Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Municipality of Trento €50,000 for personal data processing violations

On January 11, 2024, the Italian data protection authority (Garante) announced in its newsletter its decision No. 5, as issued on the same date in which it imposed a fine of €50,000 on the Municipality of Trento, for violations of the General Data Protection Regulation (GDPR) following an investigation. 

Background to the decision 

Through press reports, the Garante learned that the Municipality of Trento participated in three artificial intelligence (AI) development projects entitled 'Marvel,' 'Protector,' and 'Precrisis' with support from the Bruno Kessler Foundation (the Foundation). The projects would involve the collection of information in public places through microphones and video surveillance cameras to detect potential situations that pose a potential danger to public safety. 

In response to requests for additional information, the Municipality of Trento stated that for project Marvel, video is provided from cameras already in place and microphones were installed specifically for the project. Regarding project Protector, data is provided via the social media platforms X (formerly Twitter) and YouTube to detect threats and data would be provided to law enforcement. Finally, regarding project Precrisis, no AI-based software component has been developed yet. Regarding all projects, the Municipality also highlighted that data is automatically anonymized at the time of collection, a Data Protection Impact Assessment (DPIA) had been carried out, biometric data would not be collected, and the Foundation had access to the data and helps to manage the processing of personal data for the development of AI models. 

Findings of the Garante 

Following its investigation, the Garante concluded that the Municipality of Trento's collection of personal data contained in audio and video recordings did not comply with the GDPR principles of lawfulness, correctness, and transparency by not providing interested parties with information regarding the processing of the content of their conversations in public spaces and that data would be processed from X (formerly Twitter) and YouTube in violation of Article 5(1)(a) of GDPR.  

In addition, the Garante determined that the Municipality of Trento collected data and communicated that data to third parties including data about crimes and religious beliefs in the absence of a valid legal basis as required by Articles 6, 9, and 10 of the GDPR. Among other things, the Municipality of Trento was found to have collected data without the data being ascertained to a specific crime at the time of collection, as required by the GDPR. The Garante also stated that the processing could not be based on the administrative functions attributed to the Municipality of Trento. 

The Garante also stated that the Municipality of Trento failed to provide interested parties with the information required, in violation of Articles 13(1)(c), 13(1)(e), 13(2)(a), 13(2)(b), 13(2)(d), and 14 of GDPR. Among other things, the Municipality of Trento's signs which were posted in public spaces did not inform interested parties that data would be shared with third parties, details for how interested parties could receive more complete information regarding the processing of their data, or that interested parties could file a complaint with a supervisory authority.  

Lastly, the Garante mentioned that the DPIA was not adequate as required by Article 35 of the GDPR. The Garante stated that the document was undated and failed to mention the personal data of users from X (formerly Twitter) and YouTube. 

Outcomes

In light of the above, the Garante imposed a fine of €50,000 on the Municipality of Trento. The Garante considered mitigating circumstances in imposing the fine outlining that only a limited amount of data was collected, the Municipality of Trento acted in good faith in believing the project would be valid within the legal framework, and that a DPIA was completed even though it was not fully compliant. 

You can read the newsletter here and the decision here, both only available in Italian.  

Feedback