The Privacy Guarantor against the Municipality of Rome: lack of transparency on data

Users and employees of public services of Roma Capitale not sufficiently protected: TuPassi app and server do not comply with GDPR.

500 thousand euro fine against the Municipality of Rome. According to the Guarantor for the protection of personal data, the processing of user and employee information carried out through "TuPassi", the appointment booking system used by the City of Rome, would not be transparent and would not comply with current legislation.

The measure comes after the conclusion of the preliminary investigation, following the controls carried out by the Guarantor on the systems used by the City of Rome for the booking of services of various types. To conduct the operation together with the Authority, also the special nucleus privacy protection and technological frauds of the Guardia di Finanza. Several irregularities were found, despite the previous measure always on the same issue dating back to the year 2019. Also in March two years ago, the Guarantor had expressed a negative opinion on the data processing carried out through "TuPassi" by Roma Capitale, requesting some corrective measures to adhere to European regulations.

Privacy Guarantor against the Municipality of Rome, the irregularities found

As anticipated, at the center of the irregularities was the processing of personal data - even sensitive - of users who made reservations for health services or counter appointments through "TuPassi". Among the channels available, in addition to the app and the dedicated website, also the totems available at the offices of the Public Administration and the professionals of the circuit.

As indicated by the investigation activity, the system was storing a large amount of references of citizens, including personal data, date and time of booking and type of service, on the servers of Roma Capitale for a long time. Even for the employees the situation showed several dark points: in fact, daily reports were recorded and generated with the details of the work activity (date of the request, service booked, name of the employee in charge of managing the request, call and waiting time), without the guarantees introduced by the Workers' Statute regarding remote control.

Worsening the situation was the absence of information on the processing of such information, neither for users nor for employees, contrary to what is established by the EU Regulation currently in force. Under the magnifying glass were also the technical and organizational measures of the Authority, considered inadequate according to the Regulatory Authority, also guilty of not having properly managed the relationship with the supplier company. For the latter, with a separate measure, the Guarantor has also foreseen a sanction of 40 thousand euros relative to the role of owner of the treatment of the personal data of users and employees and to the activity that concerns them.

Privacy Guarantor against the Municipality of Rome, what's next?

In order to return to use the booking system "TuPassi", the Authority has requested all the necessary updates to protect the privacy of the data of the figures involved, that is, users and employees of Roma Capitale. The Guarantor has also provided a series of indications to be respected, in order to make the service compliant with the regulations in force.