this phase”;

“no personal data has ever actually been processed by the Local Police. From a substantial point of view, the damage to the rights and freedoms of citizens is almost nil. The reports received by Falco, from the moment of the first activation on an experimental basis until July 2022, including tests and functionality tests carried out largely by the FMI itself during the verification phase, were a total of 568, all anonymized as of the 11th July 2022; moreover, those older than 7 days had already been previously. deleted, thanks to an automatic deletion feature. From the reactivation date of 8 June 2022 (the application was presented in a further weakened version: in fact, please refer to the previous notes, which illustrated that, in the absence of an agreement with the Prefecture, only three items selectable by the citizen) and until 11 July 2022 (therefore compared to only 33 days of actual activation), only 86 reports were received by Falco, mostly involving trials and beta tests. From the software reporting, none of these reports appear to have been processed by the Local Police [...]";

“[…] the Falco app (reactivated for 33 days solely for the purpose of continuing testing) has always remained in its beta version, with reports mostly sent by FMI employees in order to test the various functions, and with the making available on the main stores solely for the purpose of evaluating the front-end performance of the application. We reiterate: uploading the app to the stores did not represent its definitive activation, but it was the necessary testing phase, fundamental in order to be able to technically evaluate the stability of the application before the official release";

"it is believed that the actions of the Municipality of Forlì which are the object of the dispute are characterized, at most, by slight negligence, deriving from the untimeliness in carrying out obligations which, in any case, were in progress well before the request for information of the Authority”;

“the approval of the project within the Committee for Public Order and Security led the actors to temporarily perceive privacy obligations as secondary”;

“a long phase of in-depth "questioning" of everything achieved up to that point began, starting from April 2022, together with the proactive collaboration of an external consultant, with the creation of an operational plan strategic plan aimed at implementing, within a short timeframe, all the necessary obligations. Among other things, it should be remembered that the Falco app had already been turned off in April, on the initiative of the Municipality [...], precisely because the importance of applying privacy principles right from the design phase was strongly perceived at municipal level" ;

"it was not possible to appoint external managers without having completed the processes for defining the roles and functions and without previously understanding, through a specific risk assessment, what security measures to expect from the FMI [...], the company creating the software, before the definitive release of the latter”;

"[...] the Municipality ordered FMI to proceed with the deactivation of the application, starting from 12 July 2022. The negative repercussions on citizens' rights were therefore eliminated with immediate effect, without delay".

3. Outcome of the preliminary investigation.

3.1 The processing of personal data carried out as part of the "Falco" project.

At the end of the investigation, as reconstructed above, it emerged that, within the scope of the so-called "Falco" project, the Municipality, making use of the FMI, has created an IT system consisting of a "Web on centralized server" type component and, on the user side, a specific IT application for mobile devices (see protocol note . no. 0083196/2022 of 18 July 2022).

The IT application called "Falco" allowed users to verify their presence in an area subjected to video surveillance by the Municipality, as well as to send reports relating to possible situations of degradation or general potential risk - not such as to make a emergency call - highlighting for the local police operators, responsible for viewing the video surveillance images, the specific videos transmitted by the camera present at the reported location.

As for the server-side application of the Falco system, it was made available to the Local Police for tracking all the anonymized reports sent via the aforementioned application, in order to identify which areas presented more or fewer reports over time, facilitating the analysis of the Local Police Command regarding the areas of the municipal territory to be monitored most. It was only possible to temporarily trace (for seven days) the telephone number associated with the geographical coordinates of the report and the so-called timestamp, to allow the Operations Centers to possibly recall the user who made the report. After seven days, the telephone number associated with the coordinates was deleted from the archives, leaving the static GPS coordinates of the report and the timestamp in which the report was made available for statistical purposes only.

On a temporal level:

the "Falco" application was made available in the online stores "Google Play Store" on 20 December 2021 and "Apple Store" on 26 January 2022, in a version that allowed the user to send a report to the local police , without the possibility of classifying it with predefined settings; furthermore, the user could activate the "keypad" functionality of the telephone preset with the number 112; the reports could be voluntarily anonymized by the user, by pressing a specific button, and were in any case automatically anonymized, by deleting the telephone number associated with the static geographical position of the terminal from which the report came, seven days after the date of sending of the same (see IMF report sub annex 9 to protocol note 0003022/2023 of 11 January 2023);

on 6 April 2022, the application was modified as follows: the possibility of specifying the type of report from a predefined list of items (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying, other report); the possibility for the user to anonymize their report before the seven-day deadline has been eliminated; the possibility of attaching a photograph has been introduced, but only if taken from scratch, i.e. without the possibility of choosing a photo already saved in the user's terminal (ibidem);

from the end of April 2022 the application was deactivated, only to be reactivated at the beginning of June 2022 (see report of the Municipality's RPD sub annex 5 to protocol note no. 0083196/2022 of 18 July 2022 );

on 11 July 2022, following the start of the investigation by the Authority, the application was removed from online stores (see the aforementioned IMF report) and all the reports received were anonymised.

It also emerged that during normal use of the application, a request was sent to the server every 3.5 seconds containing a so-called digitally signed token, associated with the user's telephone number and the static position of the device, which would have been "discarded (deleted from the server memory) after a verification of the signature and the expiration date of the same, as its purpose is exclusively to prevent the robots from massively contacting the web service", without it being "ever stored even temporarily on a database, not even as a cache or backup"; the static geographical coordinate was "never saved in any case[;] upon receiving the request to the webservice, [it was] compared with the list of video-surveillance areas (geometric polygons saved in the database) and calculated if it was within one of them or not. The result of this verification [was] sent to the app and the coordinates [were] eliminated without ever being stored in any database, either support or transit" (see IMF report sub annex 9 to protocol note 0003022/ 2023 of 11 January 2023).

Having summarized the main characteristics of the Falco system in this way, it is noted that the processing of personal data carried out by the Municipality, also with regard, more generally, to the management of the municipal video surveillance system, has resulted in the violation of certain provisions of the relevant legislation of data protection, explained in detail below.

3.2. Violating the principles of accountability and data protection by design

The data controller, as the subject on whom decisions regarding the purposes and methods of processing the personal data of the interested parties fall, bears a "general responsibility" for the processing carried out (cons. 74 of the Regulation). Based on the principle of "accountability", it is, in fact, competent for compliance with the data protection principles (art. 5, par. 1, of the Regulation) and must be able to prove it (art. 5, par. 2 , of the Regulation). This will also be done by implementing adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation (art. 24, par. 1, of the Regulation).

In particular, in consideration of the risk looming over the rights and freedoms of the interested parties, the data controller must - "from design" and "by default" (art. 25 of the Regulation) - adopt adequate technical and organizational measures to implement the principles of data protection, integrating into the processing the necessary guarantees to satisfy the requirements of the Regulation and protect the rights and freedoms of the interested parties (see "Guidelines 4/2019 on article 25 - Data protection from design and for default setting”, adopted by the European Data Protection Board on 20 October 2020, especially points 42, 44 and 49).

In this case, as highlighted above, the "Falco" application was made available in the "Google Play Store" online stores on 20 December 2021 and "Apple Store" on 26 January 2022.

From the documentation in the documents it emerges that:

the "Falco" application was made available "in beta version" by [...] FMI, on behalf of the Municipality, although it "still had to be tested by the company's technicians" (note from the Municipality of 18 July 2022, protocol

already in the month of December 2021, the newly appointed RPD of the Municipality, during the first meetings with the representatives of the Institution, represented "the urgency for the administration to give priority to the regularization of video surveillance projects and the connected application and already active […] called “Falco””. An external professional was also involved who "confirmed the assessments expressed by the [DPO] regarding the critical issues regarding the use of video surveillance systems and related applications lacking an adequate organizational structure" (see the DPO's report, sub annex 5 to the protocol note 0083196/2022);

based on the findings made by the DPO and the external consultant, the Municipality, in April 2022, planned a series of actions to ensure compliance with the legislation on the protection of personal data, including the "identification of the legal bases of the processing of video surveillance and management of connected applications", the "carriage of a risk assessment and a privacy impact assessment limited to video surveillance systems", the "adoption of a risk assessment and an impact assessment for the 'Falco application being tested, with possible activation of the preventive consultation mechanism pursuant to art. 36 [of the Regulation] in case of [impact assessment] with a high risk outcome" and the "drafting of cascade documents, including [...] [the] appointments pursuant to art. 28 [of the Regulation], etc.” (ibidem);

only "once these processes had been put in place, the legal basis had been well defined and the impact assessment had been carried out" would the Municipality have "proceeded with the formalization of the appointments pursuant to art. 28 GDPR (the one relating to the Falco management already in the possession of the Municipality in draft version) [...] and the cascade documents including, very importantly, the instructions to be provided to the local police operators responsible for using the application" (ibidem ).

on 15 April 2022 a meeting was held between the Municipality and the IMF. and, on that occasion, the DPO discussed the "lawfulness profiles of the app and the state of the [video surveillance] systems in general, highlighting the first evident critical issues" (ibidem);

on 21 April 2022, the DPO, in agreement with the external consultant, sent an email to the Municipality, "confirming the urgency of the situation" (ibidem);

despite the RPD having invited the Municipality "to be cautious by suggesting to suspend the operation of the application until the conclusion of all the processes, in particular the drafting of a dedicated specification and an ad hoc [impact assessment], the The organization first deactivated the application and then, on 8 June, reactivated it, in contravention of the RPD's instructions (ibidem);

on 22 April 2022, the RPD wrote to the Municipality contact person "an urgent communication", containing "a first draft of the privacy information drawn up specifically for the Falco app", highlighting "the need for it to be published on the institutional website in the relevant section and that it was clearly specified that [the same] referred to an active application in the experimental phase” (ibidem);

on 26 April 2022, the RPD called "again and repeatedly on the administration to exercise prudence", suggesting "to suspend the app pending compliance with the regulations and to weaken it in its embryonic state, while waiting to define all the processes" ( ibidem);

the RPD urged the need to "limit the scope of application to "urban safety" only (with the exclusion of activities related to public safety), advising to remove the items "bullying" and "violence" from the types of reports that can be optioned by the citizen" (ibidem);

in April 2022, a "beta" version was made available, which allowed the citizen to "make a report specifying the type among the categories proposed by Falco (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying , other report)" and "make a call to 112 by pressing the relevant button (112) with redirection to the user's mobile phone keypad", although, in this phase, "the Local Police did not proceed with the processing and management of any reporting, if not on a random basis, and only to support FMI in the application testing phase, awaiting explicit directives for the Operations Center regarding the "privacy" regulation and the application instruction manual" (ibidem);

the RPD, together with the external consultant, suggested "updating the information relating to Falco again to align them with the choices made, also outlining an ideal operational timeline, including the creation of an ad hoc VDS regulation as a legal basis and the related specifications, the elimination of all personal data collected and the creation of a specific DPIA" (ibidem);

on 27 April 2022, the RPD, in agreement with the external consultant, sent a "new wording to be uploaded to the site, in the section dedicated to the Falco app, with emphasis on the weakening and the experimental phase" and "summarizes", again once, the steps to adapt the information" of both the site and the application (ibidem);

on 29 April 2022, the DPO sent "an updated version of the information" (ibidem).

on 30 April 2022, the Municipality's external consultant "outlined the path to regularize the processes, with particular attention to the falco application" (ibidem);

on 4 May 2022, the DPO warned that even if we proceeded with the "appointment of an external manager or the adoption of regulations and procedures before the approval of the regulation (legal basis) it would in any case lead to a sanction, as it was totally the entire privacy by design part is lacking", reiterating the need to "follow the [...] operational timeline" (ibidem);

on 6 July 2022, the RPD sent a communication to the Municipality, reiterating "the suggestion to suspend the Falco App until the entire regulatory compliance process has been completed - started, but [...] still considered not sufficiently robust", with particular regard to "the attachment of the legal basis and the risk and impact assessment" and "considered it prudentially more correct that the entire [video surveillance] system and the architecture of the Falco project be regularised, before allow citizens to use it". At the same time, the DPO asked an engineer to carry out "an initial technical evaluation of the app and the related privacy risk profiles preparatory to the risk assessment and impact assessment". This engineer "in addition to confirming the doubts that emerged, noted the high probability that a prior consultation with the Guarantor should have been carried out, following the outcome of an [impact assessment] which would almost certainly have reported a high impact on the rights and the freedoms of the interested parties” (ibidem);

on 11 July 2022, the DPO received "a copy of Council Resolution no. 38 of 6 June 2022 approving the [video surveillance] Regulation and Resolution no. 237 of 6 July 2022 with which the Council adopted the integrated urban security project" (ibidem);

on 11 July 2022, the Municipality asked the FMI to immediately proceed with disabling the application.

From the reconstruction of the events that occurred, it emerges, therefore, that the Municipality, starting from December 2021, made the "Falco" IT application available to users despite the fact that it had not yet been tested and, subsequently - despite the critical issues of data protection on several occasions highlighted by the DPO and an external consultant as early as December 2021 and then more specifically in the month of April 2022 (with particular regard to the failure to evaluate the applicable legal basis and the absence of internal acts of the 'Body that fully regulates the processing, the analysis of the risks deriving from the processing, through a prior impact assessment on data protection, the definition of the relationship with the data controller, the operating instructions for those authorized to process and the categories of personal data being processed) - continued to use the aforementioned application (with an interruption between the end of April 2022 and the beginning of June 2022), until 11 July 2022, despite being fully aware of these critical issues.

It should also be noted that, in the first version of the application, uploaded to online stores in the period December 2021-January 2022, users could freely make a report, without the situations that could potentially be the subject of a report having been predetermined ex ante .

Even in the subsequent version of 6 April 2022, although a predefined list was inserted to classify the report, the possibility of making a report of another type not specifically indicated was still left, thus exposing the data controller to the possibility of collecting and process personal data that is not necessary or irrelevant to the purpose pursued or personal data relating to particular categories (see art. 9 of the Regulation) or to criminal convictions and crimes (art. 10 of the Regulation), in the absence of a legal basis. Furthermore, by allowing users to send reports also in relation to episodes of domestic violence and bullying - cases of potential criminal relevance (see art. 610 c.p.) certainly not attributable to the administrative functions of the Municipality - the Institution has further exposed itself to this risk.

The Municipality has, therefore, implemented the processing of personal data, through the "Falco" application, without ensuring that the data protection profiles were taken into due consideration "both when determining the means of processing and when act of processing”, identifying and implementing adequate technical and organizational measures with respect to the risks deriving from the processing (art. 25 of the Regulation). This is also in order to ensure compliance with the principles regarding data protection (art. 5 of the Regulation) already in the planning phase of the processing and development of the IT systems through which the same is carried out, as well as in order to correctly frame the processing of personal data carried out with regard to the identification of the legal basis applicable for each processing purpose.

The same considerations also apply with regard to the processing of personal data carried out by the Municipality through the municipal video surveillance system, with respect to which both the DPO and the external consultant had made the Municipality aware of the same critical issues with regard to the personal data protection profiles. The Municipality nevertheless continued to keep its video surveillance system active, despite being fully aware of the aforementioned critical issues. Only in the months of June and July 2022 did the Authority approve its regulation on video surveillance (see resolution no. 38 of 6 June 2022, sub doc. 8 of the protocol note no. 0083196/2022 of 18 July 2022) and the so-called project “integrated urban security” (see resolution no. 237 of 6 July 2022, sub doc. 9 to note prot. no. 0083196/2022 of 18 July 2022). Furthermore, as emerges from a note from the RPD dated 6 July 2022, in the documents, the Municipality had not stipulated an agreement for the implementation of urban security, through video surveillance systems, with the territorially competent Prefecture (as required by art. 5 , paragraph 1, letter a), of the legislative decree 20 February 2017, n. 14), had not proceeded to stipulate a data protection agreement with the data controller (i.e. the FMI) and had not identified those authorized for processing (see annex sub doc. 12 to the protocol note no. 0083196/2022 of 18 July 2022).

In light of the foregoing considerations, it must be concluded that the Municipality acted in a manner that did not comply with the principles of "accountability" and "data protection from design and by default", in violation of articles. 5, par. 2 (in conjunction with art. 24) and 25 of the Regulation.

3.3 Transparency of processing

Based on the principle of "lawfulness, correctness and transparency", personal data must be processed in a lawful, correct and transparent manner towards the interested party (art. 5, par. 1, letter a), of the Regulation).

In compliance with this principle, the data controller must take appropriate measures to provide the interested party with all the information referred to in the articles. 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, with simple and clear language (art. 12 of the Regulation; see Working Group art. 29, "Guidelines on transparency pursuant to Regulation 2016/679 ”, WP260 rev.01 of 11 April 2018, endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018).

In the present case, the Municipality provided the information on the processing of personal data to users of the "Falco" application only on 22 April 2022, publishing the same on its institutional website, with subsequent updating of the same on 2 May 2022.

Therefore, in the period between December 2021, in which the application was made available online, and 21 April 2022, the Municipality failed to provide interested parties with its own information on the processing of personal data, acting in violation of the articles 5, par. 1, letter. a), 12, par. 1, and 13 of the Regulation.

Furthermore, in this regard, the information provided by FMS - incorrectly qualified as data controller - to all users, directly within the application, cannot be taken into consideration, on the assumption that the "Falco" application can also be used by citizens of other Municipalities with which the FMI has agreements in place for the use of the service.

It also appears from the documents that, within the application, the FMI, at the request of the Municipality, included a brief information on data processing, dated 28 April 2022, which did not, however, refer to a complete text of the itself. Subsequently, on 3 May 2022, a more extended version of the information was inserted into the application, which corresponds to the one published on the institutional website of the Municipality on 2 May 2022.

However, the information dated 22 April 2022 did not fully comply with the requirements of the Regulation (see art. 13, par. 2, letter a). In fact, it was stated that until 31 May 2022, i.e. in a phase defined as experimental, the retention times of reports would be limited to twenty-four hours. This circumstance is not, however, reflected in the IMF report (sub annex 9 to note protocol 0003022/2023 of 11 January 2023), in which, with regard to the Authority's request to clarify the differences, in terms of functionality of the application, among the different versions of the same that have occurred over time, only a first version of the application for the period December 2021-January 2022 is given (with reporting retention times of seven days) and a second version of the itself, released on 6 April 2022, with the same retention time of seven days (with the sole disabling of the possibility for the user to anonymize their report before the seven-day deadline).

The same considerations also apply to the subsequent version of the information dated 2 May 2022, which states that, during the experimental phase of the application, which will end on 31 May 2022, "data retention times are eliminated", a circumstance which is not reflected in the aforementioned IMF report.

Furthermore, neither version of the information takes into account the fact that, while using the application, it acquired the static geographic coordinates of the device every 3.5 seconds.

In light of the foregoing considerations, it must be concluded that the Municipality, in the period between December 2021, in which the application was made available online, and 21 April 2022, failed to provide interested parties with its own information on the processing of personal data, and, after this period, has provided users with incorrect information regarding some essential aspects of the processing, having acted in violation of the articles. 5, par. 1, letter. a), and 13 of the Regulation.

3.4 Failure to define relationships with the data controller

Pursuant to art. 28, par. 3 of the Regulation, "processing by a data controller must be governed by a contract or other legal act pursuant to 26 Union or Member State law, which binds the data controller to the data controller, which stipulates the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller", and which provides for all the commitments provided for by the same art. . 28, par. 3 of the Regulation (see paragraph 81 of the Regulation).

The contract or other legal act must be "stipulated in written form, including in electronic format" (art. 28, par. 9, of the Regulation).

As clarified by the European Data Protection Board, "since the Regulation clearly establishes the obligation to conclude a written contract, if no other relevant legal act is in force there is a violation of the [Regulation], or of the " Article 28, paragraph 9, of the [Regulation]". Considering that "both the data controller and the data controller have the responsibility to guarantee the existence of a contract or other legal act that regulates the processing", the competent supervisory authority "may impose a pecuniary administrative sanction on both the data controller and to the data controller” (“Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, para. 103).

Therefore, where, as in the present case, "a data controller-processor relationship exists [...] even in the absence of a [valid] written processing agreement" - since the person processing the data actually carries out the processing not for its own purposes but on behalf of the client, as part of an activity outsourced by the latter and in the execution of a service contract or other similar legal relationship existing between the parties (see the definition of "responsible for processing” referred to in art. 4, par. 8, of the Regulation) - “this implies […] a violation of article 28, paragraph 3, of the [Regulation]” (ibidem).

Having said this, it should be noted that, as emerged during the investigation, the Municipality has over time entrusted the execution of a series of services to the FMI, namely:

with resolution of the Municipal Council n. 333/2017, maintenance and support activities for the management of automatic video control systems for infringements of the Highway Code for access to the ZTL and those for detecting goods movement;

with resolution of the City Council n. 111 of 12/19/2018 and with subsequent contract no. 91 of 6/6/2019, to the management of the Municipality's video control system and connected to urban surveillance. In this contract, FMI was identified as "data controller for the areas of its competence";

with resolution of the Municipal Council n. 200 of 06/23/2021, the maintenance of the systems and technical equipment of the video surveillance systems to be carried out as part of the "Protected City 2020 - 2nd and 3rd phase" project, which also includes the "Falco" application.
Although the FMI, in the context of the provision of a plurality of services in favor of the Municipality, has processed and processes personal data on behalf and in the interests of the same, acting, therefore, as "data controller" (art. 4 , par. 1, n. of the Regulation), the Municipality has failed to stipulate a contract with the same on the protection of personal data, as required by the art. 28 of the Regulation.

In this regard, it is noted that, on 26 April 2022, the FMI itself had asked the Municipality to "be classified as external manager pursuant to art. 28 [of the Regulation], with the consequent need to sign the appropriate nominations" (see the report of the DPO, annex 5 to the note prot. n. 0083196/2022). On 28 April 2022, the Municipality's RPD and its external consultant also highlighted the need for "FMI [to be] classified as external data controller" (ibidem). And again, on 4 May 2022, the DPO sent "a communication to the IMF contact person, in response to his request to send the appointments pursuant to art. 28, highlighting that only following the implementation of the [video surveillance] regulation [...] and all the consequent acts, in particular disciplinary and dpia, [the Municipality would] have been able to proceed with the appointments". Nonetheless, as declared by the Municipality, the formalization of the agreement only took place "in August 2022".

The Municipality, as data controller, has therefore failed, until August 2022, to stipulate a data protection agreement with the FMI, which - as a company with complete public participation, entrusted with multiple services to be part of the Municipality - was actually acting as data controller, in violation of the art. 28, par. 3 of the Regulation.

3.5 Failure to assess the impact on data protection

In case of high risks for data subjects - arising, for example, from the use of new technologies - the data controller must carry out a data protection impact assessment, in order to adopt, in particular, appropriate measures to address these risks, consulting the Guarantor in advance, where the conditions exist (see articles 35 and 36 of the Regulation).

In this case, the use of the "Falco" application involved the collection of data on the geographical position of the users, as well as implied the possibility that, even in the case of abusive or unauthorized access, third parties could become aware of the reports made , with possible retaliatory consequences for the interested parties. As illustrated above, however, the collection of personal data relating to crimes, which by their nature are particularly sensitive, could not be excluded.

Although, therefore, the processing resulting from the use of this application, potentially made available to all citizens, presented a high risk for the rights and freedoms of natural persons, the Municipality did not prepare an impact assessment on the protection of data before starting the processing in question (see the “Guidelines on data protection impact assessment and determination of whether the processing “may present a high risk” for the purposes of Regulation (EU) 2016/679 ”, adopted by the Article 29 Working Group on 4 April 2017, WP 248 rev.01, endorsed by the European Data Protection Committee with “Endorsement 1/2018” of 25 May 2018, with particular regard to data criteria of a highly personal nature, such as those relating to location or the processing of which may have serious repercussions on the daily life of the data subject, as well as large-scale data processing).

The Municipality therefore acted in violation of the art. 35, par. 1, of the Regulation.

3.6 The safety of the treatment

The art. 5, par. 1, letter. f), of the Regulation establishes that personal data must be "processed in a way that guarantees adequate security of personal data, including protection, through appropriate technical and organizational measures, from unauthorized or unlawful processing and from loss, destruction or from accidental damage” (principle of “integrity and confidentiality”).

In application of this principle, art. 32 of the Regulation, concerning the security of the processing, provides that "taking into account the state of the art and the costs of implementation, as well as the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk [...]" (para. 1) and that "in evaluating the adequate level of security takes into account in particular the risks presented by the processing which derive in particular from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted , stored or otherwise processed” (par. 2) (see paragraph 83 of the Regulation).

At the end of the preliminary investigation it emerged that the operators of the local police of the Municipality, "in the absence of personal credentials for consulting the reports made by users, in the absence of specific service instructions from the Deputy Commander [...]", accessed the data collected through the Falco application "using the generic password provided by FMI", therefore not having specific and personal authentication credentials to access the IT system (see note from the local police of the Municipality of 13 July 2022, in documents ).

Taking into account the nature, object, context and purposes of the processing, which involved the acquisition and management of reports made by users, with the collection of personal data relating to the reporting person, such as the telephone number and the location of the device, it is believed that the aforementioned methods of access to the IT system cannot be considered adequate from a security point of view (see provision dated 10 June 2021, n. 236, web doc. n. 9685947).

The use of non-nominal users, by multiple subjects, prevents, in fact, from attributing the actions carried out in an IT system to a specific subject, with prejudice, also for the data controller and data processor, who are in fact private individuals. of the possibility of controlling the actions of subjects acting under one's authority.

Furthermore, when a non-nominal user, such as the one in question, is used by multiple subjects, situations may arise in which there is no consistency between the authorization profiles assigned and the actual operational needs for the management of the systems, thus making possible for an unauthorized person to operate, in the absence of a specific will of the data controller or data processor, within the processing systems and services (see provision dated 4 April 2019, no. 83, web document no. 9101974; 14 January 2021, no. 4

Furthermore, the use of "authentication credentials for the exclusive use of subjects operating under his or her authority or that of the data controller" in the previous regulatory regime was expressly envisaged as a minimum security measure which all data controllers were required to adopt. (pursuant to the technical specifications referred to in Annex B to the Code, in the text prior to the amendments referred to in Legislative Decree no. 101/2018), the violation of which also entailed the application of a criminal sanction (see art. . 169 of the Code, in the text prior to the amendments referred to in Legislative Decree no. 101/2018).

For these reasons, in light of the methods of access to the information management system of reports, with the characteristics described above, the Municipality acted in a manner that did not comply with the principle of "integrity and confidentiality" and in violation of the articles. 5, par. 1, letter. f), and 32 of the Regulation.

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation are the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceeding and are insufficient to allow the dismissal of this proceeding, as, moreover, none of the cases envisaged by the 'art. 11 of the Guarantor Regulation n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Municipality is noted, for having processed personal data in violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1, of the Regulation.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, the Municipality has implemented two distinct behaviors, which must be considered separately for the purposes of quantifying the administrative sanction to be applied.

5.1 Violations relating to the processing of personal data using video devices.

Taking into account that violations of articles. 5, par. 2 (in conjunction with art. 24), 25 and 28, par. 3, of the Regulation, in relation to the treatments carried out using video devices, have taken place as a result of a single conduct (same treatment or treatments connected to each other), the art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in the present case, the most serious violation concerns the art. 5, par. 2, of the Regulation (in conjunction with art. 24), subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by the art. 83, par. 2, of the Regulation.

Considering that:

the violation concerns the processing carried out, over an extended period of time, using video devices (video surveillance and control cameras of the ZTL access areas), which may concern a very large number of citizens and other interested parties passing through the municipal territory ; However, the investigation did not reveal that they had suffered specific damages as a result of such processing (see art. 83, par. 2, letter a), of the Regulation);

although the Municipality had not stipulated an agreement on data protection with the FMI, the latter is a single-member limited liability company with complete public participation, whose ownership is in any case attributable to the Municipalities belonging to the Union of Municipalities of the Forlivese Romagna, including including the Municipality of Forlì; furthermore, the parties had in any case signed a service contract, the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties having been defined at least in general terms (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent in nature (see art. 83, par. 2, letter b), of the Regulation);

the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation), having, however, to consider that video surveillance systems, installed on public roads for the protection of urban safety, may involve the processing of personal data relating to crimes referred to in art. 10 of the Regulation (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in the specific case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:

the Municipality has a high degree of responsibility, having essentially failed to consider the data protection profiles underlying the processing in question, before implementing it and right from the design of the systems used (art. 83, par. 2, letter d), of the Regulation);

the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to remedy the violations, also resorting to the support of the DPO and expert consultants in data protection matters (art. 83, par 2, letter), of the Regulation);

there are no previous relevant violations committed by the Municipality (art. 83, par. 2, letter e), of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 10,000 (ten thousand) euros for the violation of the articles. 5, par. 2 (in conjunction with art. 24), 25 and 28, par. 3 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the video surveillance activity in question involved public places, implementing a processing of personal data that "allows [to detect] the presence and behavior of people in the space considered" (European Data Protection Committee, "Lines guide 3/2019 on the processing of personal data through video devices” of 29 January 2020, par. 2.1), without the overall compliance with the data protection principles having been guaranteed since the design of the video surveillance system, it is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., must be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

5.2 Violations relating to the "Falco" system.

Taking into account that the violation of articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1, of the Regulation, in relation to the processing carried out through the so-called “Falco” system, took place as a consequence of a single conduct (same treatment or treatments connected to each other), art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violations concern the articles. 5, 12 and 13, subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.

Considering that:

the processing concerned a limited number of interested parties compared to the total number of residents in the Municipality (approximately 116,726), given that, as declared by the Municipality during the investigation, the reports received from the moment of the first experimental activation (April 2022) , including the numerous test and functionality tests carried out by FMI during the verification phase of the various versions of the application, are n. 568, while from the date of reactivation (8 June 2022) n. 86 reports, for a total of no. 654 reports, including those relating to tests only (see art. 83, par. 2, letter a), of the Regulation);

although the Municipality had not stipulated an agreement on data protection with the IMF, the latter is a single-member limited liability company with complete public participation, whose ownership is in any case attributable to the Municipalities belonging to the Union of Municipalities of the Forlivese Romagna, including including the Municipality of Forlì; furthermore, the parties had in any case signed a service contract, the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties having been defined at least in general terms (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent (see art. 83, par. 2, letter b), of the Regulation);

the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation), having, however, to consider that, as illustrated above, the processing of data could not be completely excluded as a result of the reports submitted by citizens. personal data relating to crimes referred to in art. 10 of the Regulation (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in the specific case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:

the Municipality has a high degree of responsibility, having essentially failed to consider the data protection profiles underlying the processing in question, before implementing it and from the design of the systems used, having, moreover, acted, starting from the reactivation of the application, in June 2022, in a manner contrary to the guidelines expressed by the DPO (art. 83, par. 2, letter d), of the Regulation);

the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to remedy the violations, also resorting to the support of the DPO and expert consultants in data protection matters (art. 83, par. 2, letter), of the Regulation);

there are no previous relevant violations committed by the Municipality (art. 83, par. 2, letter e), of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 5,000 (five thousand) euros for the violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 28, par. 3, 25, 32 and 35, par. 1, of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the processing of the personal data in question took place in violation of the aforementioned provisions of the Regulation for an extended period of time, it is also believed that the additional sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter. f), of the Regulation, the illegality of the processing carried out by the Municipality of Forlì for the violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1 of the Regulation, within the terms set out in the justification;

ORDER

to the Municipality of Forlì, in the person of the legal representative pro tempore, with registered office in Piazza Saffi, 8 - 47121 Forlì (FC), C.F. 00606620409, to pay the total sum of 15,000 (fifteen thousand) euros as a pecuniary administrative sanction for the violations indicated in the justification. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Municipality in case of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 15,000 (fifteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of the law. n. 689/1981;

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the Guarantor's website, believing that the conditions set out in the art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to the articles. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 June 2024

PRESIDENT
Stantion

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei

[doc. web no. 10028498]

Provision of 20 June 2024

Register of measures
n. 374 of 20 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data and which repeals Directive 95/46/ EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING REGARD TO Legislative Decree 30 June 2003, n. 196 containing "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (hereinafter the “Code”);

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4 April 2019, published in the Official Gazette. n. 106 of 8 May 2019 and in www.gpdp.it, doc. web no. 9107633 (hereinafter “Guarantor Regulation no. 1/2019”);

Having seen the documentation in the documents;

Having seen the observations made by the general secretary pursuant to art. 15 of the Guarantor's Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, doc. web no. 1098801;

Speaker Dr. Agostino Ghiglia;

PREMISE

1. Introduction.

The Authority learned from public sources that the Municipality of Forlì (hereinafter, the "Municipality") had made an IT application available to citizens, called "Falco - Protected City", developed by FMI S.r.l. (hereinafter, “FMI” or the “Company”), which allowed citizens to send reports to the local police regarding situations of degradation or which aroused a certain level of social alarm, in any case not such as to require an emergency call to 112 .

Once a report was received, the local police personnel responsible for viewing the video surveillance images, coming from the cameras installed in the municipal territory for the purpose of protecting urban security, could monitor the situation in the specific area affected by the report and possibly send a patrol to site to carry out checks, as the GPS position and telephone number of the reporting device have been temporarily acquired.

From an information page published on the IMF website (https://www.fmi.fc.it/falco/), it also appeared that, following the receipt of a report, the local police could also send drones in the affected area to carry out the appropriate checks.

In relation to the processing of the personal data of the interested parties, the Municipality qualified itself as data controller, indicating the FMI as data controller (see the information on the processing of personal data at the time published on the institutional website of the Municipality, at the address https://www.fmi.fc.it/privacy-falco/#1651136340326-95cb6497-1535), while the FMI qualified itself as data controller (see the different information published at the time on the Company's website , at https://www.fmi.fc.it/privacy-falco).

2. The preliminary investigation activity.

In response to a request for information from the Authority (see note prot. 37217 of 8 July 2022), the Municipality, with note dated 18 July 2022 (prot. no. 0083196/2022), declared, in particular, That:

“with resolution of the City Council n. 111 of 12/19/2018 and with subsequent contract no. 91 of 6/6/2019, FMI was entrusted […], […] [the functions of] management of the Municipality's video control system […] and connected to urban surveillance […; with] said contract, in art. 39, FMI was identified as the data controller of personal data for the areas of its competence";

“with resolution of the Municipal Council […] n. 200 of 06/23/2021, following the transfer to FMI also of the technological support function for the design and management of video surveillance systems, arranged by resolution of the Council of the Union of Municipalities of Romagna Forlivese no. 93/2018 [...], the definitive/executive project "Protected City 2020 - 2nd and 3rd phase" [...] was approved, drawn up by the [...] IMF [...] and the presentation of the same to the Prefecture [competent ], by virtue of the provisions of the Legislative Decree. 20 February 2017 n.14 [...], [and] FMI was appointed [...] for the implementation of the above-mentioned project and for its subsequent management and reporting";

“[this] project […] includes the Falco application […]. […] [The] Falco System consists of a Web application on a centralized server and an app that runs on Android and IOS (Apple) mobile phones; the latter provides both its own functions and in connection with the video surveillance system [...] owned by the Municipality [...], managed at a technological level by FMI on the basis of existing agreements";

"the "Falco" app, after being downloaded onto a user's mobile phone, allows people to check whether they are in a video-surveillance area or not; if so, the user can decide to send an "alert" type report to the Operations Centers, highlighting [...] the camera filming the citizen who activated the report. This allows us to multiply the surveillance eyes on the city, in order to report situations of degradation, or which cause concern, but which do not require a call to 112, which remains the main way to request immediate assistance from the police. Falco therefore does not aim to replace the 112 function but rather to integrate it, allowing individual citizens to report situations that deserve to be highlighted especially to the Local Police, increasing the perception of city safety in the population, as highlighted by the Police Commissioner and the Prefect during the evaluation of the project at the [Provincial Committee for Public Order and Security] […]”;

“Falco also has a server-side application, made available to the Local Police, with which it will be possible to track all the anonymized reports sent via the mobile phone app in order to identify which areas have more or fewer reports over time, in order to be able to integrate the analysis of the Local Police Command with respect to the areas to be monitored most in the city";

“the “Falco” system does not carry out any tracking of the routes taken by citizens, nor does it store their movements. Only if a voluntary report is made by the citizen himself, the telephone number associated with the geographical coordinates (static) of the report and the timestamp is temporarily stored (for 7 days), to allow the Operations Centers to possibly call back the person who made the report. the reporting. After 7 days, the telephone number associated with the coordinates is deleted from the archives, effectively fully anonymizing the data which will remain available, for statistical purposes only, the static GPS coordinates of the report and the timestamp in which it was made, without any direct or indirect reference to the person who carried it out”;

“the application, as conceived and structured by FMI […], therefore constituted an integral part of a project on urban security presented to the [provincial public order and safety] Committee. In 2021 the project was approved and deemed worthy by the Technical Committee, the Prefecture and the Police Headquarters, as a valid initiative to increase citizens' perception of safety; was co-financed by the Ministry of the Interior associated with other video surveillance interventions in the "Protected City 2020" project as part of a tender for video surveillance and security in cities [...]";

"when the project was presented to the Prefecture in 2021, the Municipality [...] still joined the Union of Municipalities of Romagna Forlivese for the performance of local police functions. Following the withdrawal of the Municipality of Forlì from the Union (1/1/2022) and the consequent reacquisition of local police skills, the Municipality decided to use the Falco app to support and enhance related activities to the local police service";

“Falco was uploaded in beta version by FMI on the Apple and Google stores in December 2021. […] In the beta version of April 2022 the application would have allowed the citizen only to: 1. make a report specifying the type among the categories proposed by Falco (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying, other reports); 1. Make a call to 112 by pressing the relevant button (112) with redirection to the user's mobile phone keypad. On the back-end side, as anticipated, it was only possible to temporarily trace (for 7 days) the telephone number associated with the geographical coordinates of the report and the timestamp, to allow the Operations Centers to possibly call back the person who made the report";

"it is specified that in this phase the Local Police has not proceeded with the processing and management of any reports, except on a random basis, and only to support FMI in the application testing phase, awaiting explicit directives for the Operations Center regarding the “privacy” regulation and the application instruction manual”;

"at the same time as the formal detachment of the Municipality […] from the UCRF, the [Data Protection Officer – “DPO”] was appointed […, who], in the month of April 2022, represented to the administration the urgency of accelerating the regularization of the video surveillance projects and the connected Falco application. The representatives of the FMI company [...] as data controller also participated in the meetings;

“[...] the body has structured an alignment path [for the purposes of] regularization of all processes, comprising the following steps: 1. Priority identification of the legal bases of video surveillance processing and management of related applications in the relevant regulation of the City Council and in any further general administrative acts (council resolutions, managerial decisions, agreements with the UTG, etc.); 2. Detail in the same regulation of the general principles and purposes of the systems, the methods of processing and the fundamental rights of the interested parties; 3. Postponement of organizational details to secondary measures, such as the technical specifications, a fundamental tool for giving greater robustness to the legal basis; 4. Opening of the regulatory instrument towards possible joint agreements and technological innovation with evaluation of the Prefecture's involvement in the shared use of the Falco app, given the appreciation ratings received from the Public Order and Security Committee, the Prefecture and the Police Headquarters at the time of presentation of the project in 2020 and which led to obtaining financing from the Interior Ministry; 5. Carrying out a risk assessment and a privacy impact assessment limited to video surveillance systems; 6. Adoption of a risk assessment and an impact assessment for the Falco application being tested, with possible activation of the preventive consultation mechanism pursuant to art. 36 [of the Regulation] in case of [impact assessment] with risk outcome high; 7. Drafting of cascade documents, including appointments, training and instructions to those authorized pursuant to art. 29 [of the Regulation], appointments pursuant to art. 28 [of the Regulation], etc.”;

"in [light] of the assessments carried out with the [RPD], the Entity proceeded with the perimeter of the processes by responsibly following the defined timeline, i.e. starting from the primary and absolute need to correctly identify and define the legal basis of processing, not trivially identifiable in the execution of a task of public interest or connected to the exercise of public powers (art. 6, par. 1, letters c) and e), and 3, of the Regulation, as well as 2-ter of the Code) [ …]”;

"in one of the first fundamental meetings, held on 26 April 2022 [...] it was chosen to explain in a more clear and transparent manner to interested parties through a privacy policy that the application was in the testing phase and that this would be extended (at least) until May 31, 2022, with evaluation of extension";

“in the information published on the institutional website […] the Municipality […] identified FMI […] as the data controller […] for the processing connected to the app. Falcon. The normal inconsistencies found [by] the Authority by virtue of the different information published on the FMI website (which instead indicated itself as the data controller) are the litmus test of the transitional phase we were going through. To date, in fact, the ownership of the processing remains with the FMI company [...], as the formalization of the structural steps is still ongoing (sharing of processes with the Prefecture, signing of agreements, risk assessment, dedicated DPIA etc.), following which the Municipality [...] will become autonomous data controller, within a well-defined perimeter of legal bases, purposes of the processing and consequent identification of the roles assumed by third parties, including, of course, FMI [ …] identified as responsible […] for the processing pursuant to art. 28 [of the Regulation]. The information provided on the Municipality's website outlines a situation which, although formally inaccurate (given the ownership still lies with FMI), describes a de facto existing hybrid situation";

"in the same meeting of 26 April 2022, it was suggested to the technical representatives of FMI to further reduce [...] "pro tempore", the scope of the application also from a technical point of view, bringing it back to an embryonic phase. Among the requests, those of: - Reducing the retention times of reports from 7 days to 24 hours; - Instantly anonymizing reports upon arrival on the server; - Reordering the optional reporting categories, pending future and possible agreements with the Prefecture, limiting them to: abandonment of waste, acts of vandalism and graffiti, road accidents - Deactivate the "other report" button to avoid sending information potentially containing non-processable personal data;

“the immediately following step was the involvement of the Council to share all the processes. On 6 July 2022 with Council Resolution no. 237, the "Project for the strategic and regulatory definition of the municipal video surveillance system with license plate reading gates and new technologies dedicated to integrated urban security" was approved;

“the technical specification, a further general administrative act, is the further tool suggested by the [RPD] of the Municipality and [by an external consultant] for further raising the profiles of lawfulness of the processing”;

"Furthermore, the involvement of the Prefecture was also recommended - at the same time as the presentation of the integrated urban security project and the inter-force connection - with a request for an opinion on whether or not their integration is necessary for the use of the app. co-financed by the Interior Ministry. The Prefecture of Forlì-Cesena was formally involved in the process outlined above, following a note from the Mayor of the Municipality [...] dated 13/07/2022 [...]";

“once these processes had been put in place, the legal basis had been well defined and the impact assessment had been carried out, we would proceed with the formalization of the appointments pursuant to art. 28 [of the Regulation] (the one relating to the Falco management already in the possession of the Municipality in draft version), the appointments pursuant to art. 29 [of the Regulation] for those authorized to process and cascade actions including, very importantly, the instructions to be provided to local police operators responsible for using the application. From April 2022 to July 2022, the Municipality [...] therefore proceeded to produce the regulations and documents to align with the regulations in force";

“on 8 June 2022, the FMI company communicated via email to the organization that the Falco application had been reactivated for the part dedicated to the possibility of sending reports. […] The Local Police continued and still continues not to manage any reports, stopped in its operations by the lack of explicit directives and the instruction manual, as resulting from the communication from the Central Operational Section of the Local Police Force of Forlì, dated 13 July 2022 […];

"following [the start of the investigation by the Guarantor] [...] the Entity asked FMI to immediately proceed with disabling the application, [...] with certified e-mail addressed to the FMI company [...] on 12 July 2022 […]”;

“among the further requests made to the FMI company are those to: - Anonymize all the reports received and currently present in the Falco database which have been stored for less than seven days, as was done in the first weakening; - Remove the App from the Stores, blocking the download; - Disable the possibility of sending reports by type (making the application inactive even on the smartphones of users who had previously downloaded it); - Disable the “112” button. These technical changes were carried out by FMI […] on 11 July 2022 (as resulting from the report dated 07/15/2022 signed by the FMI Technological Development Manager […])”;

“once the processes have been finalised, the Municipality's intention [...] is to evaluate the signing of two different appointments pursuant to art. 28 [of the Regulation] with the […] FMI […], one having as its object the general video surveillance system, the other the app. Hawk specifically. At present, the appointment relating to the app. Falco was delivered to the Municipality by the DPO in draft version while waiting for the process for the transfer of ownership from the company to the Municipality to be completed";

“[…] no personal data was ever actually processed by the Local Police, who limited themselves solely to randomly contacting some users, who in most cases reported having made an attempt to see how the application worked [… ]; the experimentation did not actually end on May 31, 2022, since the server-side part of Falco, with related software dedicated to data management by the Local Police, never entered into full operation with precise organizational regulations, formal and adequate”;

“the application stores […] only the active position at the time of the report if the user has given consent to sharing this data with the Falco application in the menu of his mobile phone. No processing of user paths is carried out for any reason whatsoever";

“the application […] [uses] the [video surveillance] system […]. The objective, [...] was not to achieve an automatic activation of certain cameras following the report, but rather to put in the foreground, on the screens of the operations centre, videos already present at the time of the report made by the citizen ”;

“contrary to what was declared by FMI in the information published on their website, there is no connection between the Falco Application and the use of drones, nor are there any automatic mechanisms between the drones and the Falco management software. Therefore the reference to drones contained in the IMF information is absolutely incorrect”;

“the Municipality is currently in progress with the drafting of the [data protection impact assessment] […]”;

“the reports received by Falco since the first experimental activation (April 2022), including the numerous test and functionality tests carried out by FMI during the verification phase of the various versions of the application, are 568. They are all anonymised date of 7/11/2022; those older than 7 days were already older following the functionality implemented on the server side which provides for their automatic deletion. Since the reactivation date (8 June 2022) only 86 reports have been received by Falco of which: - 16 for abandoned waste reports; 41 Other (it is not specified what they concern, only a situation of general discomfort of a citizen who cannot find a suitable report for what he wants to express is reported), often these are tests carried out out of curiosity; - 16 calls made to 112 via the app. falcon; - 4 reports for graffiti - 5 reports for vandalism - 1 for an area where alcohol is consumed - 1 for an area where drugs are used - 2 reports for a road accident. From the software reporting, none of these reports made appear to have been treated by the Local Police, not even after the reactivation on 9 June, due to the organizational problems expressed in the previous paragraphs";

"in fact - the application never actually left the testing phase and the local police did not process any data deriving from it for the management of reports [...]".
In response to a further request for information from the Authority (see note prot. 0082766 of 17 December 2022), the Municipality, with note dated 11 January 2023 (prot. no. 0003022/2023), declared, in particular, that:

"the information on the processing of personal data was prepared upon indication of the [RPD] of the Municipality [...] in April 2022 and made available to interested parties on the institutional website of the Municipality in the initial version dated 22 April 2022 and in the one updated on 2 May 2022";

it was also "provided to interested parties directly within the "Falco" IT application" by the FMI;

“the Municipality, data controller, has adhered to the views of its [RPD] […] and of the consultant in charge […] asking FMI […] on 12 July 2022 […] the immediate suspension of the application and the weighing of the risks for the rights and freedoms of the interested party, with assessments and consequent decisions that the investee company has taken in full autonomy";

a "memorandum of understanding was stipulated between the [competent] Prefecture and the Municipality [...], Prot. 80936 of 7/12/2021, concerning state financing pursuant to Legislative Decree. 20 February 2017 n. 14 […], of the “Forlì Città Protetta 2020” project, which includes the “Falco” application”.

With a note dated 10 May 2023 (prot. no. 0075074), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, in its capacity as data controller, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation, to have:

- acted in a manner that did not comply with the principles of "accountability" and "data protection by design and by default", in violation of articles. 5, par. 2 (in conjunction with art. 24) and 25 of the Regulation;

- failed to provide interested parties with information on data processing in the period between December 2021, in which the application was made available online, and 21 April 2022, and, after this period, for having provided to users with incorrect information regarding some essential aspects of the processing, having acted in violation of the articles. 5, par. 1, letter. a), and 13 of the Regulation;

- failed to stipulate a data protection agreement with FMI, in violation of art. 28, par. 3, of the Regulation;

- failed to draw up a data protection impact assessment, in violation of art. 35, par. 1, of the Regulation;

- acted in a manner that did not comply with the principle of "integrity and confidentiality" and in violation of the articles. 5, par. 1, letter. f), and 32 of the Regulation, in relation to the configuration of the methods of access to the IT system for managing reports.

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code, as well as art. 18, paragraph 1, of the l. 24 November 1981, n. 689).

With a note dated 6 June 2023 (protocol no. 0071601/2023), the Municipality presented a defense statement, declaring, in particular, that:

the Municipality “has always and consistently acted in absolute good faith; any errors or shortcomings, possibly found, are the result of the ongoing structuring [of] the process [...] linked to video surveillance processing [...] [in a period in which] the Municipality found itself facing at a single moment both the implementation of the Protected City project, and the complete reconstruction of every privacy requirement, following the separation of the local police force from that of the Union, with a severely reduced staff and in the absence of the figure of the Local Police Commander, provisionally replaced by an interim manager, already burdened with other significant managerial roles";

“[…] the untimeliness of the appointment pursuant to Article 28 of the IMF (then formalized in August 2022) was caused by the transitory nature of this phase”;

“no personal data has ever actually been processed by the Local Police. From a substantial point of view, the damage to the rights and freedoms of citizens is almost nil. The reports received by Falco, from the moment of the first activation on an experimental basis until July 2022, including tests and functionality tests carried out largely by the FMI itself during the verification phase, were a total of 568, all anonymized as of the 11th July 2022; moreover, those older than 7 days had already been previously. deleted, thanks to an automatic deletion feature. From the reactivation date of 8 June 2022 (the application was presented in a further weakened version: in fact, please refer to the previous notes, which illustrated that, in the absence of an agreement with the Prefecture, only three items selectable by the citizen) and until 11 July 2022 (therefore compared to only 33 days of actual activation), only 86 reports were received by Falco, mostly involving trials and beta tests. From the software reporting, none of these reports appear to have been processed by the Local Police [...]";

“[…] the Falco app (reactivated for 33 days solely for the purpose of continuing testing) has always remained in its beta version, with reports mostly sent by FMI employees in order to test the various functions, and with the making available on the main stores solely for the purpose of evaluating the front-end performance of the application. We reiterate: uploading the app to the stores did not represent its definitive activation, but it was the necessary testing phase, fundamental in order to be able to technically evaluate the stability of the application before the official release";

"it is believed that the actions of the Municipality of Forlì which are the object of the dispute are characterized, at most, by slight negligence, deriving from the untimeliness in carrying out obligations which, in any case, were in progress well before the request for information of the Authority”;

“the approval of the project within the Committee for Public Order and Security led the actors to temporarily perceive privacy obligations as secondary”;

“a long phase of in-depth "questioning" of everything achieved up to that point began, starting from April 2022, together with the proactive collaboration of an external consultant, with the creation of an operational plan strategic plan aimed at implementing, within a short timeframe, all the necessary obligations. Among other things, it should be remembered that the Falco app had already been turned off in April, on the initiative of the Municipality [...], precisely because the importance of applying privacy principles right from the design phase was strongly perceived at municipal level" ;

"it was not possible to appoint external managers without having completed the processes for defining the roles and functions and without previously understanding, through a specific risk assessment, what security measures to expect from the FMI [...], the company creating the software, before the definitive release of the latter”;

"[...] the Municipality ordered FMI to proceed with the deactivation of the application, starting from 12 July 2022. The negative repercussions on citizens' rights were therefore eliminated with immediate effect, without delay".

3. Outcome of the preliminary investigation.

3.1 The processing of personal data carried out as part of the "Falco" project.

At the end of the investigation, as reconstructed above, it emerged that, within the scope of the so-called "Falco" project, the Municipality, making use of the FMI, has created an IT system consisting of a "Web on centralized server" type component and, on the user side, a specific IT application for mobile devices (see protocol note . no. 0083196/2022 of 18 July 2022).

The IT application called "Falco" allowed users to verify their presence in an area subjected to video surveillance by the Municipality, as well as to send reports relating to possible situations of degradation or general potential risk - not such as to make a emergency call - highlighting for the local police operators, responsible for viewing the video surveillance images, the specific videos transmitted by the camera present at the reported location.

As for the server-side application of the Falco system, it was made available to the Local Police for tracking all the anonymized reports sent via the aforementioned application, in order to identify which areas presented more or fewer reports over time, facilitating the analysis of the Local Police Command regarding the areas of the municipal territory to be monitored most. It was only possible to temporarily trace (for seven days) the telephone number associated with the geographical coordinates of the report and the so-called timestamp, to allow the Operations Centers to possibly recall the user who made the report. After seven days, the telephone number associated with the coordinates was deleted from the archives, leaving the static GPS coordinates of the report and the timestamp in which the report was made available for statistical purposes only.

On a temporal level:

the "Falco" application was made available in the online stores "Google Play Store" on 20 December 2021 and "Apple Store" on 26 January 2022, in a version that allowed the user to send a report to the local police , without the possibility of classifying it with predefined settings; furthermore, the user could activate the "keypad" functionality of the telephone preset with the number 112; the reports could be voluntarily anonymized by the user, by pressing a specific button, and were in any case automatically anonymized, by deleting the telephone number associated with the static geographical position of the terminal from which the report came, seven days after the date of sending of the same (see IMF report sub annex 9 to protocol note 0003022/2023 of 11 January 2023);

on 6 April 2022, the application was modified as follows: the possibility of specifying the type of report from a predefined list of items (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying, other report); the possibility for the user to anonymize their report before the seven-day deadline has been eliminated; the possibility of attaching a photograph has been introduced, but only if taken from scratch, i.e. without the possibility of choosing a photo already saved in the user's terminal (ibidem);

from the end of April 2022 the application was deactivated, only to be reactivated at the beginning of June 2022 (see report of the Municipality's RPD sub annex 5 to protocol note no. 0083196/2022 of 18 July 2022 );

on 11 July 2022, following the start of the investigation by the Authority, the application was removed from online stores (see the aforementioned IMF report) and all the reports received were anonymised.

It also emerged that during normal use of the application, a request was sent to the server every 3.5 seconds containing a so-called digitally signed token, associated with the user's telephone number and the static position of the device, which would have been "discarded (deleted from the server memory) after a verification of the signature and the expiration date of the same, as its purpose is exclusively to prevent the robots from massively contacting the web service", without it being "ever stored even temporarily on a database, not even as a cache or backup"; the static geographical coordinate was "never saved in any case[;] upon receiving the request to the webservice, [it was] compared with the list of video-surveillance areas (geometric polygons saved in the database) and calculated if it was within one of them or not. The result of this verification [was] sent to the app and the coordinates [were] eliminated without ever being stored in any database, either support or transit" (see IMF report sub annex 9 to protocol note 0003022/ 2023 of 11 January 2023).

Having summarized the main characteristics of the Falco system in this way, it is noted that the processing of personal data carried out by the Municipality, also with regard, more generally, to the management of the municipal video surveillance system, has resulted in the violation of certain provisions of the relevant legislation of data protection, explained in detail below.

3.2. Violating the principles of accountability and data protection by design

The data controller, as the subject on whom decisions regarding the purposes and methods of processing the personal data of the interested parties fall, bears a "general responsibility" for the processing carried out (cons. 74 of the Regulation). Based on the principle of "accountability", it is, in fact, competent for compliance with the data protection principles (art. 5, par. 1, of the Regulation) and must be able to prove it (art. 5, par. 2 , of the Regulation). This will also be done by implementing adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation (art. 24, par. 1, of the Regulation).

In particular, in consideration of the risk looming over the rights and freedoms of the interested parties, the data controller must - "from design" and "by default" (art. 25 of the Regulation) - adopt adequate technical and organizational measures to implement the principles of data protection, integrating into the processing the necessary guarantees to satisfy the requirements of the Regulation and protect the rights and freedoms of the interested parties (see "Guidelines 4/2019 on article 25 - Data protection from design and for default setting”, adopted by the European Data Protection Board on 20 October 2020, especially points 42, 44 and 49).

In this case, as highlighted above, the "Falco" application was made available in the "Google Play Store" online stores on 20 December 2021 and "Apple Store" on 26 January 2022.

From the documentation in the documents it emerges that:

the "Falco" application was made available "in beta version" by [...] FMI, on behalf of the Municipality, although it "still had to be tested by the company's technicians" (note from the Municipality of 18 July 2022, protocol

already in the month of December 2021, the newly appointed RPD of the Municipality, during the first meetings with the representatives of the Institution, represented "the urgency for the administration to give priority to the regularization of video surveillance projects and the connected application and already active […] called “Falco””. An external professional was also involved who "confirmed the assessments expressed by the [DPO] regarding the critical issues regarding the use of video surveillance systems and related applications lacking an adequate organizational structure" (see the DPO's report, sub annex 5 to the protocol note 0083196/2022);

based on the findings made by the DPO and the external consultant, the Municipality, in April 2022, planned a series of actions to ensure compliance with the legislation on the protection of personal data, including the "identification of the legal bases of the processing of video surveillance and management of connected applications", the "carriage of a risk assessment and a privacy impact assessment limited to video surveillance systems", the "adoption of a risk assessment and an impact assessment for the 'Falco application being tested, with possible activation of the preventive consultation mechanism pursuant to art. 36 [of the Regulation] in case of [impact assessment] with a high risk outcome" and the "drafting of cascade documents, including [...] [the] appointments pursuant to art. 28 [of the Regulation], etc.” (ibidem);

only "once these processes had been put in place, the legal basis had been well defined and the impact assessment had been carried out" would the Municipality have "proceeded with the formalization of the appointments pursuant to art. 28 GDPR (the one relating to the Falco management already in the possession of the Municipality in draft version) [...] and the cascade documents including, very importantly, the instructions to be provided to the local police operators responsible for using the application" (ibidem ).

on 15 April 2022 a meeting was held between the Municipality and the F.M.I. and, on that occasion, the DPO discussed the "lawfulness profiles of the app and the state of the [video surveillance] systems in general, highlighting the first evident critical issues" (ibidem);

on 21 April 2022, the DPO, in agreement with the external consultant, sent an email to the Municipality, "confirming the urgency of the situation" (ibidem);

despite the RPD having invited the Municipality "to be cautious by suggesting to suspend the operation of the application until the conclusion of all the processes, in particular the drafting of a dedicated specification and an ad hoc [impact assessment], the The organization first deactivated the application and then, on 8 June, reactivated it, in contravention of the RPD's instructions (ibidem);

on 22 April 2022, the RPD wrote to the Municipality contact person "an urgent communication", containing "a first draft of the privacy information drawn up specifically for the Falco app", highlighting "the need for it to be published on the institutional website in the relevant section and that it was clearly specified that [the same] referred to an active application in the experimental phase" (ibidem);

on 26 April 2022, the RPD called "again and repeatedly on the administration to exercise prudence", suggesting "to suspend the app pending compliance with the regulations and to weaken it in its embryonic state, while waiting to define all the processes" ( ibidem);

the RPD urged the need to "limit the scope of application to "urban safety" only (with the exclusion of activities related to public safety), advising to remove the items "bullying" and "violence" from the types of reports that can be optioned by the citizen" (ibidem);

in April 2022, a "beta" version was made available, which allowed the citizen to "make a report specifying the type among the categories proposed by Falco (waste abandonment, vandalism and graffiti, road accident, domestic violence, bullying , other report)" and "make a call to 112 by pressing the relevant button (112) with redirection to the user's mobile phone keypad", although, in this phase, "the Local Police did not proceed with the processing and management of any reporting, if not on a random basis, and only to support FMI in the application testing phase, awaiting explicit directives for the Operations Center regarding the "privacy" regulation and the application instruction manual" (ibidem);

the RPD, together with the external consultant, suggested "updating the information relating to Falco again to align them with the choices made, also outlining an ideal operational timeline, including the creation of an ad hoc VDS regulation as a legal basis and the related specifications, the elimination of all personal data collected and the creation of a specific DPIA” (ibidem);

on 27 April 2022, the RPD, in agreement with the external consultant, sent a "new wording to be uploaded to the site, in the section dedicated to the Falco app, with emphasis on the weakening and the experimental phase" and "summarizes", again once, the steps to adapt the information" of both the site and the application (ibidem);

on 29 April 2022, the DPO sent "an updated version of the information" (ibidem).

on 30 April 2022, the Municipality's external consultant "outlined the path to regularize the processes, with particular attention to the falco application" (ibidem);

on 4 May 2022, the DPO warned that even if we proceeded with the "appointment of an external manager or the adoption of regulations and procedures before the approval of the regulation (legal basis) it would in any case lead to a sanction, as it was totally the entire privacy by design part is lacking", reiterating the need to "follow the [...] operational timeline" (ibidem);

on 6 July 2022, the RPD sent a communication to the Municipality, reiterating "the suggestion to suspend the Falco App until the entire regulatory compliance process has been completed - begun, but [...] still considered not sufficiently robust", with particular regard to "the attachment of the legal basis and the risk and impact assessment" and "considered it prudentially more correct that the entire [video surveillance] system and the architecture of the Falco project be regularised, before allow citizens to use it". At the same time, the DPO asked an engineer to carry out "an initial technical evaluation of the app and the related privacy risk profiles preparatory to the risk assessment and impact assessment". This engineer "in addition to confirming the doubts that emerged, noted the high probability that a prior consultation with the Guarantor should have been carried out, following the outcome of an [impact assessment] which would almost certainly have reported a high impact on the rights and the freedoms of the interested parties” (ibidem);

on 11 July 2022, the DPO received "a copy of Council Resolution no. 38 of 6 June 2022 approving the [video surveillance] Regulation and Resolution no. 237 of 6 July 2022 with which the Council adopted the integrated urban security project" (ibidem);

on 11 July 2022, the Municipality asked the FMI to immediately proceed with disabling the application.

From the reconstruction of the events that occurred, it emerges, therefore, that the Municipality, starting from December 2021, made the "Falco" IT application available to users despite the fact that it had not yet been tested and, subsequently - despite the critical issues of data protection on several occasions highlighted by the DPO and an external consultant as early as December 2021 and then more specifically in the month of April 2022 (with particular regard to the failure to evaluate the applicable legal basis and the absence of internal acts of the 'Body that fully regulates the processing, the analysis of the risks deriving from the processing, through a prior impact assessment on data protection, the definition of the relationship with the data controller, the operating instructions for those authorized to process and the categories of personal data being processed) - continued to use the aforementioned application (with an interruption between the end of April 2022 and the beginning of June 2022), until 11 July 2022, despite being fully aware of these critical issues.

It should also be noted that, in the first version of the application, uploaded to online stores in the period December 2021-January 2022, users could freely make a report, without the situations that could potentially be the subject of a report having been predetermined ex ante .

Even in the subsequent version of 6 April 2022, although a predefined list was inserted to classify the report, the possibility of making a report of another type not specifically indicated was still left, thus exposing the data controller to the possibility of collecting and process personal data that is not necessary or irrelevant to the purpose pursued or personal data relating to particular categories (see art. 9 of the Regulation) or to criminal convictions and crimes (art. 10 of the Regulation), in the absence of a legal basis. Furthermore, by allowing users to send reports also in relation to episodes of domestic violence and bullying - cases of potential criminal relevance (see art. 610 c.p.) certainly not attributable to the administrative functions of the Municipality - the Institution has further exposed itself to this risk.

The Municipality has, therefore, implemented the processing of personal data, through the "Falco" application, without ensuring that the data protection profiles were taken into due consideration "both when determining the means of processing and when act of processing”, identifying and implementing adequate technical and organizational measures with respect to the risks deriving from the processing (art. 25 of the Regulation). This is also in order to ensure compliance with the principles regarding data protection (art. 5 of the Regulation) already in the planning phase of the processing and development of the IT systems through which the same is carried out, as well as in order to correctly frame the processing of personal data carried out with regard to the identification of the legal basis applicable for each processing purpose.

The same considerations also apply with regard to the processing of personal data carried out by the Municipality through the municipal video surveillance system, with respect to which both the DPO and the external consultant had made the Municipality aware of the same critical issues with regard to the personal data protection profiles. The Municipality nevertheless continued to keep its video surveillance system active, despite being fully aware of the aforementioned critical issues. Only in the months of June and July 2022 did the Authority approve its regulation on video surveillance (see resolution no. 38 of 6 June 2022, sub doc. 8 of the protocol note no. 0083196/2022 of 18 July 2022) and the so-called project “integrated urban security” (see resolution no. 237 of 6 July 2022, sub doc. 9 to note prot. no. 0083196/2022 of 18 July 2022). Furthermore, as emerges from a note from the RPD dated 6 July 2022, in the documents, the Municipality had not stipulated an agreement for the implementation of urban security, through video surveillance systems, with the territorially competent Prefecture (as required by art. 5 , paragraph 1, letter a), of the legislative decree 20 February 2017, n. 14), had not proceeded to stipulate a data protection agreement with the data controller (i.e. the FMI) and had not identified those authorized for processing (see annex sub doc. 12 to protocol note no. 0083196/2022 of 18 July 2022).

In light of the foregoing considerations, it must be concluded that the Municipality acted in a manner that did not comply with the principles of "accountability" and "data protection from design and by default", in violation of articles. 5, par. 2 (in conjunction with art. 24) and 25 of the Regulation.

3.3 Transparency of processing

Based on the principle of "lawfulness, correctness and transparency", personal data must be processed in a lawful, correct and transparent manner towards the interested party (art. 5, par. 1, letter a), of the Regulation).

In compliance with this principle, the data controller must take appropriate measures to provide the interested party with all the information referred to in the articles. 13 and 14 of the Regulation in a concise, transparent, intelligible and easily accessible form, with simple and clear language (art. 12 of the Regulation; see Working Group art. 29, "Guidelines on transparency pursuant to Regulation 2016/679 ”, WP260 rev.01 of 11 April 2018, endorsed by the European Data Protection Board with “Endorsement 1/2018” of 25 May 2018).

In the present case, the Municipality provided the information on the processing of personal data to users of the "Falco" application only on 22 April 2022, publishing the same on its institutional website, with subsequent updating of the same on 2 May 2022.

Therefore, in the period between December 2021, in which the application was made available online, and 21 April 2022, the Municipality failed to provide interested parties with its own information on the processing of personal data, acting in violation of the articles 5, par. 1, letter. a), 12, par. 1, and 13 of the Regulation.

Furthermore, in this regard, the information provided by FMS - incorrectly qualified as data controller - to all users, directly within the application, cannot be taken into consideration, on the assumption that the "Falco" application can also be used by citizens of other Municipalities with which the FMI has agreements in place for the use of the service.

It also appears from the documents that, within the application, the FMI, at the request of the Municipality, included a brief information on data processing, dated 28 April 2022, which did not, however, refer to a complete text of the itself. Subsequently, on 3 May 2022, a more extended version of the information was inserted into the application, which corresponds to the one published on the institutional website of the Municipality on 2 May 2022.

However, the information dated 22 April 2022 did not fully comply with the requirements of the Regulation (see art. 13, par. 2, letter a). In fact, it was stated that until 31 May 2022, i.e. in a phase defined as experimental, the retention times of reports would be limited to twenty-four hours. This circumstance is not, however, reflected in the IMF report (sub annex 9 to note protocol 0003022/2023 of 11 January 2023), in which, with regard to the Authority's request to clarify the differences, in terms of functionality of the application, among the different versions of the same that have occurred over time, only a first version of the application for the period December 2021-January 2022 is given (with reporting retention times of seven days) and a second version of the itself, released on 6 April 2022, with the same retention time of seven days (with the sole disabling of the possibility for the user to anonymize their report before the seven-day deadline).

The same considerations also apply to the subsequent version of the information dated 2 May 2022, which states that, during the experimental phase of the application, which will end on 31 May 2022, "data retention times are eliminated", a circumstance which is not reflected in the aforementioned IMF report.

Furthermore, neither version of the information takes into account the fact that, while using the application, it acquired the static geographic coordinates of the device every 3.5 seconds.

In light of the foregoing considerations, it must be concluded that the Municipality, in the period between December 2021, in which the application was made available online, and 21 April 2022, failed to provide interested parties with its own information on the processing of personal data, and, after this period, has provided users with incorrect information regarding some essential aspects of the processing, having acted in violation of the articles. 5, par. 1, letter. a), and 13 of the Regulation.

3.4 Failure to define relationships with the data controller

Pursuant to art. 28, par. 3 of the Regulation, "processing by a data controller must be governed by a contract or other legal act pursuant to 26 Union or Member State law, which binds the data controller to the data controller, which stipulates the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties, the obligations and rights of the data controller", and which provides for all the commitments provided for by the same art. . 28, par. 3 of the Regulation (see paragraph 81 of the Regulation).

The contract or other legal act must be "stipulated in written form, including in electronic format" (art. 28, par. 9, of the Regulation).

As clarified by the European Data Protection Board, "since the Regulation clearly establishes the obligation to conclude a written contract, if no other relevant legal act is in force there is a violation of the [Regulation], or of the " Article 28, paragraph 9, of the [Regulation]”. Considering that "both the data controller and the data controller have the responsibility to guarantee the existence of a contract or other legal act that regulates the processing", the competent supervisory authority "may impose a pecuniary administrative sanction on both the data controller and to the data controller” (“Guidelines 07/2020 on the concepts of data controller and data processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, para. 103).

Therefore, where, as in the present case, "a data controller-processor relationship exists [...] even in the absence of a [valid] written processing agreement" - since the person processing the data actually carries out the processing not for its own purposes but on behalf of the client, as part of an activity outsourced by the latter and in the execution of a service contract or other similar legal relationship existing between the parties (see the definition of "responsible for processing” referred to in art. 4, par. 8, of the Regulation) - “this implies […] a violation of article 28, paragraph 3, of the [Regulation]” (ibidem).

Having said this, it should be noted that, as emerged during the investigation, the Municipality has over time entrusted the execution of a series of services to the FMI, namely:

with resolution of the Municipal Council n. 333/2017, maintenance and support activities for the management of automatic video control systems for infringements of the Highway Code for access to the ZTL and those for detecting goods movement;

with resolution of the City Council n. 111 of 12/19/2018 and with subsequent contract no. 91 of 6/6/2019, to the management of the Municipality's video control system and connected to urban surveillance. In this contract, FMI was identified as the "data controller for the areas of its competence";

with resolution of the Municipal Council n. 200 of 06/23/2021, the maintenance of the systems and technical equipment of the video surveillance systems to be carried out as part of the "Protected City 2020 - 2nd and 3rd phase" project, which also includes the "Falco" application.
Although the FMI, in the context of the provision of a plurality of services in favor of the Municipality, has processed and processes personal data on behalf and in the interests of the same, acting, therefore, as "data controller" (art. 4 , par. 1, n. of the Regulation), the Municipality has failed to stipulate a contract with the same on the protection of personal data, as required by the art. 28 of the Regulation.

In this regard, it is noted that, on 26 April 2022, the FMI itself had asked the Municipality to "be classified as external manager pursuant to art. 28 [of the Regulation], with the consequent need to sign the appropriate nominations" (see the report of the DPO, annex 5 to the note prot. n. 0083196/2022). On 28 April 2022, the Municipality's RPD and its external consultant also highlighted the need for "FMI [to be] classified as external data controller" (ibidem). And again, on 4 May 2022, the DPO sent "a communication to the IMF contact person, in response to his request to send the appointments pursuant to art. 28, highlighting that only following the implementation of the [video surveillance] regulation [...] and all the consequent acts, in particular disciplinary and dpia, [the Municipality would] have been able to proceed with the appointments". Nonetheless, as declared by the Municipality, the formalization of the agreement only took place "in August 2022".

The Municipality, as data controller, has therefore failed, until August 2022, to stipulate a data protection agreement with the FMI, which - as a company with complete public participation, entrusted with multiple services to be part of the Municipality - was actually acting as data controller, in violation of the art. 28, par. 3, of the Regulation.

3.5 Failure to assess the impact on data protection

In case of high risks for data subjects - arising, for example, from the use of new technologies - the data controller must carry out a data protection impact assessment, in order to adopt, in particular, appropriate measures to address these risks, consulting the Guarantor in advance, where the conditions exist (see articles 35 and 36 of the Regulation).

In this case, the use of the "Falco" application involved the collection of data on the geographical position of the users, as well as implied the possibility that, even in the case of abusive or unauthorized access, third parties could become aware of the reports made , with possible retaliatory consequences for the interested parties. As illustrated above, however, the collection of personal data relating to crimes, which by their nature are particularly sensitive, could not be excluded.

Although, therefore, the processing resulting from the use of this application, potentially made available to all citizens, presented a high risk for the rights and freedoms of natural persons, the Municipality did not prepare an impact assessment on the protection of data before starting the processing in question (see the “Guidelines on data protection impact assessment and determination of whether the processing “may present a high risk” for the purposes of Regulation (EU) 2016/679 ”, adopted by the Article 29 Working Group on 4 April 2017, WP 248 rev.01, endorsed by the European Data Protection Committee with “Endorsement 1/2018” of 25 May 2018, with particular regard to the data criteria of a highly personal nature, such as those relating to location or the processing of which may have serious repercussions on the daily life of the data subject, as well as large-scale data processing).

The Municipality therefore acted in violation of the art. 35, par. 1, of the Regulation.

3.6 The safety of the treatment

The art. 5, par. 1, letter. f), of the Regulation establishes that personal data must be "processed in a way that guarantees adequate security of personal data, including protection, through appropriate technical and organizational measures, from unauthorized or unlawful processing and from loss, destruction or from accidental damage” (principle of “integrity and confidentiality”).

In application of this principle, art. 32 of the Regulation, concerning the security of the processing, provides that "taking into account the state of the art and the implementation costs, as well as the nature, object, context and purposes of the processing, as well as the risk of varying probability and gravity for the rights and freedoms of natural persons, the data controller and the data processor shall implement adequate technical and organizational measures to guarantee a level of security appropriate to the risk [...]" (para. 1) and that "in evaluating the adequate level of security takes into account in particular the risks presented by the processing which derive in particular from the destruction, loss, modification, unauthorized disclosure or access, accidentally or illegally, to personal data transmitted , stored or otherwise processed” (par. 2) (see paragraph 83 of the Regulation).

At the end of the preliminary investigation it emerged that the operators of the local police of the Municipality, "in the absence of personal credentials for consulting the reports made by users, in the absence of specific service instructions from the Deputy Commander [...]", accessed the data collected through the Falco application "using the generic password provided by FMI", therefore not having specific and personal authentication credentials to access the IT system (see note from the local police of the Municipality of 13 July 2022, in documents ).

Taking into account the nature, object, context and purposes of the processing, which involved the acquisition and management of reports made by users, with the collection of personal data relating to the reporting person, such as the telephone number and the location of the device, it is believed that the aforementioned methods of access to the IT system cannot be considered adequate from a security point of view (see provision dated 10 June 2021, n. 236, web doc. n. 9685947).

The use of non-nominal users, by multiple subjects, prevents, in fact, from attributing the actions carried out in an IT system to a specific subject, with prejudice, also for the data controller and data processor, who are in fact private individuals. of the possibility of controlling the actions of subjects acting under one's authority.

Furthermore, when a non-nominal user, such as the one in question, is used by multiple subjects, situations may arise in which there is no consistency between the authorization profiles assigned and the actual operational needs for the management of the systems, thus making possible for an unauthorized person to operate, in the absence of a specific will of the data controller or data processor, within the processing systems and services (see provision dated 4 April 2019, no. 83, web document no. 9101974; 14 January 2021, no. 4

Furthermore, the use of "authentication credentials for the exclusive use of subjects operating under his or her authority or that of the data controller" in the previous regulatory regime was expressly envisaged as a minimum security measure which all data controllers were required to adopt. (pursuant to the technical specifications referred to in Annex B to the Code, in the text prior to the amendments referred to in Legislative Decree no. 101/2018), the violation of which also entailed the application of a criminal sanction (see art. . 169 of the Code, in the text prior to the amendments referred to in Legislative Decree no. 101/2018).

For these reasons, in light of the methods of access to the information management system of reports, with the characteristics described above, the Municipality acted in a manner that did not comply with the principle of "integrity and confidentiality" and in violation of the articles. 5, par. 1, letter. f), and 32 of the Regulation.

4. Conclusions.

In light of the assessments mentioned above, it is noted that the declarations made by the data controller during the investigation are the truthfulness of which one may be called upon to respond to pursuant to art. 168 of the Code ˗, although worthy of consideration, do not allow us to overcome the findings notified by the Office with the act of initiating the proceeding and are insufficient to allow the dismissal of this proceeding, as, moreover, none of the cases envisaged by the 'art. 11 of the Guarantor Regulation n. 1/2019.

The preliminary assessments of the Office are therefore confirmed and the illegality of the processing of personal data carried out by the Municipality is noted, for having processed personal data in violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1, of the Regulation.

In this context, considering, in any case, that the conduct has exhausted its effects, the conditions for the adoption of further corrective measures pursuant to art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

The Guarantor, pursuant to articles. 58, par. 2, letter. i) and 83 of the Regulation as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In this case, the Municipality has implemented two distinct behaviors, which must be considered separately for the purposes of quantifying the administrative sanction to be applied.

5.1 Violations relating to the processing of personal data using video devices.

Taking into account that violations of articles. 5, par. 2 (in conjunction with art. 24), 25 and 28, par. 3, of the Regulation, in relation to the treatments carried out using video devices, have taken place as a consequence of a single conduct (same treatment or treatments connected to each other), the art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in the present case, the most serious violation concerns the art. 5, par. 2, of the Regulation (in conjunction with art. 24), subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking due account of the elements provided for by the art. 83, par. 2, of the Regulation.

Considering that:

the violation concerns the processing carried out, over an extended period of time, using video devices (video surveillance and control cameras of the ZTL access areas), which may concern a very large number of citizens and other interested parties passing through the municipal territory ; However, the investigation did not reveal that they had suffered specific damages as a result of such processing (see art. 83, par. 2, letter a), of the Regulation);

although the Municipality had not stipulated an agreement on data protection with the FMI, the latter is a single-member limited liability company with complete public participation, whose ownership is in any case attributable to the Municipalities belonging to the Union of Municipalities of the Forlivese Romagna, including including the Municipality of Forlì; furthermore, the parties had in any case signed a service contract, the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties having been defined at least in general terms (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent in nature (see art. 83, par. 2, letter b), of the Regulation);

the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation), having, however, to consider that video surveillance systems, installed on public roads for the protection of urban safety, may involve the processing of personal data relating to crimes referred to in art. 10 of the Regulation (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in the specific case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:

the Municipality has a high degree of responsibility, having essentially failed to consider the data protection profiles underlying the processing in question, before implementing it and right from the design of the systems used (art. 83, par. 2, letter d), of the Regulation);

the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to remedy the violations, also resorting to the support of the DPO and expert consultants in data protection matters (art. 83, par 2, letter), of the Regulation);

there are no previous relevant violations committed by the Municipality (art. 83, par. 2, letter e), of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 10,000 (ten thousand) euros for the violation of the articles. 5, par. 2 (in conjunction with art. 24), 25 and 28, par. 3 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the video surveillance activity in question involved public places, implementing a processing of personal data that "allows [to detect] the presence and behavior of people in the space considered" (European Data Protection Committee, "Lines guide 3/2019 on the processing of personal data through video devices” of 29 January 2020, par. 2.1), without the overall compliance with the data protection principles having been guaranteed since the design of the video surveillance system, it is also considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., must be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

5.2 Violations relating to the "Falco" system.

Taking into account that the violation of articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1, of the Regulation, in relation to the processing carried out through the so-called “Falco” system, took place as a consequence of a single conduct (same treatment or treatments connected to each other), art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violations concern the articles. 5, 12 and 13, subject to the administrative sanction provided for by art. 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros.

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into due account the elements provided for by the art. 83, par. 2, of the Regulation.

Considering that:

the processing concerned a limited number of interested parties compared to the total number of residents in the Municipality (approximately 116,726), given that, as declared by the Municipality during the investigation, the reports received from the moment of the first experimental activation (April 2022) , including the numerous test and functionality tests carried out by FMI during the verification phase of the various versions of the application, are n. 568, while from the date of reactivation (8 June 2022) n. 86 reports, for a total of no. 654 reports, including those relating to tests only (see art. 83, par. 2, letter a), of the Regulation);

although the Municipality had not stipulated an agreement on data protection with the IMF, the latter is a single-member limited liability company with complete public participation, whose ownership is in any case attributable to the Municipalities belonging to the Union of Municipalities of the Forlivese Romagna, including including the Municipality of Forlì; furthermore, the parties had in any case signed a service contract, the subject matter regulated and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of interested parties having been defined at least in general terms (see art. 83, par. 2, letter a), of the Regulation);

the violation is negligent (see art. 83, par. 2, letter b) of the Regulation);

the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation), having, however, to consider that, as illustrated above, the processing of data could not be completely excluded as a result of the reports submitted by citizens personal data relating to crimes referred to in art. 10 of the Regulation (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in the specific case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into consideration:

the Municipality has a high degree of responsibility, having essentially failed to consider the data protection profiles underlying the processing in question, before implementing the same and from the design of the systems used, having, moreover, acted, starting from the reactivation of the application, in June 2022, in a manner contrary to the guidelines expressed by the DPO (art. 83, par. 2, letter d), of the Regulation);

the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to remedy the violations, also resorting to the support of the DPO and expert consultants in data protection matters (art. 83, par 2, letter), of the Regulation);

there are no previous relevant violations committed by the Municipality (art. 83, par. 2, letter e), of the Regulation).

On the basis of the aforementioned elements, evaluated as a whole, it is decided to determine the amount of the pecuniary sanction in the amount of 5,000 (five thousand) euros for the violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 28, par. 3, 25, 32 and 35, par. 1, of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

Taking into account that the processing of the personal data in question took place in violation of the aforementioned provisions of the Regulation for an extended period of time, it is also believed that the additional sanction of publication on the Guarantor's website of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019.

ALL THIS CONSIDERING THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter. f), of the Regulation, the illegality of the processing carried out by the Municipality of Forlì for the violation of the articles. 5, par. 1, letter. a) and f), and par. 2 (in conjunction with art. 24), 12, par. 1, 13, 25, 28, par. 3, 32 and 35, par. 1 of the Regulation, within the terms set out in the justification;

ORDER

to the Municipality of Forlì, in the person of the legal representative pro tempore, with registered office in Piazza Saffi, 8 - 47121 Forlì (FC), C.F. 00606620409, to pay the total sum of 15,000 (fifteen thousand) euros as a pecuniary administrative sanction for the violations indicated in the justification. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

to the aforementioned Municipality in case of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 15,000 (fifteen thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of the law. n. 689/1981;

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication of this provision on the Guarantor's website, believing that the conditions set out in the art. 17 of the Guarantor Regulation n. 1/2019.

Pursuant to the articles. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 20 June 2024

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei