Garante per la protezione dei dati personali (Italy) - 10050298

From GDPRhub
Garante per la protezione dei dati personali - 10050298
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 24(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 28(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.07.2024
Published:
Fine: 7,000 EUR
Parties: Comune di Treviso
National Case Number/Name: 10050298
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined a municipality €7,000 after it made an app available to collect crime reports without adopting any measures to ensure GDPR compliance.

English Summary

Facts

The DPA opened an ex officio investigation after it learned from social media that the controller, a municipality, had implemented a new app which allows citizens to report crimes.

The controller pointed out that this app helps to detect the parts of the town with more crimes and is, therefore, to be regarded as to fulfill the controller’s “judiciary police” tasks.

Moreover, it noted that only a small amount of the population has actually downloaded it.

Holding

First, the DPA pointed out that, according to national law, the local police do not generally have a “judiciary police” function, i.e. the task of preventing and investigating crimes. On the contrary, the local police may have these tasks only when delegated by the state authorities.

Since this was not the case, the DPA held that the controller collected this data without a legal basis and, therefore, found a violation of Article 5(1)(a) and 6(1) GDPR.

Secondly, the DPA noted that the municipality did not develop the app itself, but outsourced the development and the managing of the app to an external company. The DPA also noticed that the municipality had identified as processor, while the external company had been identified as controller. However, the DPA found this identification wrong, since the entity determining the purposes and means of the processing was actually the municipality.

Moreover, the DPA pointed out that the controller did not enter into a binding agreement with the controller according to Article 28(3) GDPR. Therefore, it found a violation of this article.

Thirdly, the DPA found that the privacy policy was not compliant with Article 13 GDPR, since it had insufficient and wrong information. For example, it stated that the municipality was the processor (while it was the controller), it lacked the DPO contact details and did not inform the data subject of their right of filing a complaint with the DPA.

Fourthly, the DPA noted that the controller made the app available to all data subjects without any previous internal act governing the processing at hand. Therefore, according to the DPA, this means that the controller did not implement, before the processing, the appropriate technical and organizational measures in order to ensure compliance with the GDPR. For this reason, the DPA found a violation of Article 25(1) GDPR.

Fifthly, it noted that the app had a free text box. This means that users could enter any kind of information, including special categories of data under Article 9 GDPR or data relating to crimes under Article 10 GDPR and, more generally, data which is not relevant for the purposes of the processing at hand.

Therefore, the DPA pointed out that the controller did not implement appropriate measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Thus, it found a violation of Article 25(2) GDPR.

Finally, the DPA held that the controller was not able to prove that it complied with the data protection principles and that it did not implemented measures to ensure and be able to demonstrate compliance with the GDPR. Therefore, it found a violation of Article 5(2) and 24(1) GDPR.

On these grounds, the DPA issued a fine of €7,000.

Comment

With a separate decision, the DPA also fined the processor €1,500.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10050298]

Provision of 4 July 2024

Register of provisions
no. 405 of 4 July 2024

GUARANTEE FOR THE PROTECTION OF PERSONAL DATA



IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

From a press article it was learned that the Municipality of Treviso (hereinafter, the “Municipality”) would have used drones equipped with video devices capable of identifying heat sources, including human bodies, in order to combat the phenomenon of night-time burglaries in homes. 

The same article also referred to the possibility for citizens to report any crimes suffered through a computer application called “TrevisoSicura”. 

2. The preliminary investigation.

In response to a request for information from the Authority, the Municipality, with a note dated 7 December 2022 (ref. no. 0180056/2022), as integrated with notes dated 22 February 2023, declared, in particular, that:

A)    in reference to the use of drones by the Local Police:

- “within the Local Police Command […] a specialized unit of agents has been set up, aimed at using the specific technology represented by the APR (remotely piloted aircraft) more commonly known as “drones””;

- “all the APRs have payloads consisting of photographic equipment with optics suitable for obtaining photographic shots and video recordings, [and some are] equipped with a thermal option”;

- “infrared optics, or thermal cameras, refer to technological instruments that, based on the detection, without contact, of the heat emitted by any object or body that has a temperature above absolute zero (-273.15 C°), in the form of infrared rays, therefore invisible to the naked eye, processes the image, returning to the operator who uses said media, the sighting of things in total or semi-darkness, being able to then generate a photo or video”;

- “[…] the image, displayed on the police operator’s visor or on the SAPR operator’s monitor, corresponds to the heat map that the emanating object, or subject, produces. The thermal signal is converted into an electrical one and then the scene is shown on a screen as if it were a television image”;

- “up to the date of the request for information by the Authority, the APRs have been used […] [, among other things,] in police and public safety operations for which the Local Police is involved by virtue of its auxiliary functions and competences pursuant to art. 5 L. 65/86”;

- “the use of the technologies mentioned does not envisage that subjects can be identified or identifiable in any way since these have the sole purpose of making “heat maps” visible to the operator, consisting of indistinguishable silhouettes that are then reported to the local police operators who, in coordination with the operations centre, appropriately guided, then carry out the police assessment “in person” with the classic police identification and any judicial or administrative excursus”;

- “[…] no cataloguing or data collection or processing activity is performed, and has never been performed through the use of said technologies, not even with the detection of temperatures expressed in degrees Celsius, since the thermal cameras only return color variations in relation to the temperature variations detected, but do not reveal the “temperature” data of the subject to be used exclusively in the search for missing subjects in the context of interventions in the event of natural disasters”;

- “[…] from the day on which the request for information by the Guarantor Authority was made known, any form of use of drones was suspended, as a preventive and precautionary measure”. 

 

B)    with reference to the “TrevisoSicura” application:

- “the APP called “TrevisoSicura” is provided by the Lapis Company [sas] [hereinafter, the “Company”] […]”;

- “the PL Command through the reports that come voluntarily from citizens receives specific and detailed reports relating to waste abandoned in the municipal territory […]”;

- “the same APP allows citizens to report that they have suffered a theft and the place where it occurred: this allows the judicial police office of the PL command to better identify the areas affected by predatory crimes and then organize targeted services both in plain clothes and in uniform for the prevention of the aforementioned crimes. This is a normal judicial police activity, handled by the agents and officers of the judicial police”;

- “another method provided by the App concerns communication to the citizen, notified of the availability of news from the Municipality with the receipt of a notification”;

- “the report necessarily requires the name and telephone number of the reporting person in order to proceed with the validation of the same by sending an SMS message to be confirmed via a link. The system then proceeds with forwarding to the administration”;

- “it is also possible […] to attach a photo or take it at the same time”; 

- “it is instead mandatory to indicate the type of report (waste, theft, etc.) and a free text message field where the citizen can provide further information”;

- “the PL staff receives an e-mail notification of a new report and forwards the information to colleagues for further investigation and resolution of the problem highlighted by the citizen”;

- “it is clear that this method, not correctly structured at the process level, […] could […] temporarily and initially fulfill the need to open a communication channel towards citizens but, evidently, requires a complete revision”;

- “the same method of transferring the report via email was probably the misleading element, starting from the supplier who, according to the information published at the web address https://trevisosicura.it/privacy.html [...] plays the role of owner, irregularly placing the recipients of the reports (local authorities and police forces) even as “Data Processors”, moreover in clear contrast with what is instead provided for by art. 2-ter of the Code”; 

- “the incorrect identification of the figures and the consequent reversal of the roles provided for by the discipline has not only formally flawed the general system but also the due obligations, starting from the appointment as data controller and the due, as coherent with respect to the processing, information to citizens […]”; 

- “the app in question, after an experimental period, was activated from 07.27.2020. So far, an average of around 400 reports have been received from citizens per year, compared to a number of downloads reported in the Android Store of more than 1,000 since the publication date. However, immediately after the request for information by the Guarantor Authority, the reporting functions were immediately disabled, leaving only any news notifications”;

- “the adoption of the app by the Municipality of Treviso has the objective of improving and facilitating communication between citizens and the administration, also considering the push mode of sending notifications regarding events, demonstrations and news. Reports by citizens fall fully within the execution of a task of public interest or connected to the exercise of public powers as provided for by the TUEL”;

- “at the moment, the retention period of the reports reported in the information is a maximum of 12 months; on the app web page, a retention period of 3 months from the report with subsequent automatic deletion is reported. In consideration of the purpose and especially the method of routing of the reports, it is believed, in order to considerably reduce the exposure surface and consequently the risks for the interested parties, to avoid such storage by the systems upstream or in any case to limit to a number of days compatible with any problems of receiving the email, consequently updating the information"; 

- "[…] the app provider must be appointed Data Controller and [it is necessary] to provide the same with specific technical and organizational requirements regarding the app itself and the security of the back end [...]"; 

- "at the moment no decisions have been adopted aimed at regulating the processing of personal data deriving from the provision of the app due to the incorrect identification of the roles envisaged by the Regulation.The only decisions concern the activation/maintenance of the service for the years 2021 and 2022". 

With a note dated 6 April 2023 (ref. no. 0058164), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, in relation to the following alleged violations of the data protection legislation:

a) in the context of the use of drones:

- for having processed personal data, including data relating to crimes, in a manner not compliant with the principle of "lawfulness, correctness and transparency", in the absence of an appropriate regulatory basis, in violation of art. 5, paragraph 1, letter b), of the Regulation; a), 6 and 10 of the Regulation, as well as 2-ter and 2-octies of the Code; 

- for having failed to draw up a data protection impact assessment before starting the processing, in violation of art. 35 of the Regulation; 

b) in the context of the use of the IT application “TrevisoSicura”:

- for having processed the personal data of the users of the IT application in the absence of an appropriate legal basis, in violation of art. 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code; 

- for having provided the data subjects with an inadequate information notice on the processing of personal data, in violation of art. 5, par. 1, letter a), and 13 of the Regulation; 

- for having failed to enter into, as data controller, a data protection agreement with the Company, as data processor, in violation of art. 28, par. 3, of the Regulation;

- for having acted in a manner that is not compliant with the principles of data protection by design and by default, as well as accountability, in violation of Articles 5, paragraph 2 (in conjunction with Article 24), and 25 of the Regulation.

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note dated 4 May 2023 (ref. no. 0135761/23), the Municipality submitted a defence brief, declaring, in particular, that:

- “the use of drones [occurs] […] only for administrative purposes and for activities that do not involve the processing of personal data, except in an eventual or accidental manner”;

- “[…] for the activities carried out under the jurisdiction of the local police, the use of the aforementioned technologies does not involve the processing of personal data and, even more so, [the processing of judicial data pursuant to art. 10 [of the Regulation] is not foreseen”;

- “[…] no subjects were identified during the activity carried out by the drone pilots and […] the owner’s practices do not provide for any type of recognition in such conditions”; 

- “[…] the use of the drone with a thermal camera, pending indications on the correct use, has already been suspended […]”;

- “with reference to the “TrevisoSicura” app, it is confirmed, unfortunately, [that the initiative is] the result of an assignment in a complicated period such as the autumn of 2020 [in which] the need to protect the health of the population […] was necessary [and] expressly requested by the health authorities”;

- “[…] to contain and remedy the errors committed, we proceeded to block on 25 November 2022 the possibility for citizens to make reports, […] to remove the information inserted, having made the application, in fact, unusable. We subsequently proceeded [to remove] the app from the stores where it is published”;

- “we have already proceeded to terminate the relationship with the supplier, contractually concluded on 31.12.2022, and the related app, in order to proceed with a new assignment that complies with all the data protection principles indicated, starting with an approach compliant with the principles of privacy by design”;

- “[…] only in some cases were situations reported that could only abstractly be qualified as crimes”;

- “the number of downloads of the app corresponds to approximately 1% of the resident population and […] the total number of reports in the period is extremely limited”, with n. “43” reports relating to “potholes and various reports”, no. “352” reports relating to “waste” and no. “19” reports relating to “thefts””.

During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on 13 December 2023 (see minutes prot. no. 0165047 of 13 December 2023), the Municipality declared, in particular, that:

- “the press article from which the Authority’s investigation originated did not correctly report the actual methods of use of the drones by the Municipality”;

- “following the start of the investigation by the Authority, the Municipality carried out internal checks, from which it emerged that the drones were equipped with photographic devices only to carry out administrative activities”;

- “it does not appear that the drones were used for police purposes by the Municipality, except, in residual, at the specific request of the Police Forces, who asked for support from the Local Police for the performance of specific police activities”;

- “with regard to the application, […] only a limited number of users used the application (about 1% of citizens) and also the number of reports sent via the application, compared to those that are ordinarily presented to the Local Police, is limited. Therefore, the processing concerned a limited number of personal data”;

- “the Authority had, moreover, also presented the application to the Provincial Committee for Public Order and Security, which, in the person of the Prefect, had expressed appreciation for the initiative”.

3. Outcome of the preliminary investigation.

3.1. The processing of personal data using drones equipped with thermal cameras

First of all, it should be noted that, differently from what was believed by the Municipality, the use of drones equipped with thermal cameras, in order to generate so-called heat maps, on the basis of which de visu checks can be arranged by the patrols of the Local Police in service in the territory, may involve the processing of personal data (see Articles 2, paragraph 1, and 4, nos. 1 and 2, of the Regulation), also relating to crimes (see Article 10 of the Regulation and 2-octies of the Code). As has emerged during the investigation (see illustrative videos in the documents), although it is not possible to recognize the faces of the subjects filmed, the images still allow us to view, with a reasonable level of definition, their silhouettes and movements. Therefore, this is information that, following the possible identification of the alleged perpetrators of the crimes by the Local Police officers or the police forces who intervened on the scene, can be associated with identified natural persons and be used as evidence of criminal offences. It should also be noted that, in implementation of Article 5, paragraph 3-sexies, of Legislative Decree no. 7 of 18 February 2015, art. 3 of the decree of the Ministry of the Interior of 13 June 2022 provides that “the Police Forces use UAS [, unmanned aircraft systems,] for the purposes of territorial control for purposes of public order and safety, with particular reference to the fight against terrorism and the prevention of organised and environmental crime”. The regulatory framework of the sector does not, therefore, generally allow the Local Police Forces of the Municipalities to use drones, equipped with video devices, for purposes related to the protection of public safety, except in cases where auxiliary public safety functions are delegated to the Local Police by the competent authorities for specific operations (see art. 3 and 5, paragraph 1, letter c), of Law no. 7 of 7 March 1986. 65), in any case in compliance with the conditions set out in the sector legislation that governs the use of drones in this context (see art. 2, par. 3, letter a) of Regulation (EU) 1139/2018; Implementing Regulation (EU) no. 947/2019; UAS-IT regulation of the National Civil Aviation Authority of 4 January 2021, art. 2, par. 1, letter b) and Section II - Part B; arts. 743-746 and 748 of Royal Decree 30 March 1942, no. 327), the supervision of which falls outside the powers attributed to the Guarantor by the legislation on data protection. However, it must take note of what was declared by the Municipality, with the assumption of responsibility also pursuant to art. 168 of the Code, regarding the circumstance that the press article, from which the investigation originated, “did not correctly report the actual methods of use of the drones by the Municipality”. The Authority also declared that following internal checks, “it does not appear that the drones were used for police purposes by the Municipality, except, residually, at the specific request of the Police Force, who asked the local Police for support in carrying out specific police activities”. Furthermore, according to what was represented by the Municipality, “no individuals were identified during the activity carried out by the drone pilots”. It is therefore believed that, in relation to the processing of personal data in question and with regard to the contested violations of articles 5, par. 1, letter a), a), 6, 10 and 35 of the Regulation, as well as 2-ter and 2-octies of the Code, the filing of the proceedings should be ordered, as no violation of the legislation on the protection of personal data has been proven, according to the documents (seeart. 14 of the Regulation of the Guarantor n. 1/2019). 

3.2. The processing of personal data in the context of the use of the IT application “TrevisoSicura”

3.2.1. The lawfulness of the processing

During the investigation, it emerged that the IT application “TrevisoSicura” was not used by users to formally submit crime reports to the Local Police in their judicial police function (with the possible indication of the details of the alleged perpetrators of the crimes), having been conceived solely as a tool through which citizens could submit generic reports regarding crimes, not attributed to specific subjects considered as alleged perpetrators, in order to allow the Local Police to have knowledge, on an aggregate basis, of the areas of the city most affected by criminal phenomena and organize “targeted services […] [for] prevention of […] crimes”. 

Consequently, contrary to what was claimed by the Municipality during the investigation, the Local Police of the Municipality did not perform a judicial police function in this context. 

In this regard, it must be noted that Law no. 65 of 7 March 1986 (Framework Law on the organization of the municipal police) assigns the municipal police personnel the performance of four types of functions: local police (art. 1); judicial police (art. 5, letter a)); traffic police (art. 5, letter b)); public safety (art. 5, letter c)). 

Art. 55 of the Code of Criminal Procedure specifies that “1. The judicial police must, also on its own initiative, take notice of the crimes, prevent them from being brought to further consequences, search for the perpetrators, carry out the necessary actions to secure the sources of evidence and collect anything else that may be useful for the application of the criminal law. 2. It carries out any investigation and activity ordered or delegated by the judicial authority. 3. The functions indicated in paragraphs 1 and 2 are carried out by the officers and agents of the judicial police”. 

The Court of Cassation has clarified, with consolidated orientation, that “pursuant to Law 7 March 1986, n. 65, art. 5 and art. 57 c.p.p., paragraph 2, letter b), the status of judicial police officers is expressly attributed to municipal guards, who are recognized with the power to intervene within the territorial scope of the entity to which they belong and within the limits of their own attributions, which include the performance of functions relating to the ascertainment of crimes of any kind, which have occurred in their presence, and which require prompt intervention also for the purpose of acquiring evidence” (Cass. pen. Sect. III, Sent., hearing 07/06/2022, 30/08/2022, no. 31930; see also Cass. pen., sect. 1, 10/03/1994, no. 1193; regarding the territorial limits of the judicial police jurisdiction of local police officers, see also Cass. civ. Sect. II Ord., 08/02/2019, no. 3839; Cass. civ. Sez. VI - 2 Ord., 01/30/2019, n. 2748).

Therefore, “the qualification of judicial police officers attributed to members of the municipal police is […] limited in time ("when they are on duty") and space ("within the territorial scope of the entity to which they belong"), unlike other bodies (State Police, Carabinieri, Guardia di Finanza) whose members operate throughout the national territory and are always on duty” (see Cass. civ. Labour Section, Ord., 12/02/2019, n. 31388; Cass. pen. 06/10/2015, n. 35099). 

Consequently, judicial police operations by the local police, on the initiative of individuals during the service, are permitted exclusively in case of necessity due to the flagrant nature of the crime committed in the territory to which they belong. Otherwise, outside of this hypothesis, the judicial police activity of the Local Police is permitted exclusively "under the control and direction of the judicial authority" (art. 56 c.p.p.), limited to "acts specifically delegated to it pursuant to article 370, carrying out the directives of the public prosecutor", while any activity of its own initiative is precluded.

With regard to the public safety functions of the local police, art. 5, paragraph 1, letter c), of law no. 65 of 7 March 1986 provides that "the personnel who perform municipal police service, within the territorial scope of the body to which they belong and within the limits of their own powers, also perform [...] auxiliary public safety functions"; this "collaborating, within the scope of their powers, with the State Police Forces, following the mayor's instructions, when a motivated request is made for specific operations by the competent authorities" (art. 3). To this end, the Prefect confers upon the personnel of the Local Police, upon communication from the Mayor, the quality of public safety agent, after having ascertained that they possess the requirements set forth by law (art. 5, paragraph 2). In the exercise of the functions of public safety agent, such personnel, made available by the Mayor, depend operationally on the competent public safety authority in compliance with any agreements between said authorities and the Mayor (art. 5, paragraph 4).

In the case in question - in which, however, it does not appear that the Municipality became aware of the personal data relating to the alleged perpetrators of the reported crimes, or 19 cases of theft -, the Authority has not proven that the collection of reports from citizens, aimed at planning public safety activities in the territory, was carried out at the request of the competent public safety authorities. 

Therefore, since the Local Police of the Municipality does not have general competence in the matter, it must be considered that the processing of the personal data in question was carried out in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of Articles 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code. 

3.2.2 The incorrect qualification of the roles in terms of personal data protection and the failure to enter into a data protection agreement with the data controller

Pursuant to Article 28, par. 3, of the Regulation, “processing by a processor must be governed by a contract or other legal act pursuant to 26 Union or Member State law, which binds the processor to the controller, which stipulates the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller”, and which includes all the commitments provided for by the same art. 28, par. 3, of the Regulation (see recital 81 of the Regulation).

The contract or other legal act must be “stipulated in written form, including in electronic format” (art. 28, par. 9, of the Regulation).

During the investigation, it emerged that the Municipality has assumed the role of data controller in the relationship with the Company, supplier of the application “TrevisoSicura”, which qualified itself as the controller of the personal data of the users of that application.

As acknowledged by the Municipality, the Entity should have instead been qualified as the data controller, as the entity to which the purposes and means of the processing are attributable and which determined them. Conversely, the application provider should have been qualified as the data processor, since it processed the aforementioned personal data not for its own purposes, but on behalf of and in the interest of the Municipality.

Having said this, it should be noted that the Municipality, as the data controller, failed to enter into an agreement on the protection of personal data with the aforementioned provider, as the data processor.

In this regard, it should be noted that, as clarified by the European Data Protection Board, “since the Regulation clearly establishes the obligation to enter into a written contract, if no other relevant legal act is in force, there is a violation of the [Regulation], or of “Article 28, paragraph 9, of the [Regulation]”. Considering that “both the controller and the processor are responsible for ensuring the existence of a contract or other legal act governing the processing”, the competent supervisory authority “may impose an administrative fine on both the controller and the processor” (“Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, para. 103). 

Therefore, where, as in the present case, there is “a data controller-processor relationship […] even in the absence of a [valid] written processing agreement” - since the entity processing the data does not actually process the data for its own purposes but on behalf of the commissioning entity and data controller, in the performance of a service contract or other similar legal relationship between the parties (see the definition of “processor” in art. 4, par. 1, no. 8, of the Regulation) - “this implies […] a violation of Article 28, paragraph 3, of the [Regulation]” (ibidem, par. 103 and note no. 42). 

Given that, in the present case, no agreement on the protection of personal data was stipulated with the supplier and maintainer of the IT application “TrevisoSicura”, who actually acted as data controller, it must be concluded that the Municipality has committed a violation of art. 28, par. 3, of the Regulation. 

3.2.3 The inappropriate information on the processing of personal data

Also due to the incorrect qualification of the roles in terms of personal data protection, the information on the processing of personal data that was provided to the users of the “TrevisoSicura” application (in the files), cannot be considered fully compliant with the requirements set out in art. 13 of the Regulation.

This is because this information:

- erroneously indicates the Company as the data controller instead of the Municipality, whose contact details are not indicated (see art. 13, par. 1, letter a), of the Regulation);

- does not indicate the contact details of the Data Protection Officer designated by the Municipality (see art. 13, par. 1, letter b), of the Regulation);

- fails to refer, as the legal basis for the processing, to the need to exercise tasks of public interest specific to the Municipality (see art. 13, par. 1, letter c), of the Regulation);

- does not mention the Company among the recipients of the data in the capacity of data controller (see art. 13, par. 1, letter e), of the Regulation); 

- indicates a data retention period (“maximum 12 months”) that does not correspond to that indicated on the application web page (“3 months from notification with subsequent automatic deletion”) (see art. 13, par. 2, letter a), of the Regulation);

- does not mention the right of the data subject to lodge a complaint with a supervisory authority (see art. 13, par. 2, letter d), of the Regulation);

- does not clarify whether the data subject is obliged to provide personal data or the possible consequences of failure to provide them (see art. 13, par. 2, letter e), of the Regulation).

It must therefore be concluded that the Municipality, in its capacity as data controller, which is subject to the transparency obligations provided for by the data protection legislation, has acted in violation of art. 5, par. 1, letter a), and 13 of the Regulation.

3.2.4 Violation of the principles of data protection by design and by default, as well as accountability

From the overall investigation launched against the Municipality, it emerged that the Authority made the IT application “TrevisoSicura” available to users, without, however, having adopted any internal act aimed at regulating the processing and ensuring overall compliance with the data protection legislation, having, moreover, erroneously attributed to itself the role of data controller (see the aforementioned statements of the Municipality regarding the circumstance that "at the moment no decisions have been adopted aimed at regulating the processing of personal data deriving from the provision of the app due to the incorrect identification of the roles envisaged by the Regulation. The only decisions concern the activation/maintenance of the service for the years 2021 and 2022”).

Therefore, the Authority did not identify, before starting the processing and from the design of the application, the necessary measures aimed at implementing the principles of data protection, integrating the necessary guarantees into the processing in order to meet the requirements of the Regulation (see art. 25, par. 1, of the Regulation).

Nor have adequate technical and organizational measures been implemented to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed (see art. 25, par. 2, of the Regulation). In particular, the Municipality, by configuring the application in such a way as to grant data subjects the possibility of entering free text in a specific field, did not consider the possibility that they could send the Authority data that are not relevant to the purpose pursued (see art. 5, par. 1, letter c), which formalizes the principle of "data minimization"), or the mapping of the areas of the city affected by criminal phenomena, with the consequent risk of acquiring data belonging to particular categories (see art. 9 of the Regulation) or to crimes (see art. 10 of the Regulation). 

The Municipality then stated that "at the moment the retention period of the reports reported in the information is a maximum of 12 months", while "the web page of the app instead reports a retention period of 3 months from the report with subsequent automatic deletion". Notwithstanding that there is an inconsistency with regard to the retention times declared in the information and those mentioned on the web page of the application, the Municipality nevertheless acknowledged that "in consideration of the purpose and above all the method of routing the reports, it is believed, in order to considerably reduce the surface of exposure and consequently the risks for the interested parties, to avoid such retention by the systems upstream or in any case to limit to a number of days compatible with any problems in receiving the email, consequently updating the information". Therefore, as admitted by the Municipality itself, the retention of the reports in the IT systems of the supplier, after sending them to the local police by email, was not, in any case, necessary.

From the above considerations it emerges that the Municipality was not able to demonstrate that it had complied with the principles of data protection and that it had taken due account of the personal data protection profiles before making the “TrevisoSicura” application available to users, thus failing to comply with the obligations arising from the principle of accountability, which informs the European legislation on data protection (see Articles 5, paragraph 2, and 24, paragraphs 1 and 2, of the Regulation).

It must therefore be concluded that the Municipality acted in a manner that was not compliant with the principles of accountability and data protection by design and by default, in violation of Articles 5, paragraph 2 (in conjunction with Article 24), and 25 of the Regulation.

4. Conclusions.

In light of the above assessments, it is noted that the declarations made by the data controller during the investigation ˗ the truthfulness of which may be held accountable pursuant to Article 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having processed personal data in the context of the use of the application "TrevisoSicura", in violation of arts. 5, par. 1, letter a) and par. 2 (in conjunction with art. 24), 6, 13, 25 and 28, par. 3, of the Regulation, as well as 2-ter of the Code. 

Taking into account that the violation of the aforementioned provisions occurred as a consequence of a single conduct (same processing or processing linked to each other), art. 83, par. 3, of the Regulation, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, relating to Articles 5, 6 and 13 of the Regulation, as well as 2-ter of the Code, are subject to the sanction provided for by Article 83, par. 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000. 

In this context, considering, in any case, that the conduct has exhausted its effects, given that the reporting functions of the IT application have been deactivated and that the maximum retention period for reports already received has elapsed, the conditions for the adoption of further corrective measures pursuant to Article 58, par. 2, of the Regulation do not apply.

5.    Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

Violation of the provisions cited is subject to the application of an administrative pecuniary sanction pursuant to the combined provisions of articles 58, paragraph 2, letters i), and 83, paragraph 5, of the Regulation.

The administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in article 83, paragraph 2, of the Regulation.

Considering that:

- although the IT application “TrevisoSicura” was made available to users for an extended period of time (from July 2020 to December 2022), the Municipality received a low number of reports (n. 414) and, therefore, the processing concerned a limited number of interested parties compared to the total number of residents in the Municipality (approximately 85,000 inhabitants) (see art. 83, par. 2, letter a), of the Regulation);

- the relationship between the Municipality and the Company, in addition to not having been definitive in a data protection agreement stipulated pursuant to art. 28, par. 3, of the Regulation, has not been correctly framed, for data protection purposes, even within the scope of the contract for the supply of maintenance services (see the Company's email of 5 May 2023, acquired within the scope of the separate but connected proceeding initiated against the same, where it is stated that the client relationship between the Municipality and the Company "is not regulated except in a scant disciplinary" (see art. 83, par. 2, letter a), of the Regulation); 

- the violation is negligent (see art. 83, par. 2, letter b), of the Regulation); 

- the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation) or data relating to crimes (see art. 10 of the Regulation), although, as illustrated above, the fact that the application was configured in such a way as to allow users to enter free text exposed the Municipality to the risk of also acquiring such types of data (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in the specific case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account: 

- the Municipality has a high degree of responsibility, having substantially failed to consider the data protection profiles underlying the processing in question, before carrying out the same (Article 83, paragraph 2, letter d), of the Regulation); 

- the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to deactivate the reporting functions of the IT application immediately after learning of the start of the investigation (Article 83, paragraph 2, letter f), of the Regulation); 

- there are no previous relevant violations committed by the Municipality (Article 83, paragraph 2, letter e), of the Regulation). 

On the basis of the above elements, assessed as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 7,000 (seven thousand) for the violation of Articles 5, paragraph 1, letter a) and paragraph 2 (in conjunction with Article 24), 6, 13, 25 and 28 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to Article 83, paragraph 1, of the Regulation, effective, proportionate and dissuasive. 

Considering that the processing of the personal data in question took place in violation of the aforementioned provisions of the Regulation for an extended period of time and that, as emerged from the investigation, the Municipality substantially failed to consider the data protection profiles before making the application available to users, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, paragraph 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Treviso due to violation of arts. 5, paragraph 1, letter a) and paragraph 2 (in conjunction with art. 24), 6, 13, 25 and 28 of the Regulation, as well as 2-ter of the Code, within the terms set out in the reasons;

ORDERS

the Municipality of Treviso, in the person of its legal representative pro-tempore, with registered office in Via Del Municipio, 16 - 31100 Treviso (TV), C.F. 80007310263, to pay the sum of 7,000 (seven thousand) euros as an administrative pecuniary sanction for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 7,000 (seven thousand) euros according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- the archiving, pursuant to art. 14 of the Regulation of the Guarantor no. 1/2019, of the dispute concerning the processing of personal data carried out through the use of drones equipped with thermal cameras by the Local Police;

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Regulation of the Guarantor no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of the violations and of the measures adopted in accordance with art. 58, par. 2, of the Regulation (see art. 17 of the Regulation of the Guarantor n. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision it is possible to lodge an appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. 

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei
 

[web doc. n. 10050298]

Provision of 4 July 2024

Register of provisions
n. 405 of 4 July 2024

GUARANTEE FOR THE PROTECTION OF PERSONAL DATA



IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter, “Regulation”);

HAVING SEEN Legislative Decree no. 30 June 2003 196 containing the “Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC (hereinafter “Code”); 

SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority, approved with resolution no. 98 of 4 April 2019, published in the Official Journal no. 106 of 8 May 2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Authority Regulation no. 1/2019”);

Having seen the documentation in the files;

Having seen the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. n. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. Introduction.

From a press article it was learned that the Municipality of Treviso (hereinafter, the “Municipality”) would have used drones equipped with video devices capable of identifying heat sources, including human bodies, in order to combat the phenomenon of night-time burglaries in homes. 

The same article also referred to the possibility for citizens to report any crimes suffered through an IT application called “TrevisoSicura”. 

2. The investigative activity.

In response to a request for information from the Authority, the Municipality, with a note dated 7 December 2022 (ref. no. 0180056/2022), as integrated with notes dated 22 February 2023, declared, in particular, that:

A)    with reference to the use of drones by the Local Police:

- “within the Local Police Command […] a specialized unit of agents has been set up, aimed at using the specific technology represented by the APR (remotely piloted aircraft) more commonly known as “drones””;

- “all APRs have payloads consisting of photographic equipment with optics suitable for obtaining photographic shots and video recordings, [and some are] equipped with a thermal option”;

- “infrared optics, or thermal cameras, refer to technological instruments that, based on the detection, without contact, of the heat emitted by any object or body that has a temperature above absolute zero (-273.15 C°), in the form of infrared rays, therefore invisible to the naked eye, processes the image, returning to the operator who uses said media, the sighting of things in total or semi-darkness, being able to then generate a photo or video”;

- “[…] the image, displayed on the police operator’s visor or on the SAPR operator’s monitor, corresponds to the heat map that the emanating object, or subject, produces. The thermal signal is converted into an electrical one and then the scene is shown on a screen as if it were a television image”;

- “up to the date of the request for information by the Authority, the APRs have been used […] [, among other things,] in police and public safety operations for which the Local Police is involved by virtue of its auxiliary functions and competences pursuant to art. 5 L. 65/86”;

- “the use of the technologies mentioned does not envisage that subjects can be identified or identifiable in any way since these have the sole purpose of making “heat maps” visible to the operator, consisting of indistinguishable silhouettes that are then reported to the local police operators who, in coordination with the operations centre, appropriately guided, then carry out the police assessment “in person” with the classic police identification and any judicial or administrative excursus”;

- “[…] no cataloguing or data collection or processing activity is performed, and has never been performed through the use of said technologies, not even with the detection of temperatures expressed in degrees Celsius, since the thermal cameras only return color variations in relation to the temperature variations detected, but do not reveal the “temperature” data of the subject to be used exclusively in the search for missing subjects in the context of interventions in the event of natural disasters”;

- “[…] from the day on which the request for information by the Guarantor Authority was made known, any form of use of drones was suspended, as a preventive and precautionary measure”. 

 

B)    with reference to the “TrevisoSicura” application:

- “the APP called “TrevisoSicura” is provided by the Lapis Company [sas] [hereinafter, the “Company”] […]”;

- “the PL Command through the reports that come voluntarily from citizens receives specific and detailed reports relating to waste abandoned in the municipal territory […]”;

- “the same APP allows citizens to report that they have suffered a theft and the place where it occurred: this allows the judicial police office of the PL command to better identify the areas affected by predatory crimes and then organize targeted services both in plain clothes and in uniform for the prevention of the aforementioned crimes.This is a normal judicial police activity, handled by judicial police agents and officers”;

- “another method provided by the App concerns communication to the citizen, who is notified of the availability of news from the Municipality by receiving a notification”;

- “the report requires the name and telephone number of the person reporting it in order to proceed with its validation by sending an SMS message to be confirmed via a link. The system then forwards it to the administration”;

- “it is also possible […] to attach a photo or take it at the same time”; 

- “it is instead mandatory to indicate the type of report (waste, theft, etc.) and a free text message field where the citizen can provide further information”;

- “the PL staff receives an e-mail notification of a new report and forwards the information to colleagues for further investigations and the resolution of the problem highlighted by the citizen”;

- “it is clear that this method, not properly structured at the process level, […] could […] temporarily and initially fulfill the need to open a communication channel towards citizens but, evidently, requires a complete revision”;

- “the same method of transferring the report via email was probably the misleading element, starting from the supplier who, according to the information published at the web address https://trevisocura.it/privacy.html [...] plays the role of owner, irregularly placing the recipients of the reports (local authorities and police forces) even as “Data Processors”, moreover in clear contrast with what is instead provided for by art. 2-ter of the Code”; 

- “the incorrect identification of the figures and the consequent reversal of the roles provided for by the discipline has not only formally vitiated the general system but also the due obligations, starting from the appointment as data controller and the due, as coherent with respect to the processing, information to citizens […]”; 

- “the app in question, after an experimental period, was activated on 07.27.2020. So far, an average of around 400 reports have been received from citizens per year, compared to a number of downloads reported in the Android Store of more than 1,000 starting from the date of publication. However, immediately after the request for information by the Guarantor Authority, the reporting functions were immediately disabled, leaving only any news notifications”;

- “the adoption of the app by the Municipality of Treviso aims to improve and facilitate communication between citizens and the administration, also considering the push mode of sending notifications regarding events, demonstrations and news. Reports by citizens fall fully within the performance of a task of public interest or connected to the exercise of public powers as provided for by the TUEL”;

- “at the moment, the retention period for reports reported in the information is a maximum of 12 months; the app web page instead reports a retention period of 3 months from the report with subsequent automatic deletion. In consideration of the purpose and above all the method of routing the reports, it is believed, in order to considerably reduce the exposure surface and consequently the risks for the interested parties, to avoid such retention by the systems upstream or in any case to limit to a number of days compatible with any problems receiving email, consequently updating the information"; 

- "[…] the app provider must be appointed Data Controller and [it is necessary] to provide the same with specific technical and organizational requirements regarding the app itself and the security of the back end [...]"; 

- "at the moment no decisions have been adopted aimed at regulating the processing of personal data deriving from the provision of the app due to the incorrect identification of the roles envisaged by the Regulation. The only decisions concern the activation/maintenance of the service for the years 2021 and 2022". 

With a note dated 6 April 2023 (ref. no. 0058164), the Office, on the basis of the elements acquired, the checks carried out and the facts that emerged following the preliminary investigation, notified the Municipality, pursuant to art. 166, paragraph 5, of the Code, the initiation of the procedure for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation, in relation to the following alleged violations of the data protection legislation:

a) in the context of the use of drones:

- for having processed personal data, including data relating to crimes, in a manner that does not comply with the principle of "lawfulness, fairness and transparency", in the absence of an appropriate regulatory basis, in violation of art. 5, paragraph 1, letter a), 6 and 10 of the Regulation, as well as 2-ter and 2-octies of the Code;

- for having failed to draw up a data protection impact assessment before starting the processing, in violation of art. 35 of the Regulation; 

b) in the context of the use of the IT application “TrevisoSicura”:

- for having processed the personal data of the users of the IT application in the absence of an appropriate legal basis, in violation of art. 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code; 

- for having provided the data subjects with an inadequate information notice on the processing of personal data, in violation of art. 5, par. 1, letter a), and 13 of the Regulation; 

- for having failed to enter into, as data controller, a data protection agreement with the Company, as data processor, in violation of art. 28, par. 3, of the Regulation; 

- for having acted in a manner that was not compliant with the principles of data protection by design and by default, as well as accountability, in violation of Articles 5, paragraph 2 (in conjunction with Article 24), and 25 of the Regulation.

With the same note, the aforementioned owner was invited to produce defensive writings or documents to the Guarantor or to request to be heard by the Authority (Article 166, paragraphs 6 and 7, of the Code, as well as Article 18, paragraph 1, of Law No. 689 of 24 November 1981).

With a note dated 4 May 2023 (ref. No. 0135761/23), the Municipality submitted a defensive brief, declaring, in particular, that:

- “the use of drones [occurs] […] only for administrative purposes and for activities that do not involve the processing of personal data, except in an eventual or accidental manner”;

- “[…] for the activities carried out under the jurisdiction of the local police, the use of the technologies mentioned does not involve the processing of personal data and, even more so, [the processing of judicial data pursuant to art. 10 [of the Regulation] is not foreseen”;

- “[…] no subjects were identified during the activity carried out by the drone pilots and […] the owner’s practices do not provide for any type of recognition in such conditions”;

- “[…] the use of the drone with a thermal camera, pending indications on the correct use, has already been suspended […]”;

- “with reference to the “TrevisoSicura” app, it is confirmed, unfortunately, [that the initiative is] the result of an assignment in a complicated period such as the autumn of 2020 [in which] the need to protect the health of the population […] was necessary [and] expressly requested by the health authorities”;

- “[…] to contain and remedy the errors committed, on 25 November 2022 the possibility for citizens to make reports was blocked, […] to have the information inserted removed, having made the application, in fact, unusable. The app was subsequently [removed] from the stores where it is published”;

- “the relationship with the supplier, contractually concluded on 31.12.2022, and the related app have already been terminated, in order to proceed with a new assignment that complies with all the data protection principles indicated, starting with an approach compliant with the principles of privacy by design”;

- “[…] only in some cases were situations communicated that could only abstractly be qualified as crimes”;

- “the number of downloads of the app corresponds to approximately 1% of the resident population and […] the total number of reports in the period is extremely limited”, as n. were received. “43” reports relating to “potholes and various reports”, no. “352” reports relating to “waste” and no. “19” reports relating to “thefts””.

During the hearing, requested pursuant to art. 166, paragraph 6, of the Code and held on 13 December 2023 (see minutes prot. no. 0165047 of 13 December 2023), the Municipality declared, in particular, that:

- “the press article from which the Authority’s investigation originated did not correctly report the actual methods of use of the drones by the Municipality”;

- “following the start of the investigation by the Authority, the Municipality carried out internal checks, from which it emerged that the drones were equipped with photographic devices only to carry out administrative activities”;

- “it does not appear that the drones were used for police purposes by the Municipality, except, in residual, at the specific request of the Police Forces, who asked for support from the Local Police for the performance of specific police activities”;

- “with regard to the application, […] only a limited number of users have used the application (about 1% of citizens) and also the number of reports sent via the application, compared to those that are ordinarily presented to the Local Police, is limited. Therefore, the processing concerned a limited number of personal data”;

- “the Authority had, moreover, also presented the application to the Provincial Committee for Public Order and Security, which, in the person of the Prefect, had expressed appreciation for the initiative”.

3. Outcome of the investigation.

3.1. Processing of personal data using drones equipped with thermal cameras

First of all, it should be noted that, differently from what the Municipality believed, the use of drones equipped with thermal cameras, in order to generate so-called heat maps, on the basis of which de visu checks can be arranged by the local police patrols on duty in the territory, may involve the processing of personal data (see art. 2, par. 1, and 4 nos. 1 and 2, of the Regulation), also relating to crimes (see art. 10 of the Regulation and 2-octies of the Code). As it emerged during the investigation (see example videos in the documents), although it is not possible to recognize the faces of the subjects filmed, the images still allow us to view, with a reasonable level of definition, their silhouettes and movements. Therefore, in any case, this is information that, following the possible identification of the alleged perpetrators of the crimes by the local police officers or law enforcement officers who intervened on the scene, can be associated with identified natural persons and be used as evidence of criminal offences. It should also be noted that, in implementation of art. 5, paragraph 3-sexies, of Legislative Decree no. 7 of 18 February 2015, art. 3 of the decree of the Ministry of the Interior of 13 June 2022 provides that "the police forces use UAS [, unmanned aircraft systems,] for the purposes of territorial control for purposes of public order and safety, with particular reference to the fight against terrorism and the prevention of organised and environmental crime". The regulatory framework of the sector does not, therefore, generally allow the local police forces of the Municipalities to use drones, equipped with video devices, for purposes related to the protection of public safety, except in cases where auxiliary public safety functions are delegated to the local police by the competent authorities for specific operations (see art. 3 and 5, paragraph 1, letter c), of Law no. 65 of 7 March 1986), in any case in compliance with the conditions set out in the sector legislation that governs the use of drones in this context (see art. 2, paragraph 3, letter a) of Regulation (EU) 1139/2018; Implementing Regulation (EU) no. 947/2019; UAS-IT regulation of the National Civil Aviation Authority of 4 January 2021, art. 2, paragraph 1, letter b) and Section II - Part B; arts. 743-746 and 748 of the Royal Decree of 30 March 1942, no. 327), the supervision of which is outside the powers attributed to the Guarantor by the legislation on data protection.

However, it is necessary to take note of what was declared by the Municipality, with the assumption of responsibility also pursuant to art. 168 of the Code, regarding the circumstance that the press article, from which the investigation originated, "did not correctly report the actual methods of use of the drones by the Municipality". The Authority also declared that following internal checks, "it does not appear that the drones were used for police purposes by the Municipality, except, residually, at the specific request of the Police Forces, who asked for support from the local Police to carry out specific police activities". Furthermore, according to what was represented by the Municipality, "no individuals were identified during the activity carried out by the drone pilots". It is therefore believed that, in relation to the processing of personal data in question and with regard to the contested violations of Articles 5, par. 1, letter a), 6, 10 and 35 of the Regulation, as well as 2-ter and 2-octies of the Code, the filing of the proceedings should be ordered, as no violation of the legislation on the protection of personal data has been proven, in the current state of the documents (see Article 14 of the Regulation of the Guarantor no. 1/2019). 

3.2. The processing of personal data in the context of the use of the IT application “TrevisoSicura”

3.2.1. The lawfulness of the processing

During the investigation, it emerged that the IT application “TrevisoSicura” was not used by users to formally submit crime reports to the Local Police in their judicial police function (with the possible indication of the details of the alleged perpetrators of the crimes), having been conceived solely as a tool through which citizens could submit generic reports regarding crimes, not attributed to specific individuals considered as alleged perpetrators, in order to allow the Local Police to have knowledge, on an aggregate basis, of the areas of the city most affected by criminal phenomena and organize “targeted services […] [for] prevention of […] crimes”. 

Consequently, contrary to what was claimed by the Municipality during the investigation, the Local Police of the Municipality did not perform a judicial police function in this context. 

In this regard, it must be noted that Law no. 7 March 1986, n. 65 (Framework Law on the Organization of the Municipal Police) assigns the municipal police personnel the performance of four types of functions: local police (art. 1); judicial police (art. 5, letter a)); traffic police (art. 5, letter b)); public safety (art. 5, letter c)). 

Art. 55 of the Code of Criminal Procedure specifies that “1. The judicial police must, also on its own initiative, take notice of crimes, prevent them from being brought to further consequences, search for the perpetrators, carry out the necessary actions to secure the sources of evidence and collect anything else that may be useful for the application of the criminal law. 2. It carries out any investigation and activity ordered or delegated by the judicial authority. 3. The functions indicated in paragraphs 1 and 2 are carried out by the officers and agents of the judicial police”. 

The Court of Cassation has clarified, with a consolidated orientation, that "pursuant to Law 7 March 1986, n. 65, art. 5 and art. 57 c.p.p., paragraph 2, letter. b), the status of judicial police officers is expressly attributed to municipal guards, who are recognized with the power to intervene within the territorial scope of the entity to which they belong and within the limits of their own attributions, which include the performance of functions relating to the ascertainment of crimes of any kind, which have occurred in their presence, and which require prompt intervention also for the purpose of acquiring evidence” (Cass. pen. Sect. III, Sent., hearing 07/06/2022, 30/08/2022, no. 31930; see also Cass. pen., sect. 1, 10/03/1994, no. 1193; regarding the territorial limits of the judicial police jurisdiction of local police officers, see also Cass. civ. Sect. II Ord., 08/02/2019, no. 3839; Cass. civ. Sez. VI - 2 Ord., 01/30/2019, n. 2748).

Therefore, “the qualification of judicial police officers attributed to members of the municipal police is […] limited in time ("when they are on duty") and space ("within the territorial scope of the entity to which they belong"), unlike other bodies (State Police, Carabinieri, Guardia di Finanza) whose members operate throughout the national territory and are always on duty” (see Cass. civ. Labour Section, Ord., 12/02/2019, n. 31388; Cass. pen. 06/10/2015, n. 35099). 

Consequently, judicial police operations by the local police, on the initiative of individuals during the service, are permitted exclusively in case of necessity due to the flagrant nature of the crime committed in the territory to which they belong. Otherwise, outside of this hypothesis, the judicial police activity of the Local Police is permitted exclusively "under the control and direction of the judicial authority" (art. 56 c.p.p.), limited to "acts specifically delegated to it pursuant to article 370, carrying out the directives of the public prosecutor", while any activity of its own initiative is precluded.

With regard to the public safety functions of the local police, art. 5, paragraph 1, letter c), of law no. 65 of 7 March 1986 provides that "the personnel who perform municipal police service, within the territorial scope of the body to which they belong and within the limits of their own powers, also perform [...] auxiliary public safety functions"; this "collaborating, within the scope of their powers, with the State Police Forces, following the mayor's instructions, when a motivated request is made for specific operations by the competent authorities" (art. 3). To this end, the Prefect confers upon the personnel of the Local Police, upon communication from the Mayor, the quality of public safety agent, after having ascertained that they possess the requirements set forth by law (art. 5, paragraph 2). In the exercise of the functions of public safety agent, such personnel, made available by the Mayor, depend operationally on the competent public safety authority in compliance with any agreements between said authorities and the Mayor (art. 5, paragraph 4).

In the case in question - in which, however, it does not appear that the Municipality became aware of the personal data relating to the alleged perpetrators of the reported crimes, or 19 cases of theft -, the Authority has not proven that the collection of reports from citizens, aimed at planning public safety activities in the territory, was carried out at the request of the competent public safety authorities. 

Therefore, since the Local Police of the Municipality does not have general competence in the matter, it must be considered that the processing of the personal data in question was carried out in a manner that does not comply with the principle of "lawfulness, correctness and transparency" and in the absence of a legal basis, in violation of Articles 5, par. 1, letter a) and 6 of the Regulation, as well as 2-ter of the Code. 

3.2.2 The incorrect qualification of the roles in terms of personal data protection and the failure to enter into a data protection agreement with the data controller

Pursuant to Article 28, par. 3, of the Regulation, “processing by a processor shall be governed by a contract or other legal act under Union or Member State law, which binds the processor to the controller, which sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller”, and which provides for all the commitments provided for by the same art. 28, par. 3, of the Regulation (see recital 81 of the Regulation).

The contract or other legal act must be “stipulated in written form, including in electronic format” (Article 28, paragraph 9, of the Regulation).

During the investigation, it emerged that the Municipality assumed the role of data controller in the relationship with the Company, supplier of the “TrevisoSicura” application, which qualified itself as the data controller of the personal data of the users of that application.

As acknowledged by the Municipality, the Entity should have instead qualified itself as the data controller, as the entity to which the purposes and means of the processing can be traced and which determined them. Conversely, the application supplier should have been qualified as the data controller, as the same processed the aforementioned personal data not for its own purposes, but on behalf of and in the interest of the Municipality. 

Having said this, it must be noted that the Municipality, as the data controller, failed to stipulate an agreement on the protection of personal data with the aforementioned supplier, as the data controller.

In this regard, it should be noted that, as clarified by the European Data Protection Board, “since the Regulation clearly establishes the obligation to conclude a written contract, if no other relevant legal act is in force, there is a violation of the [Regulation], or of “Article 28, paragraph 9, of the [Regulation]”. Considering that “both the controller and the processor are responsible for ensuring the existence of a contract or other legal act regulating the processing”, the competent supervisory authority “may impose an administrative fine on both the controller and the processor” (“Guidelines 07/2020 on the concepts of controller and processor under the GDPR”, adopted by the European Data Protection Board on 7 July 2021, para. 103). 

Therefore, where, as in the present case, there is “a data controller-processor relationship […] even in the absence of a [valid] written processing agreement” - since the entity processing the data does not actually process the data for its own purposes but on behalf of the commissioning entity and data controller, in the performance of a service contract or other similar legal relationship between the parties (see the definition of “processor” in art. 4, par. 1, no. 8, of the Regulation) - “this implies […] a violation of Article 28, paragraph 3, of the [Regulation]” (ibidem, par. 103 and note no. 42). 

Given that, in the present case, no agreement on the protection of personal data was stipulated with the supplier and maintainer of the IT application “TrevisoSicura”, who actually acted as data controller, it must be concluded that the Municipality has committed a violation of art. 28, par. 3, of the Regulation. 

3.2.3 The unsuitable information on the processing of personal data

Also due to the incorrect qualification of the roles in terms of personal data protection, the information on the processing of personal data that was provided to the users of the “TrevisoSicura” application (in the files), cannot be considered fully compliant with the requirements set out in art. 13 of the Regulation.

This is because such information:

- erroneously indicates the Company as the data controller instead of the Municipality, whose contact details are not indicated (see art. 13, par. 1, letter a), of the Regulation);

- does not indicate the contact details of the Data Protection Officer designated by the Municipality (see art. 13, par. 1, letter b), of the Regulation);

- fails to refer, as the legal basis for the processing, to the need to exercise tasks of public interest specific to the Municipality (see art. 13, par. 1, letter c), of the Regulation);

- does not mention the Company among the recipients of the data in the capacity of data controller (see art. 13, par. 1, letter e), of the Regulation);

- indicates a data retention period (“maximum 12 months”) that does not correspond to that indicated on the application web page (“3 months from the notification with subsequent automatic deletion”) (see art. 13, par. 2, letter a), of the Regulation);

- does not mention the right of the data subject to lodge a complaint with a supervisory authority (see art. 13, par. 2, letter d), of the Regulation);

- does not clarify whether the interested party is obliged to provide personal data or the possible consequences of failure to provide them (see art. 13, par. 2, letter e), of the Regulation). 

It must therefore be concluded that the Municipality, in its capacity as data controller, which is subject to the transparency obligations provided for by the data protection legislation, has acted in violation of art. 5, par. 1, letter a), and 13 of the Regulation. 

3.2.4 Violation of the principles of data protection by design and by default, as well as accountability

From the overall investigation launched against the Municipality, it emerged that the Authority made the IT application “TrevisoSicura” available to users, without, however, having adopted any internal act aimed at regulating the processing and ensuring overall compliance with the data protection legislation, having, moreover, erroneously attributed to itself the role of data controller (see the aforementioned statements of the Municipality regarding the circumstance that "at the moment no decisions have been adopted aimed at regulating the processing of personal data deriving from the provision of the app due to the incorrect identification of the roles envisaged by the Regulation. The only decisions concern the activation/maintenance of the service for the years 2021 and 2022”).

Therefore, the Authority did not identify, before starting the processing and from the design of the application, the necessary measures aimed at implementing the principles of data protection, integrating the necessary guarantees into the processing in order to meet the requirements of the Regulation (see art. 25, par. 1, of the Regulation).

Nor have adequate technical and organizational measures been implemented to ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed (see art. 25, par. 2, of the Regulation). In particular, the Municipality, by configuring the application in such a way as to grant data subjects the possibility of entering free text in a specific field, did not consider the possibility that they could send the Authority data that are not relevant to the purpose pursued (see art. 5, par. 1, letter c), which formalizes the principle of "data minimization"), or the mapping of the areas of the city affected by criminal phenomena, with the consequent risk of acquiring data belonging to particular categories (see art. 9 of the Regulation) or to crimes (see art. 10 of the Regulation). 

The Municipality then stated that "at the moment the retention period of the reports reported in the information is a maximum of 12 months", while "the web page of the app instead reports a retention period of 3 months from the report with subsequent automatic deletion". Notwithstanding that there is an inconsistency with regard to the retention times declared in the information and those mentioned on the web page of the application, the Municipality nevertheless acknowledged that "in consideration of the purpose and above all the method of routing the reports, it is believed, in order to considerably reduce the surface of exposure and consequently the risks for the interested parties, to avoid such retention by the systems upstream or in any case to limit to a number of days compatible with any problems in receiving the email, consequently updating the information". Therefore, as admitted by the Municipality itself, the retention of the reports in the IT systems of the supplier, after sending them to the local police by email, was not, in any case, necessary.

From the above considerations it emerges that the Municipality was not able to demonstrate that it had complied with the principles of data protection and that it had taken due account of the personal data protection profiles before making the “TrevisoSicura” application available to users, thus failing to comply with the obligations arising from the principle of accountability, which informs the European legislation on data protection (see Articles 5, paragraph 2, and 24, paragraphs 1 and 2, of the Regulation).

It must therefore be concluded that the Municipality acted in a manner that was not compliant with the principles of accountability and data protection by design and by default, in violation of Articles 5, paragraph 2 (in conjunction with Article 24), and 25 of the Regulation.

4. Conclusions.

In light of the above assessments, it is noted that the declarations made by the data controller during the investigation ˗ the truthfulness of which may be held accountable pursuant to Article 168 of the Code ˗, although worthy of consideration, do not allow to overcome the findings notified by the Office with the act of initiation of the proceeding and are insufficient to allow the archiving of the present proceeding, since, moreover, none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

Therefore, the preliminary assessments of the Office are confirmed and the unlawfulness of the processing of personal data carried out by the Municipality is noted, for having processed personal data in the context of the use of the application "TrevisoSicura", in violation of arts. 5, par. 1, letter a) and par. 2 (in conjunction with art. 24), 6, 13, 25 and 28, par. 3, of the Regulation, as well as 2-ter of the Code. 

Taking into account that the violation of the aforementioned provisions occurred as a consequence of a single conduct (same processing or processing linked to each other), art. 83, par. 3, of the Regulation, pursuant to which the total amount of the administrative pecuniary sanction does not exceed the amount specified for the most serious violation. Considering that, in the case in question, the most serious violations, relating to Articles 5, 6 and 13 of the Regulation, as well as 2-ter of the Code, are subject to the sanction provided for by Article 83, par. 5, of the Regulation, as also referred to in Article 166, paragraph 2, of the Code, the total amount of the sanction is to be quantified up to EUR 20,000,000. 

In this context, considering, in any case, that the conduct has exhausted its effects, given that the reporting functions of the IT application have been deactivated and that the maximum retention period for reports already received has elapsed, the conditions for the adoption of further corrective measures pursuant to Article 58, par. 2, of the Regulation do not apply.

5.    Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, paragraph 2, letters i and 83 of the Regulation; article 166, paragraph 7, of the Code).

Violation of the provisions cited is subject to the application of an administrative pecuniary sanction pursuant to the combined provisions of articles 58, paragraph 2, letters i), and 83, paragraph 5, of the Regulation.

The administrative pecuniary sanction imposed, depending on the circumstances of each individual case, must be determined in amount taking into due account the elements provided for in article 83, paragraph 2, of the Regulation.

Considering that:

- although the IT application “TrevisoSicura” was made available to users for an extended period of time (from July 2020 to December 2022), the Municipality received a low number of reports (n. 414) and, therefore, the processing concerned a limited number of interested parties compared to the total number of residents in the Municipality (approximately 85,000 inhabitants) (see art. 83, par. 2, letter a), of the Regulation);

- the relationship between the Municipality and the Company, in addition to not having been definitive in a data protection agreement stipulated pursuant to art. 28, par. 3, of the Regulation, has not been correctly framed, for data protection purposes, even within the scope of the contract for the supply of maintenance services (see the Company's email of 5 May 2023, acquired within the scope of the separate but connected proceeding initiated against the same, where it is stated that the client relationship between the Municipality and the Company "is not regulated except in a scant disciplinary" (see art. 83, par. 2, letter a), of the Regulation); 

- the violation is negligent (see art. 83, par. 2, letter b), of the Regulation); 

- the processing did not concern personal data belonging to particular categories (see art. 9 of the Regulation) or data relating to crimes (see art. 10 of the Regulation), although, as illustrated above, the fact that the application was configured in such a way as to allow users to enter free text exposed the Municipality to the risk of also acquiring such types of data (see art. 83, par. 2, letter g), of the Regulation),

it is believed that, in this case, the level of severity of the violation committed by the data controller is medium (see European Data Protection Board, “Guidelines 4/2022 on the calculation of administrative pecuniary sanctions under the GDPR” of 24 May 2023, point 60).

That said, it is believed that, for the purposes of quantifying the sanction, the following mitigating circumstances must be taken into account:

- the Municipality has a high degree of responsibility, having substantially failed to consider the data protection profiles underlying the processing in question, before carrying out the same (Article 83, paragraph 2, letter d), of the Regulation);

- the Municipality offered good cooperation with the Authority during the investigation, having also promptly taken action to deactivate the reporting functions of the IT application immediately after learning of the start of the investigation (Article 83, paragraph 2, letter f), of the Regulation);

- there are no previous relevant violations committed by the Municipality (Article 83, paragraph 2, letter e), of the Regulation).

In light of the aforementioned elements, assessed as a whole, it is believed that the amount of the pecuniary sanction should be determined in the amount of Euro 7,000 (seven thousand) for the violation of Articles. 5, par. 1, letter a) and par. 2 (in conjunction with art. 24), 6, 13, 25 and 28 of the Regulation, as well as 2-ter of the Code, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive. 

Taking into account that the processing of the personal data in question took place in violation of the aforementioned provisions of the Regulation for an extended period of time and that, as emerged from the investigation, the Municipality substantially failed to consider the data protection profiles before making the application available to users, it is also believed that the accessory sanction of publication on the website of the Guarantor of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 are met.


GIVEN ALL THE ABOVE, THE GUARANTOR

declares, pursuant to art. 57, par. 1, letter f), of the Regulation, the unlawfulness of the processing carried out by the Municipality of Treviso due to violation of arts. 5, par. 1, letter a) and par. 2 (in conjunction with art. 24), 6, 13, 25 and 28 of the Regulation, as well as 2-ter of the Code, in the terms set out in the reasons;

ORDERS

to the Municipality of Treviso, in the person of its legal representative pro-tempore, with registered office in Via Del Municipio, 16 - 31100 Treviso (TV), C.F. 80007310263, to pay the sum of Euro 7,000 (seven thousand) as an administrative fine for the violations indicated in the reasons. It is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Municipality, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 7,000 (seven thousand) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

- the archiving, pursuant to art. 14 of the Regulation of the Guarantor no. 1/2019, of the dispute regarding the processing of personal data carried out through the use of drones equipped with thermal cameras by the local police;

- the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code (see art. 16 of the Regulation of the Guarantor no. 1/2019);

- the annotation of this provision in the internal register of the Authority, provided for by art. 57, paragraph 1, letter u), of the Regulation, of the violations and measures adopted in accordance with art. 58, paragraph 2, of the Regulation (see art. 17 of the Regulation of the Guarantor no. 1/2019).

Pursuant to art. 78 of the Regulation, 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad. 

Rome, 4 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei