The Italian data protection authority ('Garante') issued, on 9 June 2022, its Decision No. 214, in which it imposed a fine of €26,000 on the Policoro Municipality for violation of Articles 5(1)(a), 5(1)(e), 5(2), 12, 13, 24, and 38(6) of the General Data Protection Regulation (Regulation (EU) 2017/679) ('GDPR'), following a complaint from an individual.

Background to the case

In particular, the Garante highlighted that the complainant had alleged that the Municipality had used video surveillance in violation of the regulations on the protection of personal data. In addition, the Garante added that the complainant alleged the inadequate installation of the signs informing the public of the deployment of video surveillance and the lack of adequate information on video surveillance contained therein.

Findings of the Garante

Further to the above, the Garante found that, in light of the investigation carried out, the Municipality had processed personal data through video surveillance while providing data subjects with insufficient information on the processing, in violation of Articles 5(1)(a), 12, and 13 of the GDPR. In addition, the Garante explained that the Municipality had not set the maximum retention times for the images taken using cameras for the purpose of combating the practice of illegal waste abandonment.

Consequently, in view of the principle of accountability and in compliance with the storage limitation principle, the Garante held that the Municipality should have defined the maximum retention terms for video surveillance images for each processing purpose pursued, adequately describing the choices made in this regard.

As a result, the Garante considered that the processing of personal data carried out by the Municipality had been unlawful, as it had been not compliant with the principles of lawfulness, correctness, and transparency, storage limitation, and accountability, providing information on the processing of first-level personal data that was not adequate to inform the individuals.

Furthermore, the Garante found that the Municipality, by entrusting its data protection officer ('DPO') with the power to assist the Municipality in the proceedings before the Garante, had placed the same DPO in a position of conflict of interest, in violation of Article 38(6) of the GDPR.

Outcomes

In conclusion, the Garante imposed the aforementioned fine, also outlining that the Municipality has 30 days to settle the dispute by paying an amount equal to half of the sanction imposed. 

Lastly, the Garante ordered the Municipality, within 30 days of notification of the decision, to identify the maximum retention times of the images on the basis of the purposes pursued with the video surveillance system, and to provide interested parties with appropriate information on the processing of personal data.

You can read the decision, only available in Italian, here.